Page last updated on February 20, 2026
Metallus Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-20 14:14:24 EST.
Filings
10-K filed on 2026-02-20
Metallus Inc. filed a 10-K at 2026-02-20 14:14:24 EST
Accession Number: 0001193125-26-061042
Item 1C. Cybersecurity.
Our cybersecurity program is led by a team of skilled cybersecurity professionals, including dedicated internal cybersecurity resources and external advisors. In the normal course of business, we may collect and store sensitive information, including proprietary and confidential business information, trade secrets, intellectual property, sensitive third-party information and employee information. In April 2025, we obtained ISO 27001 certification, an internationally recognized standard for information security. This certification allows us to maintain an information security management system that best protects the confidentiality, integrity and availability of our information. We maintain a robust cybersecurity incident response plan, which details the incident response procedures, tactical and strategic team membership, and points of contact related to the response processes. The Company also maintains a detailed decision-tree-based playbook which is a supplement to the plan and focuses on specific types of incidents and the appropriate response steps. Cybersecurity is an important part of our ERM program, and the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach. The Company's cybersecurity policies, standards, processes, and practices for assessing, identifying and managing material risks from cybersecurity threats and responding to cybersecurity incidents are fully integrated into the Company's ERM program. The plan and playbook are structured to align with the National Institute of Standards and Technology ("NIST") Cybersecurity framework practices. The plan and playbook are reviewed at least annually by internal and external resources. In addition, we maintain insurance that includes cybersecurity coverage.
The Company adheres to a periodic, third-party facilitated testing exercise of the cybersecurity incident response plan and playbook with the Company's tactical and strategic team members. The teams are comprised of key members of the organization and external advisors who hold critical importance in the handling of cybersecurity events. The exercise covers response procedures for prevalent cybersecurity incidents including but not limited to phishing, third-party breaches, and a standard incident response process. The documentation helps leaders make appropriate, pre-planned decisions. To assist, appendices detailing generalized incident response checklists and workflows from the Cybersecurity & Infrastructure Security Agency and the NIST are referenced and used as a framework. Lastly, the response plans contain instructions on collecting and incorporating lessons learned after a successful identification and remediation of a security event. The information security team also works in partnership with the Company's internal audit team to review and test the operating effectiveness of our information technology-related internal controls with our external auditor as part of our overall internal controls process. In addition, the rapid evolution and increased adoption of artificial intelligence ("AI") and similar machine learning technologies may intensify our cybersecurity risks. We have established an AI council comprised of a cross-functional group of employees with an objective to deliver value by providing education regarding the uses, benefits and risks of AI and similar technologies in our business, establishing and monitoring a governance framework and principles for our use of AI, and enabling deliberate experimentation with new technologies employing AI. At this time, our use of AI is focused primarily on back-office assistance, data analytics and improving product quality and asset reliability. 
In light of the pervasive and increasing threat from cyberattacks, the Board of Directors, with input from management, assesses the measures implemented by us to mitigate and prevent cyberattacks. The Company's information technology leadership team consults with and provides regular updates to the Board of Directors, as well as members of our executive leadership team, as appropriate, on technology and cybersecurity matters, the status of projects to strengthen our information security systems, assessments of the information security program, timely reports regarding any cybersecurity incident that meets established reporting thresholds, and the emerging threat landscape. The information technology leadership team also consults regularly with the Board of Directors' cybersecurity expert in between meetings. Our program is evaluated by internal and external experts with the results of those reviews reported to senior management and the Board of Directors at least semi-annually. In addition, the Company has an information technology governance committee, which is comprised of members of our executive leadership team and the information technology leadership team. The information technology governance committee meets at least quarterly and as necessary to discuss the cybersecurity program and other relevant topics. In an effort to enhance the skills and capabilities of the Board of Directors and improve the Board's oversight of cybersecurity risks, in 2022 the Board appointed Mary Ellen Baker as a director. Ms. Baker brings to the Board additional technology and cybersecurity expertise, with extensive experience in governance and risk oversight related to technology, cybersecurity and control environment assurance, as well as large-scale technology, operations, cybersecurity and enterprise data initiatives.
The Board of Directors has oversight responsibility for our data security practices and we believe the Board has the requisite skills and awareness into the design and operation of our data security practices to fulfill this responsibility effectively. As of the date of this report, we are not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition. See "Risk Factors - General Risk Factors" for additional information about the risks to our business associated with a breach or compromise to our information security systems.
Company Information
| Name | Metallus Inc. |
| CIK | 0001598428 |
| SIC Description | Steel Works, Blast Furnaces & Rolling Mills (Coke Ovens) |
| Ticker | MTUS - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |