AXON ENTERPRISE, INC. 10-K Cybersecurity GRC - 2026-02-25

Page last updated on February 25, 2026

AXON ENTERPRISE, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 20:38:42 EST.

Filings

10-K filed on 2026-02-25

AXON ENTERPRISE, INC. filed a 10-K at 2026-02-25 20:38:42 EST
Accession Number: 0001628280-26-011360

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy Our business depends on the secure and reliable operation of our information systems, which support operations, communications, supply chain management, billing, accounting, and other critical functions. We collect, process, store, and transmit personally identifiable and other sensitive information relating to employees, customers, third parties, and, in certain cases, subjects of law enforcement, and must protect its confidentiality, integrity, and availability. We maintain a formal cybersecurity and information security program that incorporates recommendations from recognized frameworks and standards, including ISO, SOC 2, CJIS, FedRAMP, and NIST. The Information Security team oversees the program, which is designed to identify, prevent, detect, respond to, and remediate cybersecurity vulnerabilities and incidents. To manage cybersecurity risk and support regulatory compliance and system availability, we undertake activities including monitoring evolving data protection laws; maintaining internal and customer-facing policies; providing regular employee training, including phishing simulations; requiring employees and service providers to safeguard data; conducting risk-based diligence and oversight of third-party vendors; performing periodic risk assessments, vulnerability scans, penetration testing, and tabletop exercises; updating security technologies; and maintaining cybersecurity insurance coverage. Third Party Monitoring and External Reviews We engage third-party technology providers to support the protection of our information systems and networks. These services include vulnerability assessments, incident response support such as computer forensics, internal and external audits for security certifications, and broader evaluations of program maturity. Material findings, significant control weaknesses, and key recommendations arising from these activities are reported to the Enterprise Risk and Compliance Committee of the Board of Directors of the Company ("ERC Committee"). Cybersecurity Management Team The Company's cybersecurity and information security program, including data privacy, is led by the Chief Information Security Officer ("CISO") , who oversees the Company's global information security function. The current CISO has more than 20 years of experience in information technology and information security, including leadership roles at Netflix, Salesforce, and Facebook, and has served as the Company's CISO since February 2024. He holds a Master of Science in Information Assurance and relevant industry certifications. The CISO attends quarterly meetings of the Disclosure Committee and the ERC Committee and provides updates regarding the Company's cybersecurity risk profile, program maturity, significant developments, and related disclosures included in the Company's filings with the SEC. The CISO, together with the Information Security team, leads the Security Incident Response Team, which investigates suspected cybersecurity threats and incidents. In the event of a potentially material cybersecurity incident, senior leadership, including the Chief Legal Officer, Chief Accounting Officer, Chief Operating Officer, Chief Financial Officer, and other appropriate members of management, participate in the response and assessment process. Board Oversight The Board of Directors oversees data and systems protection, including cybersecurity risk. The Audit Committee reviews significant legal, compliance, or regulatory matters that may materially impact the Company and consults with the ERC Committee on matters involving cybersecurity, data privacy, or information technology. The Chair of the ERC Committee also serves on the Audit Committee, facilitating coordination between the committees. 36 Table o f Contents The ERC Committee oversees the Company's enterprise risk management framework, including cybersecurity risk. The Information Security team and CISO report to the ERC Committee at least quarterly regarding cybersecurity risks, emerging threats, and the status of the Company's cybersecurity program. The ERC Committee provides updates to the Board of Directors. Incident Response and Assessment Policies and Procedures The Company maintains an incident response plan that establishes defined roles and responsibilities and includes disclosure controls and procedures for assessing the materiality of cybersecurity events. In the event of a potentially material cybersecurity incident, the Security Incident Response Team, under the direction of the Chief Legal Officer, evaluates relevant quantitative and qualitative factors, including incidents affecting third-party systems. The Team reports its findings to the Chair of the ERC Committee. If further review is warranted, the Audit Committee is convened, with members of the ERC Committee invited, to determine materiality consistent with SEC guidance. Incidents determined not to be material are reported to the ERC Committee at its next scheduled meeting. To date, the Company has not identified risks from known cybersecurity threats, including prior incidents, that have materially affected its operations, business strategy, results of operations, or financial condition. The Company faces ongoing cybersecurity risks that, if realized, could materially affect the Company. Additional information is provided in Item 1A of Part I of this Annual Report on Form 10-K. 37 Table o f Contents

Company Information