Garrett Motion Inc. 10-K Cybersecurity GRC - 2026-02-19

Page last updated on February 19, 2026

Garrett Motion Inc. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-19 07:03:11 EST.

Filings

10-K filed on 2026-02-19

Garrett Motion Inc. filed a 10-K at 2026-02-19 07:03:11 EST
Accession Number: 0001735707-26-000009


Item 1C. Cybersecurity.

Risk Management and Strategy

Our cybersecurity objective is to protect against data privacy breaches, information theft, and external and insider cyber threats through the use of a combination of cyber technologies, policies, and procedures. We have processes to identify, assess, monitor and mitigate material risks from cybersecurity threats, which are part of the Company's overall enterprise risk management ("ERM") process and have been embedded in the Company's operating procedures, internal controls and information systems. To that end, we take a holistic approach to securing our data and business systems from attack, compromise or loss.

The Company has cybersecurity capability that is managed by a dedicated Chief Information Security Officer ("CISO") whose team is responsible for leading the Company-wide cybersecurity strategy, policy, standards, architecture, and processes. The Security Operations Center ("SOC") provides visibility across all information technology assets and includes proactive cyber security threat detection technology to facilitate the identification of misconfigurations to mitigate threats and prevent data loss. As part of the Company's holistic approach to cybersecurity, we have implemented programs and technology associated with threat hunting, vulnerability scanning, and threat detection and response technology.

As part of its cybersecurity risk management, the Company delivers specific education to the organization on how to identify potential cybersecurity risks and protect the Company's resources and information. This training is mandatory for all employees globally on a regular basis and may be supplemented by various testing initiatives including periodic phishing tests.

The Company uses third-party expertise for periodic effectiveness testing of its prevention, detection, and response capabilities. The Company also requires all third-party service providers to meet specific cybersecurity requirements, including risk assessment and monitoring activities. In addition, third-party service providers with access to the Company's network have additional obligations including a requirement to undertake cybersecurity training.

While Garrett focuses heavily on prevention and detection, response and recovery plans, service agreements and partner engagements are in place should there be a need for us to respond to a cybersecurity attack. The Company's response process includes identifying the incident; notifying the executive team, activating the crisis team, assessing the business risk and materiality of the incident; managing the recovery of operations; and performing a post-incident analysis. The Company maintains business continuity and disaster recovery plans. The Company also engages in cyber crisis response simulation to assess our incident response ability and effectiveness.

No cybersecurity incidents have occurred that materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, results of operations or financial condition during the year ended December 31, 2025. Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us in the future. See Item 1A. "Risk Factors" for a discussion of cybersecurity risks.

Governance

Role of Management

The Company has a Cyber Risk Governance Council consisting of the Senior Vice President Chief Digital and Information Officer ("CDIO"), the CISO, the IT leadership team, and the cybersecurity team that focuses on cybersecurity and compliance risks. The Cyber Risk Governance Council meets periodically to review cybersecurity risks and related risk management methodologies. Cybersecurity risks are included in the Company's ERM as appropriate based on potential impact and vulnerability assessed according to certain set criteria and defined ERM materiality thresholds. Regular discussions of cybersecurity developments and risk mitigation approaches are held by the CDIO & CISO with the Chief Executive Officer and the senior leadership team. The CISO has over 28 years of experience in IT in various capacities with over 22 years in cybersecurity, reporting to the CDIO, who has over 20 years of IT related experience.

Role of the Board

The Board of Directors is responsible for overseeing overall risk management for the Company, including review and approval of the enterprise risk management approach and processes implemented by management to identify, assess, manage and mitigate risk. The Board has delegated responsibility for oversight of the Company's cybersecurity framework and risk management to the Audit Committee. The CDIO and CISO provide reports to the Audit Committee at least semi-annually on the Company's cybersecurity program, including the external threat environment, the Company's programs to address and mitigate the risks associated with the evolving cybersecurity threat environment, and the results of evaluation of the Company's cybersecurity program by external experts. The Audit Committee, as well as the Board of Directors, is also promptly informed about any information security incidents that may pose significant risk to the Company.


Company Information

Name: Garrett Motion Inc.
CIK: 0001735707
SIC Description: Motor Vehicle Parts & Accessories
Ticker: GTX - Nasdaq
Website
Category: Large accelerated filer
Fiscal Year End: December 31