Compass Diversified Holdings 10-K Cybersecurity GRC - 2026-02-27

Page last updated on February 27, 2026

Compass Diversified Holdings reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 21:57:45 EST.

Filings

10-K filed on 2026-02-27

Compass Diversified Holdings filed a 10-K at 2026-02-27 21:57:45 EST
Accession Number: 0001345126-26-000026


Item 1C. Cybersecurity.

Risk Management and Strategy

Cybersecurity risk management and strategy is overseen both as a critical component of our overall risk management program and as a standalone program. We have implemented a risk-based, cross-functional approach to identifying, preventing, and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt and appropriate escalation of cybersecurity incidents so that decisions regarding the remediation, reporting, and public disclosure of such incidents can be made by management in a timely manner.

Our cybersecurity program is designed to leverage people, processes, and technology to identify cybersecurity threats quickly and respond to them effectively. To that end, we utilize a variety of mechanisms such as risk assessments using applicable industry-specific cybersecurity frameworks such as the National Institute of Standards and Technology, control gap analyses, penetration testing, vulnerability scanning, cyber insurance that aligns with our subsidiaries' risk profiles, and other internal assessments. We also engage external third-party service providers, where appropriate, to assess, test, or otherwise assist with aspects of our security processes.

We are committed to protecting the security and integrity of our systems, networks, databases, and applications. We routinely invest in our information technology infrastructure and in the development and implementation of stronger cybersecurity programs and processes, including risk management and assessment measures, security and event monitoring capabilities, and prevention and protection capabilities. Our employees also undergo mandatory annual security awareness training to enhance their understanding of cybersecurity threats and to strengthen their ability to identify and escalate potential cybersecurity events. Additionally, in fiscal year 2024, our full Board received training from an outside service provider on cybersecurity and data privacy in addition to the cyber awareness training that the Board regularly receives. These and other tools allow us to more effectively assess the cybersecurity risks presented by the rapidly evolving technological landscape and to evaluate the potential vulnerabilities that these threats may attempt to generate and exploit.

We are also aware of the cybersecurity risks inherent in the use of third-party service providers. To mitigate such risks, we apply a risk-based approach extending to providers across our supply chain who have access to our customer and employee data and our systems. This is done as part of our overall enterprise risk process. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers.

To date, our business strategy, results of operations, and financial condition have not been, and are not reasonably likely to be, materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. For more information on our cybersecurity-related risks, see Item 1A "Risk Factors" of this Form 10-K.

Cybersecurity Governance

Board and Audit Committee Oversight

Our Board considers cybersecurity risk as part of its overall risk oversight function and has delegated oversight of cybersecurity risks to the Audit Committee. The Audit Committee is responsible for, in part, (i) reviewing and monitoring emerging cybersecurity developments and threats; (ii) evaluating the risks such developments and threats pose to our systems, data, finances, and other components of our business; (iii) ensuring compliance with cyber-related legal, regulatory, and other disclosure requirements; and (iv) assessing the Company's network security and information security policies and practices, risk mitigation strategies, and related internal controls. Where appropriate, the Audit Committee reports any findings and recommendations to the full Board for consideration.

Both the Board and the Audit Committee periodically review the measures we have implemented to identify and mitigate cybersecurity risks. As part of such reviews, our Board and Audit Committee receive and consider reports and presentations from members of our management team responsible for overseeing cybersecurity risk management. These periodic reviews address various topics including evolving regulatory standards, recent developments, vulnerability assessments, third-party reviews, and other information security topics that senior management deems necessary.

Management's Cybersecurity Role

Our management is responsible for the day-to-day assessment and management of cybersecurity risks. Members of our senior management, comprising our Compliance Committee, regularly monitor and evaluate cybersecurity risks and trends, and report any material developments to the Audit Committee of the Board, including through delivery of periodic reports and presentations as described above. We have also established protocols by which cybersecurity incidents that meet established reporting thresholds are escalated internally and, where appropriate, reported to the Audit Committee or the Board in a timely manner


Company Information

Name: Compass Diversified Holdings
CIK: 0001345126
SIC Description: Household Furniture
Ticker: CODI - NYSE, CODI-PB - NYSE, CODI-PA - NYSE, CODI-PC - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 31