FMC CORP 10-K Cybersecurity GRC - 2026-02-27

Page last updated on February 27, 2026

FMC CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 11:49:25 EST.

Filings

10-K filed on 2026-02-27

FMC CORP filed a 10-K at 2026-02-27 11:49:25 EST
Accession Number: 0000037785-26-000041

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Processes As noted in Item 1A. Risk Factors, FMC recognizes that the threat of cybersecurity breaches may create significant risks for the Company. Accordingly, we are committed to an ongoing and comprehensive program to protect all company data, as well as data in our supply chain, from these threats. Our cybersecurity program includes governance defined by IT policies and standards and a robust IT risk management program. FMC uses several tools and controls to manage IT risk including, but not limited to, controls for the management of privileged access, anti-malware tools, required trainings for employees including an annual training module, simulated email phishing attacks, and other email security tools to detect and prevent intrusions as well as monitor threats. FMC employees have access to formal IT policies that define and clarify expected behaviors with respect to IT resources in various areas. The Company has a Cyber Incident Response Plan, which establishes procedures to prepare for and respond to a variety of cyber incidents, and engages in response planning, simulations, trainings, tabletop exercises, and other efforts to mitigate risk and prepare for a rapid response to any incidents should they occur. FMC performs a thorough security review prior to onboarding critical third-party providers, which includes review of third-party independent assessments in the form of SOC reports prior to contracting. SOC reports are also reviewed on an annual basis once the third-party is engaged. Additionally, our contracts with third-party providers require those organizations to notify FMC of any cyber incident that occurs when our information has been impacted. Periodically, the Company has its cybersecurity programs audited by independent third parties using the NIST Cybersecurity Framework, which provides guidance to organizations on how to identify, prevent, detect, respond, and recover from cybersecurity threats. Management Oversight in Cybersecurity Governance FMC's senior management Executive Committee and Leadership Team, which includes the Chief Executive Officer and all Company vice presidents, is responsible for review and oversight of the Company's cybersecurity programs and risk assessment as well as the strategic direction of the program to address evolving risks. Steven Kipp, Director of IT Security and Compliance, serves as management's expert in cybersecurity management and reports to the Andi Le, Chief Digital Officer and member of FMC's Leadership Team. Mr. Kipp is responsible for administering the Company's information security program, including processes for cybersecurity risk assessment, compliance with applicable security and data protection requirements, and coordination of incident response activities. He has more than forty years of leadership experience in information security and counterintelligence roles across the military, defense, and corporate sectors. Mr. Kipp holds advanced degrees in Strategic Intelligence and Business Management and has completed executive level security training at the Wharton School. He also engages with industry and government partners to obtain and apply timely threat intelligence and relevant best practices to support the protection and resilience of the Company's information assets. Additionally, Andrew Sandifer, Executive Vice President and Chief Financial Officer, has completed continuing professional education courses covering the role of management and the board of directors in cybersecurity governance. Members of the management team are encouraged to engage in education opportunities related to cybersecurity. FMC has established a process to assess the nature, scope and timing of a cyber incident and communicate the facts of the incident to management and the board of directors and, if needed, investors. In the event of a cybersecurity incident, the incident response team, which is managed by IT personnel, is responsible for ensuring the Chief Executive Officer and other members of the Executive Committee and Leadership Team are notified in a timely manner. For any cybersecurity incident, there will be a cross-functional review, including the IT, legal, and finance teams, to evaluate qualitative and quantitative factors related to the incident to determine if the impact of the event is material. Individuals from other departments may be involved in this review depending on the facts and circumstances of the incident. These individuals will be responsible for responding to the event and monitoring the impacts on the Company's operations, financial position, and results of operations. This team will also evaluate cyber incidents in the aggregate if related events occur. During the response and recovery related to a cyber incident, this team will meet daily or weekly depending on the severity of the event and continuously evaluate the nature, scope, and timing of the event. Members of the senior management, including the Chief Financial Officer, Chief Accounting Officer, and General Counsel, as well as the Chief Digital Officer and Director of IT Security and Compliance will be briefed as to the facts and circumstances of a cyber incident and determine if the event is considered material to the business. If such determination is made, the matter will be escalated to Board of Directors. For material incidents, the Company will provide information regarding the nature and scope of the incident to investors in compliance with SEC regulations. Throughout this process and the recovery following an incident, the Company is focused on considering the ever-changing facts and circumstances of the event and remaining as transparent with the investment community as possible. During 2025, FMC did not directly experience a cybersecurity breach in any FMC system. During 2025, we did receive notification of cybersecurity breaches affecting third-party vendors, but none were material in nature for FMC. Board of Directors Oversight in Cybersecurity Governance FMC's Board of Directors oversees the Company's cybersecurity program primarily through its Audit Committee, which is comprised of independent directors whose prior work experience provides them with insights as to potential cybersecurity risks and mitigation strategies. Company executives along with external and internal cybersecurity experts update the Audit Committee at least quarterly on risks related to cybersecurity and the steps taken to monitor and control risk exposure. Additionally, the results of periodic audits performed on the Company's cybersecurity programs, described above, are communicated to the Audit Committee upon completion. In addition to the routine updates provided to the Audit Committee, FMC has an established policy for communication of cybersecurity incidents with the Board of Directors and, if material, the investor community. Refer to the discussion above for further details of this policy.

Company Information