AMERICOLD REALTY TRUST 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

AMERICOLD REALTY TRUST reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 16:10:56 EST.

Filings

10-K filed on 2026-02-26

AMERICOLD REALTY TRUST filed a 10-K at 2026-02-26 16:10:56 EST
Accession Number: 0001628280-26-012274

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. Cyber Security Disclosure Risk Management and Strategy The Company maintains a robust enterprise-wide information security program aimed at assessing, identifying, and effectively managing cybersecurity risks, threats, and incidents. The Company has integrated cybersecurity risk management into its broader risk management framework to promote cybersecurity risk management company-wide. Third-Party Engagement The Company engages a range of third-party advisory service providers, including cybersecurity assessors, and consultants to conduct recurrent evaluations of its cybersecurity controls. These reviews are a critical component of the ongoing risk assessment process within the cybersecurity function and include periodic evaluations of internal controls aimed at mitigating cybersecurity threats. These assessments often include penetration tests, evaluations of the Company's cyber program maturity, and assessments of progress toward future-state cyber initiatives, among other considerations. The results of these assessments are reviewed with management and the Board. Oversee Third-Party Risk The Company implements processes to oversee and manage the risks inherent with third-party service providers, including conducting thorough security assessments prior to engagement. This is designed to mitigate risks related to data breaches or other security incidents originating from third party providers. Incident Response The Company has implemented internal incident response procedures to address potential cyber incidents. These procedures are designed to analyze, contain, and remediate any cyber incidents that may circumvent existing safeguards. The incident response procedures encompass a systematic approach to evaluate the materiality of incidents, execute appropriate containment and remediation measures, and evaluate internal (including the Board) and external communication and disclosure protocols. The Company also maintains data backup procedures in the event of a cybersecurity incident and for a business continuity plan in the event of business interruption. Examples of our backup procedures include regularly scheduled backups for various systems, critical system log files, and applications backup. Governance & Board Oversight The cybersecurity program is led by the Company's Chief Information Security Officer ("CISO"). The CISO plays a pivotal role in informing the Board on cybersecurity risks. Management, including the CISO, provides comprehensive briefings to the Board on cybersecurity risks at least quarterly. These briefings encompass a range of topics, including the current cybersecurity landscape and emerging threats, status of ongoing cybersecurity initiatives and strategies, incident reports, and compliance with regulatory requirements and industry standards. Additionally, the Board is regularly briefed on updates related to the Company's Global Information Security Program and the Company's Information Security Roadmap. The Board also oversees the prompt assessment of material cyber events including countermeasures and mitigation actions. In addition to scheduled meetings, the Board and CISO maintain an ongoing dialogue regarding emerging or potential cybersecurity risks and updates on any significant developments in the cybersecurity domain. Management's Role Managing Risk The Americold Global Information Security Program is structured to address cyber-related risks in alignment with the guidelines delineated in the National Institute of Standards and Technology ("NIST") security framework. The program also leverages various automated tools, manual processes, and routine periodic third-party assessments to promote the efficacy of our security measures. Furthermore, the program includes a formal information security training program that includes comprehensive security awareness initiatives and training modules, addressing critical areas such as phishing attacks and best practices for email security. The Company's Chief Information Officer ("CIO") and CISO work closely with other management positions, including the Chief Legal Officer and the Head of Internal Audit, to evaluate cybersecurity risks in alignment with our business objectives and operational needs. The CIO oversees the Company's security team and the CISO and has participated in the NIST review and validation of security procedures and processes. The individuals responsible for evaluating and managing the Company's cybersecurity risk have extensive experience managing organizational risk and implementing cybersecurity programs at companies. The CIO has more than 20 years of experience advising on the overall strategy of technology, including the incorporation of cyber security into the software development lifecycle and change management process. The CISO possesses more than 10 years of relevant expertise in cybersecurity and holds a Certified Information Systems Security Professional ("CISSP") certification. Other members of the Company's information security team also hold certifications such as Certified Information Security Manager ("CISM"), Certified Ethical Hacker ("CEH"), and Certified Information Systems Auditor ("CISA"). The Chief Legal Officer possesses many years of experience managing legal and compliance risk at public companies, including with respect to cybersecurity incidents. The Head of Internal Audit manages the Company's broader risk management framework, which includes cybersecurity risks, and has many years of prior experience assessing cybersecurity risks and programs at several companies. Impact of Cybersecurity Threats As previously disclosed, we have experienced significant cyber incidents in the past, including in November 2020 and April 2023, that have impacted our operations and financial results. The related expense is reflected in "Acquisition, cyber incident, and other, net" on the Consolidated Statements of Operations for the years ended December 31, 2025, 2024, and 2023, and any reserve balance is included in "Accounts payable and accrued expenses" in our Consolidated Balance Sheets as of December 31, 2025, and 2024. For additional information regarding such risks and the affects thereof on our business strategy, operations and financial condition, see Part I, Item 1A, Risk Factors - "We depend on information technology systems to operate our business, and issues with maintaining, upgrading or implementing these systems, could have a material adverse effect on our business."

Company Information