Ingevity Corp 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

Ingevity Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 16:23:25 EST.

Filings

10-K filed on 2026-02-26

Ingevity Corp filed a 10-K at 2026-02-26 16:23:25 EST
Accession Number: 0001653477-26-000014

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY At Ingevity, we understand that strong cybersecurity is essential to protecting sensitive information and maintaining trust. Our program is grounded in industry-recognized standards, including the ISO 27001 information security framework, for which we achieved certification in 2024. Our diverse cybersecurity team uses advanced technologies, including AI and machine learning, to enhance and continuously refine our defenses. We also collaborate closely with local, state, and federal agencies, as well as peers across the chemical manufacturing sector, to stay ahead of emerging threats and implement effective measures that safeguard our employees, customers, and operations. Key Components of Our Cybersecurity Program: Leadership and Governance. We maintain a highly skilled team of internal and external cybersecurity professionals, led by our Vice President of Information Technology, Chief Information Officer, and Chief Information Security Officer ("VP of IT"), who brings more than three decades of experience in information security and information technology. Our cybersecurity team holds deep expertise across the security domain and maintains a range of advanced industry certifications, including ISA/IEC 62443 Cybersecurity Expert, ("ISC")² certifications, Certified Information Security Manager ("CISM"), and Certified Information Systems Security Professional ("CISSP"). Beginning in 2025, the Sustainability & Safety Committee of our Board of Directors assumed oversight of our cybersecurity and risk management programs, a responsibility previously held by the full Board. This shift enables more focused and in-depth review of cybersecurity matters. The Committee receives quarterly updates from the VP of IT and periodic briefings from external cybersecurity experts, while the full Board receives at least one formal update each year supported by regular Committee reporting. We continuously monitor our information systems with advanced security controls and routine audits to identify and address vulnerabilities. Our incident response plan provides immediate mitigation steps, long-term remediation, and measures to prevent recurrence. The VP of IT regularly briefs the executive leadership team to ensure senior management stays informed of cybersecurity risks, incidents, and emerging threats. We also maintain strict controls over the collection, storage, and access of personal, proprietary, and confidential information, with a focus on protecting trade secrets, intellectual property, third-party data, and employee information. Industry-Standard Frameworks, Policies, and Protection Measures. We follow industry-recognized practices, including the ISO 27001 information security standard, for which we earned certification in 2024. Our program includes continuous network monitoring, preventive and detective controls, and annual independent security assessments to help safeguard sensitive information. Incident Response and Testing . We maintain a comprehensive incident response plan supported by regular simulations, vulnerability scans, penetration tests, and independent assessments to continually strengthen our cybersecurity controls and resilience. Third-Party Monitoring . A managed security services provider monitors our enterprise network 24/7. We also require third-party providers with access to personal, confidential, or proprietary information to maintain strong cybersecurity measures aligned with legal requirements and industry best practices. 22 Our proactive cybersecurity approach combines advanced technologies with collaboration from third-party experts to maintain alignment with industry standards and strengthen the protection of sensitive information for both our organization and our customers. Over the past three years, we have not experienced any cybersecurity threats or incidents that have had, or are reasonably likely to have, a material effect on our business strategy, results of operations, or financial condition. However, despite our security architecture, controls, and those of our third-party providers, we remain exposed to risks such as cyberattacks, ransomware, security breaches, system failures, the rapid evolution and increased adoption of AI and inadvertent or malicious employee actions. Any such event could materially impact our operations or financial performance.

Company Information