Solstice Advanced Materials Inc. 10-K Cybersecurity GRC - 2026-02-19

Page last updated on February 19, 2026

Solstice Advanced Materials Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-19 16:11:39 EST.

Filings

10-K filed on 2026-02-19

Solstice Advanced Materials Inc. filed a 10-K at 2026-02-19 16:11:39 EST
Accession Number: 0002064953-26-000008

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy We maintain a cybersecurity and information security risk management program designed to assess, identify, manage, and govern material risks from cybersecurity threats. Our cybersecurity and information security risk management program is a key component of our overall enterprise risk management program. We maintain cybersecurity policies and procedures in accordance with industry standard control frameworks and applicable regulations, laws, and standards. We maintain oversight of our cybersecurity and information security risk management program via a corporate structure that includes a Cybersecurity Disclosure Committee, a Security Governance Council, the Audit Committee of the Board of Directors ("Audit Committee") and the Board of Directors. We assess and evaluate cybersecurity-related risks on a quarterly basis or as needed, to determine whether any such risks have the potential to materially impact our business operations, revenue, and expenditures and to understand the degree of such risks relative to other risks faced by the Company. Our Chief Information Security Officer has served in various roles in IT and information security for nearly 25 years, including security-related roles in technology deployments, cyber risk management, regulatory compliance and operations. He holds a diploma in Information Technology from Nettur Technical Training Foundation and a post graduate diploma in information technology from the Sikkim Manipal University. Prior to serving in his current role, our Chief Information Security Officer was part of Honeywell's global security leadership, leading the governance, risk and compliance function across the global enterprise. 43 Our Chief Information Security Officer reports to our Senior Vice President, General Counsel & Corporate Secretary and oversees the Solstice Global Security Organization (SGS). SGS is responsible for leading enterprise-wide information security strategy, architecture, and processes. Included within SGS's scope is responsibility for infrastructure defense and security controls, performing vulnerability assessments, security incident management, and defining the parameters and standards of our cybersecurity and information security risk management program. Our cybersecurity and information security risk management program includes risk assessment and mitigation through a threat intelligence-driven approach, application controls, and security monitoring. The cybersecurity and information security risk management program leverages International Organization for Standardizations (ISO) 22301 standard for business continuity, ISO 27001 standard for information security management systems, and the National Institute of Standards and Technology (NIST) Cyber Security Framework (NIST 800-171) for measuring overall readiness to respond to cyber threats. SGS has more than 20 members, with expertise in: (i) application security, (ii) governance and compliance, (iii) program and vulnerability management, (iv) security engineering, (v) identity and access management, (vi) security operations and security assurance, (vii) threat intelligence and security architecture, (viii) incident response, (ix) physical security, (x) operational technology security and (xi) business resiliency. In addition, our SGS receives additional support from a third-party managed security service provider. We rely on internal resources and third-party service providers for certain critical or key infrastructure, solutions, and services across our operations. We have a third-party risk management program that assesses risks from vendors and suppliers that provide, among other things, key information and supply chain services to the Company. In addition, the Company maintains business continuity and disaster recovery plans as well as cybersecurity insurance coverage. From time to time, we engage third parties to perform periodic, internal security reviews/audits, as well as assess the adequacy of our cybersecurity and information security risk management program. The most recent third-party assessment occurred in October 2025. We maintain cybersecurity and information security awareness training programs for employees. Formal training on topics relating to the Company's cybersecurity, data privacy and information security policies and procedures is mandatory for all employees with access to the Company's network. Training will be administered and tracked through online learning modules. Improper or illegitimate use of the Company's information system resources or violation of the Company's information security policies and procedures may result in disciplinary action. Additionally, we periodically engage in cyber crisis response table-top simulations to assess our ability to adapt to security-related threats. In the event an attack or other intrusion were to be successful, we have a response team of internal and external resources engaged and prepared to respond. To date, no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. For further discussion of the risks related to cybersecurity, see the risk factors discussed under Item 1A. "Risk Factors" of this Annual Report on Form 10-K. Governance Our Security Governance Council, which meets quarterly or as needed, is led by our Chief Information Security Officer , and includes members of senior executive leadership. Our Security Governance Council maintains a security program designed to monitor and track key security performance indicators and provides regular updates to the Audit Committee as part of its oversight. Our Chief Information Security Officer will provide updates directly to the full Board once a year and directly to the Audit Committee at least twice a year or as needed. These updates cover topics related to our information security program, cyber risks and risk management processes, including the status of significant cybersecurity incidents, the emerging threat landscape, and the status of projects to strengthen the Company's information security posture. Our Cybersecurity Disclosure Committee receives updates as needed from the SGS regarding cybersecurity incidents. The Cybersecurity Disclosure Committee includes our Chief Information Security Officer and senior representatives from finance, controllership, internal audit, investor relations, tax, and legal. Our governance, risk and compliance team, which is part of our SGS, works in partnership with our internal audit team to review cybersecurity and IT-related internal controls as part of our overall internal controls process. The Cybersecurity 44 Disclosure Committee informs the Security Governance Council and the Audit Committee of any cybersecurity incidents (if any) that have the potential to materially adversely impact the Company or our information systems. The Company's Board is responsible for cybersecurity risk oversight and delegated such oversight to the Audit Committee. The Audit Committee , a committee comprised of independent Board members, two of whom have notable experience related to the oversight of cybersecurity issues, is responsible for oversight of the Company's IT and cybersecurity risks and regularly reports to the Board on IT and cybersecurity matters. The Audit Committee oversees cybersecurity risks including those related to the protection of customer and employee data, trade secrets, and other proprietary information, the security of cloud data, persistent threats, and cybersecurity risks associated with the Company's facilities. 45

Company Information