AdvanSix Inc. 10-K Cybersecurity GRC - 2026-02-20

Page last updated on February 20, 2026

AdvanSix Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-20 16:17:22 EST.

Filings

10-K filed on 2026-02-20

AdvanSix Inc. filed a 10-K at 2026-02-20 16:17:22 EST
Accession Number: 0001673985-26-000008

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity AdvanSix is committed to protecting the data and confidential information of its business, employees, customers and suppliers. As an organization, we face the risk of cybersecurity breaches and incidents from both external threat actors and from insiders which could compromise the security of our information and networks . Any cybersecurity breach or incident could harm our business or disrupt our operations . Cybersecurity risk is closely monitored by our executive leadership with governance and oversight by the Audit Committee of the Board, whose oversight is expressly noted in its chartered responsibilities along with broader enterprise risk management. A cybersecurity team, led by the General Counsel, the Chief Digital and Information Officer ("CDIO") and the Chief Information Security Officer ("CISO"), is responsible for the management, implementation and operation of the cybersecurity program, alongside qualified internal and external security and IT subject matter experts . Our CDIO leads the Company's digital transformation and technology team and brings 20 years of experience to the role. He joined AdvanSix as Vice President and CDIO in August 2025, and prior to that time, he held various leadership positions in the energy and manufacturing sector, including GE, Baker Hughes, TechnipFMC and Civitas Resources. He earned a Bachelor's and Master's degree in Computer Science and Engineering and is a graduate of Texas Tech University. Our CISO leads the Company's core enterprise services team, including cybersecurity, and brings over 20 years of experience in the areas of technology governance, risk and compliance management, information security and cybersecurity, risk assessments, secure-Software Development Life Cycle (SDLC), security architecting, cloud security design and operations, threat and vulnerability management, Security Information and Event Management (SIEM)/Security Operation Center (SOC), and incident response management. He joined AdvanSix in December 2018 as our Cybersecurity Leader, and prior to that time, he worked as VP and Information Security Officer at MUFG, managing the overall risk management program, design and implementation. Prior to that role, our CISO served as a cybersecurity and privacy manager with PricewaterhouseCoopers, as a technology manager - IT security and infrastructure with Suez Environment North America, and as an IT auditor for Pentair. Our CISO has a Master's Degree in Computer Science from New Jersey Institute of Technology and a Bachelor's Degree in Mechanical Engineering from University of Madras. In order to stay current with best practices, our CISO regularly completes cybersecurity certification courses and attends industry conferences. Our General Counsel brings over 20 years of experience managing and assessing enterprise risks through both his tenure at the Company since 2016, which has included the assessment of risks arising from cybersecurity threats, and his prior experience as outside counsel to publicly traded companies. We track the effectiveness of our cybersecurity program using key performance and risk metrics through daily surveillance with dashboard updates provided by the CISO to the General Counsel and the CDIO supplemented by regular updates to the senior leadership team, which includes the Chief Executive Officer and the Chief Financial Officer . In addition, the CISO provides cybersecurity updates to the Audit Committee and the full Board. Informational report-outs, with risk metrics and dashboard updates, are provided to the Audit Committee on at least a quarterly basis. At least annually, the full Board is provided an update which includes a review of governance oversight, cybersecurity controls, implemented improvements and mitigations, vulnerability risks, third-party vendors utilized, and status of key initiatives. AdvanSix's cybersecurity program is based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework and zero-trust principles, and consists of technical, administrative and operational controls working together as an integrated solution. AdvanSix engaged the services of a best-in-class third party cybersecurity firm to conduct an independent comprehensive maturity assessment of our cyber security program across critical areas which align with the NIST Cybersecurity Framework. As a result of the assessment, best practice recommendations were incorporated into the cybersecurity program to improve our cybersecurity posture and program maturity. We regularly monitor the qualitative and quantitative performance of the program and other risk metrics. Key risks are identified, and appropriate mitigations are implemented through a combination of people, process, and technology solutions that are continuously evolving to address a dynamic and increasingly sophisticated threat environment. Based on this framework, we have developed and implemented a comprehensive set of cybersecurity policies and procedures to address the key cybersecurity risks faced by AdvanSix. We continue to assess evolving threats and update our policies and procedures appropriately . Our cybersecurity program is designed to protect information technology networks and assets using the zero-trust principles, latest technologies that leverage artificial intelligence, machine learning and automation. Our security architecture uses a "defense-in-depth approach," with controls implemented at user, email, endpoint, cloud, access, and network levels. In addition, training our employees is a critical element of our cybersecurity program. Our comprehensive security awareness and training program covers 100% of our employees on protective measures regarding information security, data privacy, cyber-attacks and recognizing phishing attempts. This program includes regular communication, interactive trainings, and simulated phishing assessments and is designed to reinforce risk 24 awareness and address the latest and most relevant risks. We have implemented robust controls and procedures to ensure trainings are completed in a timely manner and to track our cybersecurity performance metrics. We seek to identify and address cybersecurity threats and risks that can arise from our use of third parties, including those that comprise our information systems, supply chain operations or who have access to certain data. We utilize supplier risk management practices, including enhanced due diligence assessments, that seek to identify cybersecurity risks associated with our use of third-party providers and the scope and nature of their work with us. These risks are assessed and prioritized based on, among other things, supplier assessments, threat intelligence, and industry practices. We consider these risks at the time of supplier onboarding and endeavor to assess changes in risk throughout the lifecycle of our relationship with suppliers. Our environment is monitored continuously for security events by our security operations center, which detects, alerts, and responds to any potential security incidents on 24/7 basis. Escalations of potential incidents or notable risks are escalated by the cybersecurity team and the CISO to the General Counsel and the CDIO. If appropriate, the status of such potential incidents or notable risks will be further escalated to the Chief Executive Officer, the Chief Financial Officer and the Board. As of the date of this Annual Report on Form 10-K, we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company. AdvanSix has developed cybersecurity incident response plans and procedures, including the formation of a designated cybersecurity incident response team with representatives from across the organization. In the event of an actual cybersecurity incident, the cybersecurity incident response plan serves as the guiding framework for the Company including with respect to incident assessment, mitigations and controls, as well as response, recovery, reporting and resolution. We conduct periodic scenario planning sessions and tabletop exercises with the cybersecurity incident response team and other key functional roles in the enterprise to improve our response preparedness in the event of a security incident. AdvanSix has implemented various measures to protect its sites from both physical and cyber-attacks, which take into account applicable data security and other data privacy laws and regulations. Emerging threats and opportunities to further mitigate cybersecurity risk are continuously explored and evaluated. A vulnerability management program continually assesses our environment to identify and remediate system and software vulnerabilities. A data governance policy and data loss prevention program have been implemented to protect our intellectual property and other sensitive data. We also engage independent third parties to perform security assessments on at least an annual basis, which include penetration testing of our external and internal environment. In summary, the Company's approach to cybersecurity is intended to assess, identify, and manage risks from cybersecurity threats, implement mitigations and controls consistent with the NIST Cybersecurity Framework and zero-trust approach, and support safe, stable and sustainable operations, while protecting our intellectual property, confidential information, privacy data, operations, and infrastructure.

Company Information