TechnipFMC plc 10-K Cybersecurity GRC - 2026-02-19

Page last updated on February 19, 2026

TechnipFMC plc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-19 16:42:46 EST.

Filings

10-K filed on 2026-02-19

TechnipFMC plc filed a 10-K at 2026-02-19 16:42:46 EST
Accession Number: 0001681459-26-000010


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information to support the strategic needs of our business.

Our information security program is designed with reference to the ISO27001:2022 standard and the National Institute of Standards and Technology Cybersecurity Framework ("NIST CSF"). This does not imply that we meet any particular standard, specification, or requirement, only that we use ISO27001:2022 and NIST CSF to help guide our approach to identifying, assessing, and managing cybersecurity risks relevant to our business.

Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels, and governance processes that apply across other legal, compliance, strategic, operational, and financial risk areas.

Key elements of our cybersecurity risk management program include but are not limited to:

- risk assessments designed to help identify material cybersecurity risks to our critical systems, information, and services;
- a security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;
- the use of external service providers, where appropriate, to assess, test, or otherwise assist with aspects of our security controls;
- cybersecurity awareness training for our employees, incident response personnel, and senior management;
- a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and
- a third-party risk management process for service providers, suppliers, and vendors.

In alignment with industry practices, our information security processes and governance are informed by "key security principles," including network security, patch and vulnerability management, least privilege, zero-trust based access controls, strong authentication practices, secure change management, and protection against malware and other threats. We routinely perform information protection and risk assessment reviews to help ensure our security posture remains appropriately aligned to our business needs and the threat landscape.

We face ongoing material risks from cybersecurity threats, which the U.S. Securities and Exchange Commission defines as any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein. See "Risk Factors-A failure or breach of our IT infrastructure or that of our subcontractors, suppliers, or joint venture partners, including as a result of cyber-attacks, could adversely impact our business and results of operations." However, aside from these general and ongoing risks, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.

Cybersecurity Governance

Our Board considers cybersecurity risk as part of its overall risk oversight function and has delegated to the Audit Committee oversight of cybersecurity and other information technology risks. The Audit Committee reviews and considers our risks relating to cybersecurity and receives and reviews regular reports from our Information Security Steering Committee ("ISSC") on our cyber readiness, adversary assessments, risk profile, and any countermeasures undertaken or considered by us. Our ISSC also updates the Audit Committee, as necessary, regarding any significant cybersecurity incidents as well as incidents with lesser impact potential.

The Board receives regular updates from the Audit Committee on cybersecurity risks, often with the participation of the Chief Information Security Officer ("CISO") to report on our information security activities. The full Board also receives briefings from management on our cyber risk management program. Board members receive presentations on cybersecurity topics from our CISO or external experts as part of the Board's continuing education on topics that impact public companies.

Our ISSC, composed of senior leaders including the Chief Technology Officer, Chief Legal Officer, Chief Information Officer, and CISO, is responsible for assessing and managing our material risks from cybersecurity threats. The ISSC receives monthly reports and updates from the CISO on cybersecurity risks and cybersecurity incidents. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants.

Our ISSC includes team members with decades of cybersecurity experience and professional cybersecurity relevant certifications such as CISSP. Our CISO brings more than two decades of experience in information security and risk management and holds a Master in Business Administration and multiple industry-recognized professional certifications, including CISSP, Certified in Risk and Information Systems Control (CRISC), and CompTIA Security+.

The ISSC assists management in staying informed about and monitoring efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel, threat intelligence and other information obtained from governmental, public, or private sources (including external consultants) and alerts and reports produced by security tools deployed in our IT environment.


Company Information

Name: TechnipFMC plc
CIK: 0001681459
SIC Description: Oil & Gas Field Machinery & Equipment
Ticker: FTI - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 31