Page last updated on February 19, 2026
GATX CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-19 16:22:36 EST.
Filings
10-K filed on 2026-02-19
GATX CORP filed a 10-K at 2026-02-19 16:22:36 EST
Accession Number: 0000040211-26-000018
Item 1C. Cybersecurity.
The Board recognizes the critical importance of maintaining the trust and confidence of our employees, customers, shareholders and other stakeholders. Among other areas of responsibility, the Board has oversight responsibilities in relation to the Company's risk management program, and cybersecurity represents an important component of the Company's overall approach to enterprise risk management ("ERM"). The Company's cybersecurity policies and practices are integrated into the Company's ERM program and our risk goals are guided by internationally recognized standards and frameworks that help us to identify, assess, and manage risks relevant to our business. In general, the Company manages our cybersecurity risk using an evidence- and risk-based approach designed to reduce risks and thereby protect the Company's mission, business, and stakeholders, rather than focusing upon meeting any specific technical specifications.

Risk Management and Strategy

The Company's cybersecurity program is focused on the following key areas:

- Governance: As discussed in more detail below, the Board's oversight of cybersecurity risk management is supported by its Audit Committee, which interacts with the Company's ERM function, the Company's Senior Vice President and Chief Information Officer ("CIO"), the Global Head of IT Security, who reports directly to the CIO, and other relevant members of management.
- Collaborative Approach: We have implemented a cross-functional approach to identifying, mitigating, and managing cybersecurity risks, threats, and incidents through a broad range of controls and supporting processes.
- Technical Safeguards: We deploy various technical safeguards that are designed to protect the Company's information systems and data from cybersecurity threats.
- Incident Response and Recovery Planning: We have established, and maintain, an incident response plan that addresses the Company's planned responses to a potential or actual cybersecurity incident. This plan is periodically reviewed, tested, and evaluated. The incident response plan also includes consideration of disclosure requirements and communication to appropriate parties within the Company.
- Third-Party Risk Management: We take a risk-based approach to identifying the cybersecurity risks presented by third-party service providers, including by conducting a security assessment and an evaluation of AI usage of prospective vendors where warranted.
- Education and Awareness: We provide training for our employees regarding cybersecurity threats as a means to build awareness and equip them with effective tools to identify and address cybersecurity threats, as well as to communicate the Company's evolving information security policies and practices.

We engage in the periodic assessment and testing of our cybersecurity policies and practices. These efforts include a range of activities focused on evaluating the effectiveness of our cybersecurity measures and planning. We engage third parties to perform assessments on various aspects of our cybersecurity measures, including information security maturity assessments, audits, and reviews of our information security control environment and operating effectiveness. The results of such assessments, audits, and reviews are reported to senior management and the Audit Committee, and we adjust our cybersecurity processes as necessary based on the information provided by these assessments, audits, and reviews.

We have experienced, and may in the future experience, cybersecurity threats. While prior incidents have not had a material impact on us, future incidents could have a material effect on our operations, business strategy, results of operations, or reputation. See Item 1A. "Risk Factors - Information Technology Risks - If we are unable to adequately protect our information technology systems against cybersecurity threats and related disruptions, our business could be negatively impacted." for more information.

Governance

Through its Audit Committee, the Board oversees the Company's ERM program, including risks arising from cybersecurity threats. The Audit Committee receives periodic presentations and reports on cybersecurity risks addressing recent developments, evolving standards, third-party and independent reviews, the threat environment, technological trends, and information security considerations arising with respect to the Company's peers and third parties. The Audit Committee also receives information regarding cybersecurity incidents impacting the Company that are deemed more significant under the cybersecurity incident response plan, as well as ongoing updates regarding any such incidents until they have been addressed. The Audit Committee discusses the Company's approach to cybersecurity risk management with GATX senior management, including the CIO and the Global Head of IT Security, who has responsibility for assessing and managing material risks from cybersecurity threats.

A cybersecurity group within GATX's IT department, led by the Global Head of IT Security, works collaboratively across the Company to administer a program designed to protect the Company's information systems and information from cybersecurity threats and to execute processes in accordance with the Company's incident response plan. To facilitate the Company's cybersecurity risk management program, multidisciplinary teams are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams and the cybersecurity group, the Global Head of IT Security monitors the prevention, detection, mitigation, and remediation of cybersecurity threats and incidents and reports such threats and incidents to the Audit Committee when appropriate.

The CIO has over 26 years of experience in information technology, including over 19 years managing the cybersecurity function and resources. The Global Head of IT Security has over 16 years of experience in information technology and information security, including over 11 years of leadership roles within the information security domain, and holds multiple certifications in cybersecurity and risk management.
Company Information
| Name | GATX CORP |
| CIK | 0000040211 |
| SIC Description | Transportation Services |
| Ticker | GATX - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |