INTERNATIONAL BUSINESS MACHINES CORP 10-K Cybersecurity GRC - 2026-02-24

Page last updated on February 24, 2026

INTERNATIONAL BUSINESS MACHINES CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-24 16:07:07 EST.

Filings

10-K filed on 2026-02-24

INTERNATIONAL BUSINESS MACHINES CORP filed a 10-K at 2026-02-24 16:07:07 EST
Accession Number: 0000051143-26-000010


Item 1C. Cybersecurity.

Risk Management and Strategy

Cybersecurity is a critical part of risk management at IBM and is integrated with the company's overall enterprise risk management framework. The Board of Directors and the Audit Committee of the Board are responsible for overseeing management's execution of cybersecurity risk management and for assessing IBM's approach to risk management. Senior management is responsible for assessing and managing IBM's exposure to cybersecurity risks on an ongoing basis.

From an enterprise perspective, we implement a multi-faceted risk management approach based on the National Institute of Standards and Technology Cybersecurity Framework. We have established policies and procedures that provide the foundation upon which IBM's infrastructure and data are managed. We regularly assess and adjust our technical controls and methods to identify and mitigate emerging cybersecurity risks. We use a layered approach with overlapping controls to defend against cybersecurity attacks and threats on IBM networks, end-user devices, servers, applications, data, and cloud solutions. We draw heavily on our own commercial security solutions and services to manage and mitigate cybersecurity risks. IBM maintains global Security Operations Centers ("SOCs") that monitor for threats to IBM's networks and systems, utilizing threat intelligence provided by a range of sources, including the IBM Security X-Force Exchange platform, which maintains one of the largest compilations of threat intelligence in the world. We also rely on tools licensed from third party security vendors to monitor and manage cybersecurity risks. We periodically engage third parties to supplement and review our cybersecurity practices and provide relevant certifications. We have a global incident response process, managed by IBM's Computer Security Incident Response Team ("CSIRT"), that relies primarily on internal expertise to respond to cybersecurity threats and attacks.

We utilize a combination of online training, educational tools, videos and other awareness initiatives to foster a culture of security awareness and responsibility among our workforce, including responsibility for reporting suspicious activity. IBM has a third party supplier risk management program to oversee and identify risks from cybersecurity threats associated with its use of third party service providers and vendors. Risks are assessed and prioritized based, among other things, on the type of offering/engagement, supplier assessments, threat intelligence, and industry practices.

As discussed in greater detail in Item 1A., "Risk Factors," the company faces numerous and evolving cybersecurity threats, including risks originating from the increased use of AI; intentional acts of individuals and groups of criminal hackers, hacktivists, state-sponsored organizations, nation states and competitors; intentional and unintentional acts or omissions of customers, contractors, business partners, vendors, employees and other third parties; and errors in processes or technologies, as well as the risks associated with the number of customers, contractors, business partners, vendors, employees and other third parties working remotely. While the company continues to monitor for, identify, investigate, respond to and remediate cybersecurity risks, including incidents and vulnerabilities, there have not been any that have had a material adverse effect on the company, though there is no assurance that there will not be cybersecurity risks that will have a material adverse effect in the future.

Governance

Escalation of cyber risk is a core function within IBM's cyber governance so that emerging threats, incidents, and vulnerabilities are promptly communicated, escalated, and remediated at the appropriate leadership level across the enterprise.

IBM's Enterprise & Technology Security ("E&TS") organization is responsible for the security of both IBM's internal systems and external offerings and works across IBM to protect its brand and its clients against cybersecurity risks. E&TS also addresses cybersecurity risks associated with third party suppliers. For these purposes, E&TS includes a dedicated Chief Information Security Officer ("CISO") whose team is responsible for leading enterprise-wide information security strategy, policy, standards, architecture, and processes for IBM's internal systems. The CISO is responsible for enterprise incident response; the Product Security Incident Response Team ("PSIRT"), which focuses on product vulnerabilities potentially affecting the security of offerings sold to customers; and the Business Information Security Officers ("BISO"), who focus on security issues specific to particular business segments. The CSIRT team, together with the Office of the CISO, Cyber Legal, and BISOs, engages in ongoing review of incidents, threat intelligence, detections, and vulnerabilities, including to assess client and regulatory impact. CSIRT leads and coordinates incident response investigations, which, depending on the nature of the matter, may include individuals from E&TS, the Office of the CISO, the Office of the Chief Information Officer, Cyber Legal, Business Units, the Risk, Compliance and Integrity Team, Human Resources, Procurement, Finance and Operations, and Corporate Security. Events of interest are promptly reported to the Chief Legal Officer ("CLO"), the Chief Financial Officer, and the Senior Vice President ("SVP") overseeing the impacted business unit. If required by the scale of the incident, an executive is appointed to provide the unified business leadership, coordination, and project management necessary to manage the broader business response under the direction of the CLO.

The Board of Directors, the Audit Committee, and senior management participate in cyber incident tabletops to exercise preparedness for incidents and to strengthen cyber governance. The Cybersecurity Advisory Committee ("CAC") is a senior executive committee comprised of SVPs from the business (Software, Consulting, Infrastructure) and corporate functions (Legal, Finance, Marketing/Communications), which provides oversight and direction for the management of the company's cybersecurity risk. It serves as a key resource and escalation point for IBM's CISO and operating units on significant and emerging cybersecurity incidents, risks, policies, and practices. IBM executives responsible for managing cybersecurity risk reflect a cross-section of functions from across the organization with significant experience in managing such risk as well as the technologies underlying these risks. They also hold leadership positions outside of IBM in the field of cybersecurity, serving on governing and advisory boards of public and private institutions at the forefront of issues related to cybersecurity, including technology development, cybersecurity policy, and national security.

The Board of Directors and the Audit Committee oversee risk management at IBM. Leadership from E&TS, including the CISO, makes regular presentations to the Audit Committee and the full Board on identification, management, escalation, and remediation of cybersecurity risks, both internal and external, as well as threat intelligence, emerging global policies and regulations, cybersecurity technologies, and best practices. In addition, executive management provides briefings as needed to the Lead Independent Director, Audit Committee Chair, the Audit Committee, and, as appropriate, the full Board on cybersecurity issues and incidents of potential interest.


Company Information

Name: INTERNATIONAL BUSINESS MACHINES CORP
CIK: 0000051143
SIC Description: Computer & office Equipment
Ticker: IBM - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 31