Alexander & Baldwin, Inc. 10-K Cybersecurity GRC - 2026-02-27

Page last updated on February 27, 2026

Alexander & Baldwin, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 20:55:55 EST.

Filings

10-K filed on 2026-02-27

Alexander & Baldwin, Inc. filed a 10-K at 2026-02-27 20:55:55 EST
Accession Number: 0001545654-26-000003

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity, and in particular cybersecurity risk management, is an important part of operations and a focus area for the Company. Cybersecurity risks are evaluated on an ongoing basis by the Company's Technology department, both internally and with the assistance of external firms. The Company engages a national security firm to improve its cybersecurity posture and keep current with evolving cybersecurity risks. The Company's cybersecurity program is examined on a regular basis, and new procedures and tools are 22 adopted on an ongoing basis to address the changing cybersecurity landscape. The Company's technology team gauges the effectiveness of its tools with periodic testing and evaluations. The Company's Board of Directors oversees the overall risk management process, including cybersecurity risks, which it administers in part through its Audit Committee . One of the Audit Committee's responsibilities involves reviewing the Company's policies regarding risk assessment and risk management, including with respect to cybersecurity risks. Risk oversight plays a role in all major decisions of the Company's Board of Directors, and the evaluation of risk is a key part of its decision-making process. Cybersecurity risks are considered as part of the risk management process across all levels of the organization but are also facilitated through a formal process in which the Company identifies significant risks through regular discussions with management and also develops responses and mitigating actions to address such risks. In conjunction with the Company's Internal Audit department, management compiles a report of significant, enterprise risks that is shared with the Company's Board of Directors and its Audit Committee annually or as needed. In addition, cybersecurity and information security risks are among the matters presented by the Chief Technology Officer ("CTO") for discussion with the Company's Board of Directors annually and its Audit Committee quarterly or as needed. The CTO, who reports to the Chief Financial Officer, is responsible for leading the assessment and management of cybersecurity risks . The Company's current CTO has more than twenty-five years of experience in IT across diverse industries, and he has designed and led the approach for the modernization of the Company's technology platforms and security posture since 2017. As many security threats involve social engineering, the Company maintains a security awareness and training program for all employees. The program provides continuous, adaptive security simulations and education, including brief quarterly training modules focused on emerging and relevant threats. The Company monitors participation and progress to help ensure ongoing preparedness and awareness across the organization. The Company does not believe that any risks from cybersecurity threats to date, including as a result of any previous cybersecurity incidents of which the Company is aware, have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial conditions. Refer to the risk factor captioned, " Security breaches through cyber attacks or intrusions, or other significant disruptions of the Company's information technology ("IT") networks, communications, and related systems could impair our ability to operate, adversely affect our financial condition, and damage our reputation. ," in Part I, Item IA. "Risk Factors" for additional description of cybersecurity risks and potential related impacts on the Company. 23

Company Information