LiveWire Group, Inc. 10-K Cybersecurity GRC - 2026-02-20

Page last updated on February 20, 2026

LiveWire Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-20 16:32:07 EST.

Filings

10-K filed on 2026-02-20

LiveWire Group, Inc. filed a 10-K at 2026-02-20 16:32:07 EST
Accession Number: 0001898795-26-000028

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management Strategy We have implemented a cybersecurity program intended to assess, identify, manage and reduce cybersecurity risks. Through our partnership with Harley-Davidson, we maintain an IT incident response plan that is designed to protect against, identify, evaluate, respond to, and recover from an incident. The plan is designed to be flexible so it may be adapted to an array of potential scenarios and includes a cybersecurity incident response team in the event of a cyber incident. The incident response team is a cross-functional group that is composed of both Company and Harley-Davidson personnel and external service providers, and which is tailored to a particular incident so that individuals with appropriate experience and expertise are available. Currently, we contract for such cybersecurity services through the Master Services Agreement with Harley-Davidson, in addition to leveraging our own information technology and security tools and teams. We have invested in tools and technologies intended to protect our data and business systems, and we monitor our computing environment on an ongoing basis to help identify and assess risk. In addition, we have implemented a cybersecurity training program designed to educate and train employees how to identify, potentially avoid and report cybersecurity threats. It is focused on helping our workforce recognize, avoid falling victim to and raise the visibility of potential cyber threats and scams. In addition, periodic cybersecurity awareness messages are communicated to employees as new threats and scams develop throughout the year. To reinforce these practices, routine phishing simulations are conducted across the organization to test employees awareness and provide targeted follow-up training, as needed. Through the Master Services Agreement with Harley-Davidson, we take measures to regularly update and improve our cybersecurity program, including conducting assessments, performing penetration testing and scanning of our systems for vulnerabilities using external third-party tools and techniques to test security controls, auditing applicable data policies, and monitoring emerging laws and regulations related to information security. The program is designed based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework. However, this does not imply that we meet any particular technical standards, specifications or requirements, only that we use the NIST Cybersecurity Framework as a guide to help us identify, assess and manage cybersecurity risks relevant to our business. In addition, we periodically engage third-party advisors to assess the effectiveness of our cybersecurity program, policies and practices. We rely on Harley-Davidson to regularly consult with external advisors and cybersecurity providers regarding opportunities and enhancements to strengthen our policies and practices. With respect to third-party service providers, our cybersecurity program includes conducting due diligence of relevant and material service providers' information security programs prior to onboarding. In general, we also contractually require material third-party service providers with access to our information technology systems, sensitive business data or personal information to implement and maintain reasonably appropriate security controls and to use our personal information only to provide services to us, except as required by law. While we have experienced, and may in the future experience, cybersecurity incidents, prior incidents have not materially affected the Company's business, results of operations or financial condition. Although we have invested in the protection of our data and information technology and monitor our systems on an ongoing basis, there can be no assurance that such efforts will in the future prevent material compromises to our information technology systems that could have a material adverse effect on our business. See Item 1A. Risk Factors, which are incorporated by reference into this Item 1C. Governance Our Board of Directors has risk oversight responsibility for us and administers this responsibility both directly and with assistance from the Audit and Finance Committee, which periodically reports to the Board of Directors on its risk oversight 56 activities. Cybersecurity is a critical component of our overall risk management program. Our Board of Directors is actively involved in reviewing our information security and technology risks and opportunities (including cybersecurity) and discusses these topics on a regular basis. The Audit and Finance Committee, comprised solely of independent directors, oversees our enterprise risk management program and assists the Board of Directors in fulfilling its oversight responsibility with respect to our information security and technology risks (including cybersecurity), which are included as part of our enterprise risk management systems. The Audit and Finance Committee reviews and discusses our information security and technology risks (such as cybersecurity), including our information security and risk management programs. Our cybersecurity program is contracted through and led by Harley-Davidson's Chief Information Security (CISO) , who is responsible for assessing and managing our data privacy function and information security and technology risks (including cybersecurity). In October 2025, the CISO left Harley-Davidson and the Chief Digital and Operations Officer assumed the responsibilities of acting CISO from October until his departure on December 31, 2025. Harley-Davidson's IT Security Manager is serving as acting CISO, executing all the responsibilities of the CISO, while Harley-Davidson conducts a search to fill the position. The Company's IT Security Manager has over 20 years of experience in Information Technology, including 13 years focused on cybersecurity and regulatory compliance, with leadership roles spanning Enterprise Security Architecture, Security Operations and Incident Response, Cybersecurity Engineering, and Application Security. This background includes developing and executing security strategies, managing incident prevention and response, and leading operational risk programs. The CISO reports to Harley-Davidson's Chief Legal, Compliance and Corporate Affairs Officer, who has been providing legal support to the Harley-Davidson's Corporate Information Security Office for over nine years. The Harley-Davidson CISO meets regularly with the appropriate management to review and discuss our cybersecurity and other information technology risks and opportunities. Our cybersecurity incident response plan sets forth a security incident management and reporting protocol, with escalation timelines and responsibilities. The Audit and Finance Committee receives periodic updates from the Harley-Davidson CISO or his designee on our cybersecurity program, including industry trends, the current state of our business systems, and any current known risks or concerns related thereto. The Audit and Finance Committee is involved in reviewing our information security and technology risks, including with respect to cybersecurity and reports on such matters to the Board as necessary, and at least annually.
Item 1C. Governance Our Board of Directors has risk oversight responsibility for us and administers this responsibility both directly and with assistance from the Audit and Finance Committee, which periodically reports to the Board of Directors on its risk oversight 56 activities. Cybersecurity is a critical component of our overall risk management program. Our Board of Directors is actively involved in reviewing our information security and technology risks and opportunities (including cybersecurity) and discusses these topics on a regular basis. The Audit and Finance Committee, comprised solely of independent directors, oversees our enterprise risk management program and assists the Board of Directors in fulfilling its oversight responsibility with respect to our information security and technology risks (including cybersecurity), which are included as part of our enterprise risk management systems. The Audit and Finance Committee reviews and discusses our information security and technology risks (such as cybersecurity), including our information security and risk management programs. Our cybersecurity program is contracted through and led by Harley-Davidson's Chief Information Security (CISO) , who is responsible for assessing and managing our data privacy function and information security and technology risks (including cybersecurity). In October 2025, the CISO left Harley-Davidson and the Chief Digital and Operations Officer assumed the responsibilities of acting CISO from October until his departure on December 31, 2025. Harley-Davidson's IT Security Manager is serving as acting CISO, executing all the responsibilities of the CISO, while Harley-Davidson conducts a search to fill the position. The Company's IT Security Manager has over 20 years of experience in Information Technology, including 13 years focused on cybersecurity and regulatory compliance, with leadership roles spanning Enterprise Security Architecture, Security Operations and Incident Response, Cybersecurity Engineering, and Application Security. This background includes developing and executing security strategies, managing incident prevention and response, and leading operational risk programs. The CISO reports to Harley-Davidson's Chief Legal, Compliance and Corporate Affairs Officer, who has been providing legal support to the Harley-Davidson's Corporate Information Security Office for over nine years. The Harley-Davidson CISO meets regularly with the appropriate management to review and discuss our cybersecurity and other information technology risks and opportunities. Our cybersecurity incident response plan sets forth a security incident management and reporting protocol, with escalation timelines and responsibilities. The Audit and Finance Committee receives periodic updates from the Harley-Davidson CISO or his designee on our cybersecurity program, including industry trends, the current state of our business systems, and any current known risks or concerns related thereto. The Audit and Finance Committee is involved in reviewing our information security and technology risks, including with respect to cybersecurity and reports on such matters to the Board as necessary, and at least annually.

Company Information