Page last updated on February 27, 2026
INTERNATIONAL PAPER CO /NEW/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 16:25:22 EST.
Accession Number: 0000051434-26-000055
Item 1C. Cybersecurity.
ITEM 1C. CYBERSECURITY RISK MANAGEMENT AND STRATEGY

The Company's cybersecurity risk management processes are integrated into our overall risk management system. The Company has a formalized enterprise risk management program overseen by the Board of Directors and committees of the Board of Directors that addresses strategic, operational, financial, compliance, legal and information technologies and cybersecurity risks. Each year, the Chief Audit Executive provides the Board of Directors and members of the ELT with a comprehensive update on the Company's risk management activities. This update includes a structured, collaborative review through which key risks are examined and prioritized. In 2025, the Board of Directors identified seven priority risks for the Company, including cybersecurity.

The Company has an Information Technology ("IT") Risk Governance Program that aligns with our enterprise risk management framework and assists with fulfilling oversight responsibilities for major IT risks, including cybersecurity risks. An enterprise Cyber Governance, Risk, and Compliance function manages overall Company cyber risk, coordinating risk management functions with each business. Business and IT leaders conduct cyber risk reviews monthly within each business. These monthly reviews include the evaluation of new and evolving risks, management of risk mitigation plans, and a review of all cybersecurity incidents meeting certain criteria.

Our Cybersecurity Risk Assessment Program

The Company has a risk assessment program in place to assess, identify and manage material risks from cybersecurity threats. Cybersecurity risks the Company faces include targeted attacks, ransomware, malware, phishing attacks, data theft, other data or security breaches, virus and intrusion software, as well as attacks to our website, financial applications, operational technology, telecommunications and human resources data.

Key aspects of the Company's cybersecurity program include the following:

- layered technical protective capabilities and detective surveillance controls;
- using independent third parties to assess the Company's practices related to, and provide expertise and assistance with, various aspects of information security, as further described below;
- courses and awareness training on information security for employees with Company email or access to Company devices, including phishing, social engineering and other cybersecurity training as well as targeted training for specific roles based on responsibilities and risk level;
- global security and privacy policies; and
- business continuity, incident response and disaster recovery procedures, including table top exercises involving senior leaders.

The Company does not believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected the Company, including its business strategy, results of operations or financial condition. For a full discussion of cybersecurity risks facing the Company, please see Part I, Item 1A. Risk Factors - We are subject to cybersecurity and information technology risks related to breaches of security pertaining to sensitive company, customer, employee and vendor information as well as breaches in technology used to manage operations and other business processes. The Company carries cyber insurance which provides coverage in connection with cybersecurity breaches.

Engagement of Third Parties

The Company engages third parties in connection with assessing, identifying and managing its cybersecurity risks.
All of the following activities were conducted in both regions in 2025, except for the annual security program assessment which was completed in North America and is planned for EMEA in 2026:

- Engagement of an independent third party with incident response expertise to provide intelligence-based cybersecurity solutions and services to assist the Company with preparing for, preventing, investigating, responding to and remediating cybersecurity incidents, including attacks that target on-premise, cloud, and critical infrastructure environments.
- Engagement of an independent third party to conduct an annual security program assessment of the controls, maturity and performance of the Company's information security program and the information security risk associated with the Company's business systems. The assessment uses the National Institute of Standards and Technology Cybersecurity Framework as its benchmark.
- Engagement of a leading third-party service provider to periodically perform an external and an internal penetration assessment using industry standard tools and techniques.

In 2025, the Company began transitioning to a strategic outsourcing model for certain North America IT functions to enhance efficiency and resilience. The Company has employed the following processes to oversee and identify material risks from cybersecurity threats associated with the Company's use of third-party service providers in North America and EMEA including the following:

- The Company's cybersecurity risk management program takes into account third-party systems whereby the Company could be impacted by the compromise of the security of vendors or other business relations of the Company, and the Company has a comprehensive third-party access management system.
- The Company conducts risk-based due diligence on the profiles of third-party service providers with respect to cybersecurity risks prior to engagement.
- Providers of critical and outsourced services are continuously monitored with respect to security risks, including periodic audits and compliance reviews.
- The Company also requires service providers to adhere to the Company's cybersecurity standards, maintain robust security controls, and provide prompt notification of any actual or suspected breach impacting Company data or operations.

These measures are designed to mitigate risks associated with use of third parties including outsourcing of non-core IT functions overseas while maintaining compliance with applicable regulatory requirements and protecting the integrity of the Company's systems and data. We expect the transition to be finalized in the second quarter of 2026. Additionally, our Internal Audit team conducts annual assessments of our cyber programs and controls.

Oversight of Third Parties

The Company has processes to oversee and identify material risks from cybersecurity threats associated with the Company's use of third-party service providers. In this regard, the Company's cybersecurity risk management program takes into account third-party systems whereby the Company could be impacted by the compromise of the security of vendors or other business relations of the Company, and the Company has a comprehensive third-party access management system. In addition, the Company conducts risk-based due diligence on the profiles of third-party service providers with respect to cybersecurity risks prior to engagement, and providers of critical and outsourced services are continuously monitored with respect to security risks, including periodic audits and compliance reviews. The Company also requires service providers to adhere to the Company's cybersecurity standards, maintain robust security controls, and provide prompt notification of any actual or suspected breach impacting Company data or operations.
These measures are designed to mitigate risks associated with use of third parties including outsourcing of non-core IT functions overseas while maintaining compliance with applicable regulatory requirements and protecting the integrity of the Company's systems and data.

CYBERSECURITY GOVERNANCE

Role of the Board of Directors and its Committees

International Paper has an integrated board and executive-level governance structure that oversees risks from cybersecurity threats. The Company's Board of Directors has primary oversight of our enterprise risk management program, which includes cybersecurity risk. Moreover, the Board of Directors is supported in its oversight by the Audit and Finance Committee and Public Policy and Environment Committee ("PPE Committee"), which share oversight responsibilities related to the Company's information security programs. The Audit and Finance Committee reviews management's cybersecurity and information security risk management programs and controls, including processes for management's identification and reporting of material cybersecurity incidents. The PPE Committee reviews technology issues pertinent to the Company including those associated with information and operational technology, cybersecurity and data security and assesses related Company strategies. Our Board of Directors, Audit and Finance Committee and PPE Committee each receive periodic updates on cybersecurity issues from management (including our Chief Information Security Officer ("CISO")). For example, the CISO provides reports to the Audit and Finance Committee and PPE Committee annually regarding cybersecurity risks, as well as plans and strategies to mitigate those risks.

Role of Management

At a management level, our cybersecurity risk management program is led by our CISO. Our current CISO has been with the Company for over 30 years, worked in Information Technology for over 25 years, and has led the Company's security efforts since 2011.
Appointed as the Company's first CISO in 2019, our CISO stays current on cybersecurity issues and trends through continuing education activities such as participation at conferences and in webinars. Our CISO reports to our Chief Financial Officer. Additionally, our CISO and members of the cybersecurity team hold several industry recognized certifications, such as Certified Information Systems Security Professional, Certified Information Security Manager, and Certified Ethical Hacker, among others.

The Company has adopted a global cyber-incident response plan which provides for controls and procedures in connection with cybersecurity events, including escalation procedures summarized below. The cyber-incident response plan captures our North America and EMEA operations and is designed to address non-operational and operational cybersecurity events. Evaluation and response to cybersecurity events is led by our Cybersecurity Incident Response Teams ("CIRTs"), under the direction of our CISO. The CIRTs are made up of subject matter experts representing information security, information technology, operational technology and legal. The CIRTs perform an impact assessment with respect to cybersecurity incidents, gather facts and provide a chronology of events in connection therewith, and lead remediation and recovery activities. Our General Counsel, Senior Vice President, Chief Human Resources Officer, Chief Ethics and Compliance Officer (or their respective designees), Global Chief Privacy Officer and CISO review and assess significant non-operational data breaches. Cybersecurity events that meet specified criteria for operational impact are escalated for further review to our Business Continuity Incident Command Teams ("Incident Command Teams").
The Incident Command Teams perform an initial assessment that includes evaluation of the cybersecurity event's severity, response required, and estimated business cost, and lead the execution of business continuity plans to maintain Company operations. Cybersecurity events meeting certain criteria are escalated to our Disclosure Committee, General Counsel and Chief Financial Officer for further review, and, if appropriate, may be further elevated for the review of the Board of Directors. The Disclosure Committee, General Counsel and Chief Financial Officer assess and determine materiality using the facts gathered and chronology of events provided by the Incident Command Team. If deemed material, the event will be timely reported on a Current Report on Form 8-K in accordance with applicable SEC rules.

Company Information
| Name | INTERNATIONAL PAPER CO /NEW/ |
| CIK | 0000051434 |
| SIC Description | Paper Mills |
| Ticker | IP - NYSE, INPAP - OTC |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |