Avery Dennison Corp 10-K Cybersecurity GRC - 2026-02-25

Page last updated on February 25, 2026

Avery Dennison Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 11:32:11 EST.

Filings

10-K filed on 2026-02-25

Avery Dennison Corp filed a 10-K at 2026-02-25 11:32:11 EST
Accession Number: 0000008818-26-000015

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY Cybersecurity Risk Management and Strategy Our cybersecurity risk management program, which is designed to protect the confidentiality, integrity and availability of our critical systems and information, includes a comprehensive security incident response plan. It complements our enterprise risk management program overseen by our Board, using similar methodologies and governance processes to identify risks and mitigating strategies. We design and assess our program based on the ISO 27000 and the National Institute of Standards and Technology ("NIST") SP-800 and Cybersecurity Framework. We use these frameworks to help us identify, assess and manage cybersecurity risks relevant to our business and do not intend to suggest that we meet any particular technical standards, specifications or requirements. Our cybersecurity risk management program includes risk assessments designed to help identify potentially material cybersecurity risks to our critical systems, information security, products and services, as well as our broader enterprise information technology environment; an information technology security team principally responsible for managing our cybersecurity risk assessment processes, security controls and response to any cybersecurity events; the use of third party experts and service providers, where appropriate, to assess, test and otherwise assist with protecting our security environment ; cybersecurity awareness training for our employees and further training for our incident response personnel and senior management; a security incident response plan that includes procedures for assessing and coordinating our response to cybersecurity events; and a third-party risk management program designed to identify and mitigate risks associated with our supply chain and vendor ecosystem, which includes initial security posture assessments, contractual security requirements and ongoing monitoring of critical third parties to address potential cybersecurity threats. We have not experienced cybersecurity events that have materially affected our operations, results of operations or financial condition. However, we face ongoing risks from cybersecurity threats in an ever-evolving threat landscape that, if realized, could be reasonably likely to materially affect our business. Risks and uncertainties related to cybersecurity are discussed in greater detail under "Risks Related to Information Technology" in Item 1A of this report. Cybersecurity Governance Our Board considers cybersecurity risk as part of its overall risk oversight. In 2025, its Audit Committee was primarily responsible for overseeing our strategies, policies and risk management practices related to cybersecurity and information security, engaging with management, including our Chief Information Security Officer ("CISO"), who reports to our Chief Information Officer ("CIO"), a member of our Company Leadership Team and a direct report of our Chief Executive Officer ("CEO"). During 2025, our CIO and CISO provided semiannual updates on our cybersecurity preparedness to the Audit Committee. These updates covered the overall status of our cybersecurity program, results of risk assessments, the evolving threat landscape, performance against key performance indicators and the progress with strategic information security initiatives. The Audit Committee Chair reported on these matters to our full Board. In addition, management updated the Cybersecurity Advisory Council, composed of members of our Board and management, to obtain additional insights into our cybersecurity risk management, and, if and as needed, to the Audit Committee regarding any significant cybersecurity events, as well as events that may have had lesser potential impact. Effective January 2026, our Board formed a standalone Cybersecurity Committee to be primarily responsible for overseeing our strategies, policies and risk management practices related to cybersecurity and information security and the Cybersecurity Advisory Council ceased operating. Our cybersecurity leadership team ("CSLT") - which includes leaders accountable for security operations, incident response, risk and compliance, data security, application security, digital solutions security, vulnerability management and operational technology security - is responsible for assessing and managing our risks from cybersecurity threats. The CSLT, which is led by our CIO and CISO, is primarily responsible for our overall cybersecurity risk management program and supervises both our internal cybersecurity and information security personnel and the external consultants advising our company on these matters. Our information security management and personnel maintain a variety of technical and managerial security certifications and have broad security experience in manufacturing, finance, software and information technology environments. The CSLT manages our efforts to prevent, detect, mitigate and remediate cybersecurity risks and incidents through a variety of means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants; and reports from cybersecurity systems deployed in our information technology environment.

Company Information