Alcoa Corp 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

Alcoa Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 16:52:29 EST.

Filings

10-K filed on 2026-02-26

Alcoa Corp filed a 10-K at 2026-02-26 16:52:29 EST
Accession Number: 0001193125-26-077167


Item 1C. Cybersecurity.

Risk Management and Strategy

The Company's processes for assessing, identifying, and managing material risks from cybersecurity threats are integrated into our overall Enterprise Risk Management (ERM) process. As part of the ERM, the Company focuses on developing multi-layered, collaborative processes to identify, monitor, and manage risks from cybersecurity threats. Risks are grouped into categories that management can then assess, monitor, and prioritize based on the likelihood of an occurrence, level of impact, and mitigating factors.

The Company maintains cybersecurity risk management processes that span multiple functions, including, but not limited to, third-party risk management and vulnerability management. These processes are supported by technologies designed to provide visibility into, and protection against, cybersecurity risks, including real-time monitoring of network and system traffic. The Company has established a comprehensive framework of policies and standards to assess, identify, and manage material cybersecurity risks, including an incident response plan, business continuity plan, crisis management plan, and disaster recovery capabilities, all of which are regularly tested and updated. In addition, the Company employs personnel dedicated to promoting cybersecurity awareness and delivering training across the organization.

The Company engages third-party assessors, consultants, and auditors to assist in assessing, identifying, and managing risk from cybersecurity threats. Third parties assist the Company by (i) providing regular penetration testing and vulnerability assessments; (ii) assessing and maintaining our formal incident response policies, including the use of tabletop testing; and (iii) providing multiple sources of threat intelligence information that are fed directly into our technical security platforms and our awareness campaigns, including ongoing network monitoring.

The Company also has a comprehensive third-party information security monitoring program in place. Alcoa has implemented processes designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to a security risk assessment prior to engagement to determine if they meet defined levels of security capabilities. Our master services agreements with third-party service providers include several security requirements, including audit rights for the Company. After engagement, third-party service providers are subject to audits in which contract owners within Information Technology Automation Solutions (ITAS) validate that any certifications a vendor had upon engagement are maintained throughout the life of the agreement.

We have in the past experienced attempts and incidents by external parties to penetrate our, our service providers', and our business partners' networks and systems. To date, no cybersecurity incident or attack, or any risk from cybersecurity threats, has materially affected or has been determined to be reasonably likely to materially affect the Company or our business strategy, results of operations, or financial condition. See Part I Item 1A of this Form 10-K for more information on risks.

Governance

The Alcoa Board of Directors (Board) is responsible for the oversight of our cybersecurity risk management program, and specifically, reviews and oversees the Company's risk management and strategy relating to cybersecurity, including cybersecurity developments and threats and the Company's process for assessing, managing, and mitigating material cybersecurity risks and threats.

The Board receives regular updates from the Chief Information Security Officer (CISO) and the Chief Information Officer (CIO) regarding the state of the Company's cybersecurity program, cybersecurity developments, and emerging threats, as well as regarding the Company's strategy to mitigate cybersecurity risks, which includes regular vulnerability assessments and employee training on cybersecurity matters.

Alcoa's CISO is responsible for maintaining identified material cybersecurity risks within the Company's ERM platform. On a quarterly basis, the CISO reviews and updates risks, as well as the control procedures in place. These risks are regularly reported to the Board.

Between Board meetings, the Audit Committee assists the Board in its review and oversight of the Company's risk management and strategy relating to cybersecurity, and regularly reports to the Board on such activities. The Audit Committee also escalates matters to the full Board, as necessary.

Alcoa's CISO has over thirty years of experience in information technology, including over fifteen years in cybersecurity, and prior to joining Alcoa, was the CISO of the U.S. business of a large global insurance and asset company and was responsible for the security of data, systems, and processes supporting customer assets. Alcoa's CISO maintains professional certifications in information security, participates in intelligence sharing organizations, and has extensive cybersecurity risk management experience in manufacturing organizations and reports to the CIO. Alcoa's CIO has almost thirty years of information technology experience, including a diverse knowledge in manufacturing and process control solutions, corporate applications, infrastructure, and service delivery operations. The CISO closely collaborates with the CIO and Chief Financial Officer in managing material risks from cybersecurity threats.

Alcoa also maintains an information security steering committee (ISSC), which oversees current and emerging cybersecurity risks and investments in the cybersecurity risk protections for the Company. The steering committee is comprised of a cross-functional team of leaders from across Alcoa's business groups, including the CISO (the ISSC Chair) and CIO.

The Company has established comprehensive incident response plans that set forth the processes through which cybersecurity incidents are managed, including how management is informed of cybersecurity incidents. As part of these plans, incidents are evaluated, classified, and elevated to an executive team which includes the CISO and executives on the Crisis Response Team. Once elevated, these executives are ultimately responsible for the management, mitigation, and remediation of incidents.


Company Information

Name: Alcoa Corp
CIK: 0001675149
SIC Description: Primary Production of Aluminum
Ticker: AA - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 31