NEWMONT Corp /DE/ 10-K Cybersecurity GRC - 2026-02-19

Page last updated on February 19, 2026

NEWMONT Corp /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-19 16:18:40 EST.

Filings

10-K filed on 2026-02-19

NEWMONT Corp /DE/ filed a 10-K at 2026-02-19 16:18:40 EST
Accession Number: 0001164727-26-000010


Item 1C. Cybersecurity.

Risk Management and Strategy

We rely upon technology and information systems to support our mining and business operations globally. These systems may be susceptible to cybersecurity risks including, but not limited to, external attackers, malware, viruses, and unauthorized access to our IT systems. Cybersecurity and the secure adoption of emerging technologies, including artificial intelligence ("AI"), remain strategic priorities for Newmont. In November 2025, we implemented an enterprise-wide Artificial Intelligence Standard that governs AI adoption and use, model lifecycle management, and associated cybersecurity and privacy controls. We continuously invest in developing our cybersecurity controls and processes to address these threats and reduce the risk of future breaches and cyber attacks.

Our processes to assess, identify, and manage cybersecurity risk are integrated with our global Risk Management System ("RMS") and include periodic enterprise-wide cyber risk assessments, continuous control monitoring, scenario-based exercises, and site-level reviews of our operational technology environments. Our Board of Directors and management team oversee these risks, ensuring alignment with our business objectives and regulatory obligations.

Foundationally, we seek to manage cyber risk through a structure of controls that includes cybersecurity standards, policies and cyber solutions that protect the availability, integrity, and confidentiality of our critical IT and mining systems. We monitor for emergent cyber threats and assess any actions required to reduce those risks. Our cybersecurity program is aligned to globally recognized security frameworks including the MITRE ATT&CK Framework, NIST and ISO27001. We previously maintained ISO27001 certification; while we are no longer certified, we continue to align our cybersecurity program to ISO27001 principles and conduct periodic independent assessments of our controls.
We further test our cybersecurity controls by engaging leading third-party cybersecurity service providers to perform external and internal penetration tests of critical business applications and mining systems. Additionally, we review and tabletop test our incident response plan. We leverage continuous monitoring of our internet facing presence, as well as known internet based criminal communities for indicators referencing Newmont, our executives, and employees. Our Security Operations Center ("SOC") continuously monitors for security events and threats, responding and escalating when appropriate.

We also hold employee trainings on privacy and current cybersecurity topics, conduct phishing tests and generally seek to promote awareness of cybersecurity risk through communication and education of our employee population.

Newmont requires third parties that supply IT services, have access to Newmont systems, or manage Newmont data to adhere to established Newmont security policies. Additionally, Newmont requires such third parties to provide detailed information on their established security controls via our third party risk assessment process. The third party risk assessment informs our contracting process. Specific certification may be required of critical third party IT service providers and partners. All third party workers are bound by our Acceptable Technology Use standard which governs appropriate IT systems access and usage.

Our operations rely on the secure processing, storage and transmission of confidential and other information in our computer systems and networks. Computer viruses, hackers, employee or vendor misconduct, and other external hazards could expose our information systems, and those of our vendors, to security breaches, cybersecurity incidents or other disruptions, any of which could materially and adversely affect our business.
Cybersecurity incidents may also cause disruption to mining operations; critical financial or reporting systems impairment; breach or integrity loss of Newmont proprietary or confidential data; or external reputational damage. The sophistication of cybersecurity threats, including through the use of AI, continues to increase, and the controls and preventative actions we take to reduce the risk of cybersecurity incidents and protect our systems, including the regular testing of our cybersecurity incident response plan, may become insufficient. We evaluate the effectiveness of our controls through continuous monitoring, testing, and lessons-learned reviews following incidents and exercises, and adapt our program accordingly. In addition, new technology that could result in greater operational efficiency such as our use of AI, fleet electrification, and autonomous vehicles may further expose our operations and computer systems to the risk of cybersecurity incidents.

Newmont did not identify any cybersecurity incidents during the year ended December 31, 2025 that have materially affected or are reasonably likely to materially affect Newmont's business strategy, results of operations, or financial condition. Additional information about cybersecurity risks we face is discussed in Item 1A, Risk Factors of this report under the heading "We are dependent upon information technology and operational technology systems, which are subject to disruption, damage, failure or cybersecurity attacks and risks associated with implementation, upgrade, operation and integration" which should be read in conjunction with the information above.

Governance

As part of our overall risk management approach, we prioritize the identification and management of cybersecurity risk at several levels, including Board oversight, executive commitment and employee training.
Our Audit Committee, comprised of independent directors from our Board, oversees the responsibilities relating to the operational (including information technology ("IT") risks and data security) risk affairs of the Company. Our Audit Committee is informed of such risks through quarterly reports from our cybersecurity leadership and it reports any material findings and recommendations to the full Board for consideration.

Our Cybersecurity team, comprised of seasoned IT and cybersecurity members, has decades of experience across multiple technical and compliance disciplines including cyber incident response, forensics, IT compliance, incident recovery, threat investigation and information technology. Our cybersecurity team includes several individuals who hold industry recognized certifications and advanced degrees in cybersecurity. Cybersecurity oversees the implementation and compliance of our information security standards, information technology compliance, and mitigation of information security related risks. The Chief Technology Officer and Chief Information Officer have direct oversight of the cybersecurity function.

We also have management level committees, leaders, and a cybersecurity incident team who support our processes to assess and manage cybersecurity risk as follows:

- Working closely with the legal team, cybersecurity leadership drives the identification and mitigation of privacy-related risks across the enterprise. This collaborative approach engages legal, compliance, and other functional leaders as needed.
- The Cybersecurity Disclosure Steering Committee, comprised of leadership from IT, cybersecurity, operations, risk, finance, legal and compliance across business segments, contributes to the assessment of cybersecurity breach, planned response, and required disclosures and filings.
- The Rapid Response Team, which includes senior executives across the Company and its global operations, is alerted as appropriate to cybersecurity incidents, natural disasters and business outages. The Rapid Response Team performs tabletop exercises on a yearly basis with inclusion across functions.

Each of these committees provides summary reports on their activities, which are then communicated as appropriate to the Audit Committee.


Company Information

Name: NEWMONT Corp /DE/
CIK: 0001164727
SIC Description: Gold and Silver Ores
Ticker: NEM - NYSE; NEMCL - OTC
Website:
Category: Large accelerated filer
Fiscal Year End: December 31