LUXFER HOLDINGS PLC 10-K Cybersecurity GRC - 2026-02-24

Page last updated on February 24, 2026

LUXFER HOLDINGS PLC reported its cybersecurity risk management and governance process in its annual 10-K, filed on 2026-02-24 at 16:37:24 EST.

Filings

10-K filed on 2026-02-24

LUXFER HOLDINGS PLC filed a 10-K at 2026-02-24 16:37:24 EST
Accession Number: 0001096056-26-000015


Item 1C. Cybersecurity.

... see Item 1C for further information regarding our disclosed cybersecurity procedures.

Legacy liabilities from previously owned or divested businesses could result in future claims and financial exposure

We have sold or closed businesses over time. Products and services provided during prior periods may still give rise to claims, including product liability, environmental or other liabilities. Such claims could be costly and could materially and adversely affect our operations, financial position and cash flows.

Risks associated with products, technology and intellectual property

Our ability to protect intellectual property and proprietary information affects our competitive position and profitability

Our profitability depends in part on our ability to protect proprietary information and intellectual property rights. We rely on patents, trade secrets, trademarks and confidentiality agreements. Our intellectual property rights may be challenged, invalidated, circumvented or may not provide meaningful protection in all jurisdictions. Some key patents have expired or will expire in coming years, potentially reducing barriers to entry and increasing pricing pressure. If we cannot protect or enforce our rights, or if we are forced to rebrand products due to trademark challenges, our competitive position could suffer and our results of operations, financial position and cash flows could be materially and adversely affected.

Dependence on third-party intellectual property and potential infringement claims could disrupt operations and increase costs

We license certain technologies from third parties and may be exposed to risks if licenses expire, terminate, are non-exclusive, or become unavailable on acceptable terms. We may also be subject to claims that our products or processes infringe third-party intellectual property. If such claims are successful, we could be required to pay damages, cease manufacturing certain products, redesign products, obtain costly licenses, or be prevented from entering certain markets. Defense costs and diversion of management attention could be significant and could materially and adversely affect our results.

Our performance depends on continued research, development and successful innovation

Our products are highly technical. To maintain and improve our market position, we depend on continued research and development and timely innovation. We may experience delays in development, or innovations may not achieve market acceptance or profitability. Competitive products and substitute materials may reduce demand for our offerings, and without timely improvements or new products, our existing products could become less competitive or obsolete, materially and adversely affecting our results of operations, financial position and cash flows. We collaborate on research with universities and, in addition, spent $4.3 million, $4.4 million and $4.6 million in 2025, 2024 and 2023, respectively, on our own research and development activities. We expect to fund our future research and development expenditure requirements through operating cash flows and restricted levels of indebtedness, but if operating profit decreases, we may not be able to invest in research and development or continue to develop new products or enhancements.

Operational Risks

We may pursue acquisitions, which involve integration challenges, financial risks and uncertainty regarding expected benefits

We may pursue acquisitions as part of our strategy. Acquisitions and integrations involve risks, including unidentified liabilities, integration challenges, increased indebtedness, impairment charges, loss of key personnel, and distraction of management. We cannot assure that acquisitions will achieve anticipated benefits, and any adverse outcome could materially and adversely affect our results.

Failures to perform under supplier or customer contracts could result in penalties, loss of business and reputational harm

Failures to perform under supplier or customer contracts could result in penalties, damages, loss of business, or reputational harm. Certain supplier contracts may include minimum purchase commitments, and certain customer contracts may include firm delivery requirements. Demand weakness or operational disruptions could increase exposure under such provisions and could materially and adversely affect our results.

We rely on key personnel and skilled employees, and failure to attract or retain talent could adversely affect our operations

We rely on key executives and technical personnel. Loss of key personnel or inability to attract and retain qualified employees could harm our ability to execute strategy and maintain technical capabilities and could materially and adversely affect our results. We do not carry key person insurance covering the loss of any of our executives or employees.

Fraud, control failures or errors in finance processes could result in financial loss, misstatement and regulatory exposure

Our business relies on the accurate and timely processing of financial transactions and the proper operation of finance and accounting processes across the Group. These processes involve the use of manual inputs, judgment and reliance on information provided by employees and third parties. There is a risk that fraudulent transactions, unauthorized activities, misappropriation of assets or deliberate circumvention of controls could occur, as well as a risk of errors arising from human error, inadequate segregation of duties, system limitations or process failures. Such incidents could result in financial losses, misstatement of our financial results, regulatory scrutiny, litigation, reputational harm and a loss of investor and stakeholder confidence. Any material failure to prevent, detect or correct fraudulent activity or significant errors within the finance process could materially and adversely affect our results of operations, financial position and cash flows.

Business interruptions at our production facilities could disrupt operations and adversely affect results and cash flows

Our production facilities could experience interruptions due to severe weather, natural disasters, fires, explosions, equipment failure, utility outages, terrorism, pandemics or labor disruptions. Some products and processes involve materials that are flammable or potentially explosive if mishandled. Such events could cause injuries, property damage, environmental harm, operational disruptions and reputational damage. Insurance may not cover all losses, and interruptions could materially and adversely affect our results and cash flows.

Labor relations and reliance on unionized workforces could disrupt operations and increase costs

Some facilities rely on unionized labor. Strikes, lock-outs, labor disputes or other work stoppages could disrupt operations and materially and adversely affect our results.

We depend on distributions from subsidiaries to meet obligations, and restrictions could limit our ability to fund operations or dividends

Luxfer Holdings PLC operates through subsidiaries and depends on distributions from those subsidiaries to fund obligations, dividends and corporate activities. Subsidiary distributions may be restricted by law, contractual arrangements, and operating needs. If subsidiaries are unable to make distributions, our ability to fund operations, service debt or pay dividends may be adversely affected.

Our indebtedness and financing arrangements could limit flexibility and expose us to refinancing and interest rate risk

Our indebtedness could affect our ability to fund working capital, capital expenditures, acquisitions and dividends. Debt agreements contain restrictive covenants that may limit strategic flexibility. Rising interest rates could increase interest expense on floating-rate debt. If we cannot generate sufficient cash to service debt or refinance maturities on acceptable terms, we may need to refinance, sell assets, reduce investment, or raise equity, any of which could materially and adversely affect our business and results. As of December 31, 2025, we had $25.0 million of indebtedness under our senior notes (the "Loan Notes") due in 2026. There was also a $15.3 million drawn balance on the revolving credit facility ("RCF"), with $109.7 million of headroom remaining as of December 31, 2025. In July 2025 we completed a refinancing of our shelf facility; its terms remain the same, with expiry now in July 2030 rather than October 2026.

General risks

Future dividends are at the discretion of our Board and may be reduced or suspended based on financial and legal constraints

Future dividends are at the discretion of our Board and depend on many factors, including results of operations, cash requirements, debt facilities, financial position, contractual restrictions and applicable laws. Under English law, dividends may be paid only from profits available for distribution. Any change in dividend levels, or suspension of dividends, could adversely affect the market price of our ordinary shares.

Compliance with U.S. securities laws and internal control requirements could result in increased costs and expose us to reporting and control risks

As a U.S. public company, we are subject to extensive U.S. securities law reporting requirements, including obligations to design, maintain, and assess the effectiveness of internal control over financial reporting. These controls provide reasonable, not absolute, assurance that financial information is reliable and that fraud is prevented or detected. Failure to maintain effective internal controls could result in inaccurate financial reporting, inability to prevent or detect fraud, loss of investor confidence, regulatory scrutiny, and a decline in the market price of our ordinary shares. In addition, compliance with these reporting and control requirements places a significant and ongoing strain on management's time and on operational and financial resources, as management must evaluate and report on the effectiveness of internal controls annually under Section 404(a) and quarterly under Section 302 of the Sarbanes-Oxley Act, which includes ongoing system and process evaluation and testing.

Our incorporation outside the United States and the location of certain directors, officers and assets may make it difficult to enforce U.S. judgments

Luxfer is incorporated in England and Wales, and certain directors and officers reside outside the U.S. A substantial portion of our assets and the assets of such persons are located outside the U.S. As a result, it may be difficult to effect service of process within the U.S. or to enforce U.S. judgments against the Company or such persons based on U.S. federal securities laws.

Item 1B. Unresolved Staff Comments

None.

Item 1C. Cybersecurity

Overview

Luxfer recognizes that as business-efficiency demands lead to a more digitized world, cybersecurity and privacy risks have become critical business issues. Luxfer understands the systemic nature of these threats to the safety of our Company, customers, and employees. Consequently, Luxfer has integrated cybersecurity risk management into our broader enterprise risk management processes. Luxfer is committed to safeguarding and protecting our information technology ("IT") network, equipment, and systems against cybersecurity threats to ensure our security and reduce risk.

Process and Standards

We devote significant resources to network security, data encryption, monitoring, and system maintenance. Our cybersecurity program is aligned with best practices, specifically the DFARS / NIST 800-171 IT Security Standard for US Government Contractors, reflecting our global operational footprint. During the year, we further strengthened our defense strategy through the enterprise-wide implementation of Sophos Endpoint Detection and Response (EDR) solutions, enhancing our real-time threat analysis and mitigation capabilities across our network. To ensure long-term success, we are committed to discovering and preparing for potential threats through the following mechanisms:

- Incident Response: We maintain an incident response plan that establishes procedures for reporting and handling cybersecurity events.
- Audits and Assessments: We perform periodic security audits and assessments, regularly engaging qualified independent third parties to assess our cybersecurity maturity and control environment.
- Third-Party Risk: We depend on third-party vendors for firewalls, virus solutions, and backups. To manage this risk, our IT professionals perform due diligence and risk analyses on vendors, verifying security testing prior to software installation.

As of the date of the filing of this Form 10-K, we are not aware of any successful attempts by third parties to gain access to our systems that have had, or are reasonably likely to have, a material effect on our business, operations, or financial condition. Although no incidents have been material to date, we recognize that cyber-attacks are becoming more sophisticated and our network remains potentially vulnerable.

Governance Objectives

We will continually review and update our existing governance, policies, and practices, when necessary, to address the following objectives:

- Business Continuity, Availability, and Asset Protection: Ensure continuous business operations and safeguard the availability, integrity, and confidentiality of technology, data, intellectual property, and network infrastructure assets.
- Cybersecurity Resilience and Incident Management: Strengthen cyber-resiliency by enhancing controls for the rapid detection, mitigation, and effective response to cybersecurity incidents.
- Compliance and Data Governance: Maintain comprehensive compliance with all applicable external regulations (such as GDPR) and internal policies, including requirements for customer and employee confidentiality and privacy.

Board of Directors Oversight

The Board of Directors is responsible for overseeing cybersecurity, information security, and technology risk as part of its regular risk oversight function. The Board, comprised of independent Non-Executive Directors and one Executive Director, receives regular reports on information security matters from the Senior Leadership team at least quarterly, as it is their responsibility to oversee Management's actions to identify, assess, mitigate and remediate material risk.

Management's Role

The cybersecurity program is managed by our IT Steering Committee, which maintains the vision, strategy, and operation of the program.

- Committee Structure: The Committee is chaired by a member of the executive leadership team and includes IT Managers from across the company.
- Operational Responsibility: Local IT teams, managed by IT Managers, are responsible for the day-to-day implementation and monitoring of IT policies within their respective business units.
- Expertise: IT personnel are qualified within their respective roles and are provided with the resources necessary to carry out their responsibilities.

Human Capital and Training

Luxfer views its employees as a key line of defense. In addition to global policies covering IT security standards, Luxfer maintains a comprehensive, mandatory compliance training program. This includes:

- Policy Attestation: Employees must review applicable IT policies and attest to their understanding and agreement to comply.
- Phishing Simulations: The IT Steering Committee conducts internal phishing simulations to test employee reactions and collect metrics, such as click rates, to pinpoint trouble spots and target additional training.

Risks

Luxfer is committed to discovering and preparing for all potential cybersecurity threats. We set out below certain mitigating actions that we believe help us manage our principal cybersecurity risks.

Technical and Operational Risk

Risk Description: Luxfer's operations are dependent on IT systems. A successful cyber-attack (including disruption to the network, systems, and services) could inhibit business operations, impacting sales, production, and cash flows. Furthermore, reliance on third-party vendors for core services (e.g., firewalls, backup solutions) introduces external risk if their measures are compromised.

Management of Risk:
- Layered Defense: Implementation of technical controls including firewalls, threat monitoring systems, protected cloud architecture, and frequent security patching.
- System Integrity: Phasing out vulnerable operating systems, updating legacy servers with advanced security features, and ensuring core operating data applications are fully backed up.
- Vendor Due Diligence: Our IT professionals perform thorough due diligence and risk analysis on all third-party vendors, verifying sufficient security testing before software installation and regularly monitoring access permissions.

Human and Employee Risk

Risk Description: Employees represent a key vulnerability, as advancing cyber-attacks and phishing scams may lead to failure in recognizing threats or relying solely on automated defenses.

Management of Risk:
- Mandatory Training: Global policies cover IT security standards, and a comprehensive, mandatory compliance training and awareness program educates all employees on threat recognition and incident reporting.
- Phishing Simulations: Internal phishing simulations are continuously carried out to engage employees, raise awareness, and collect metrics (e.g., click rate) to pinpoint trouble spots and target additional, specific training where needed. All results are reported to the Senior Leadership Team.

Regulatory and Assessment Risk

Risk Description: Non-compliance with regulations, such as the UK General Data Protection Regulation (GDPR), which governs personally identifiable information security, can result in significant fines or litigation following a data breach.

Management & Controls:
- Compliance Framework: We make every effort to comply with GDPR and other applicable regulations through best practices, including annual review of the Data Protection Policy and implementation of secure systems and access control measures.
- Audits and Assessments: Periodic security audits and assessments are performed across the cybersecurity program. We regularly engage qualified independent third parties to assess cybersecurity maturity, review the security control environment, and ensure operating effectiveness.


Company Information

Name: LUXFER HOLDINGS PLC
CIK: 0001096056
SIC Description: Industrial Inorganic Chemicals
Ticker: LXFR - NYSE
Website:
Category: Accelerated filer
Fiscal Year End: December 31