Primo Brands Corp 10-K Cybersecurity GRC - 2026-02-27

Page last updated on February 27, 2026

Primo Brands Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 15:58:24 EST.

Filings

10-K filed on 2026-02-27

Primo Brands Corp filed a 10-K at 2026-02-27 15:58:24 EST
Accession Number: 0001628280-26-012779

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Risk Management, Strategy and Governance The Company maintains a robust cybersecurity infrastructure to safeguard our operations, networks and data through comprehensive security measures including our technology tools, internal management and external service providers. The Company's Chief Information Security Officer ("CISO") is responsible for assessing, identifying, and managing our risks from cybersecurity threats. This individual has over 30 years of experience in information security positions. Our CISO holds the Certified in Risk and Information Systems Control ("CRISC") certification from the Information Systems Audit and Control Association, a leading independent cybersecurity association. Our Board of Directors, primarily through the Audit Committee, oversees management's approach to managing cybersecurity risks. The Audit Committee holds periodic discussions with management regarding the Company's guidelines and policies with respect to cybersecurity risks and receives regular reports regarding such risks and the steps management has taken to monitor and control any exposure resulting from such risks. Our CISO also leads an annual review and discussion with the full Board of Directors dedicated to the Company's cyber risks, threats, and protections and provides updates throughout the year, as warranted. Our processes and risk-based methodology align closely with the National Institute of Standards and Technology Cybersecurity Framework. The Cybersecurity and Data Protection Program incorporates comprehensive controls, including Asset Management, Business Continuity & Disaster Recovery, Change Management, Configuration Management, Continuous Monitoring, Cryptographic Protections, Data Classification & Handling, Endpoint Security, Identity & Access Management, Incident Response, Network Security, Physical & Environmental Security, Data Privacy, Security Operations, Security Awareness & Training, Third-Party Management, Threat Management, and Vulnerability & Patch Management. The Chief Information Security Officer (CISO) routinely evaluates emerging threats, controls, and procedures to assess, identify, and manage risks. This ongoing review can help facilitate the detection of material breaches at other organizations, including those involving our third-party service providers. Our CISO regularly discusses cyber risk trends and strategies for safeguarding information from cybersecurity incidents with both our Audit Committee and executive leadership team, and also conducts an annual review with the full Board of Directors . Beyond the oversight provided by our internal information security and technology teams, we also retain independent third-party cybersecurity firms to deliver Security Operations Center monitoring, managed detection and response, and threat and vulnerability management services. Regular engagement with these external partners enhances our ability to identify and address evolving threats. We periodically evaluate our third-party relationships and services to ensure alignment with industry standards and the latest cybersecurity challenges. We keep employees informed about new risks and require completion of annual security awareness training, supplemented by additional targeted training as necessary. All personnel participate in yearly training programs, with specialized sessions for certain roles and functions. Moreover, we conduct periodic internal exercises to measure the effectiveness of training initiatives and determine if further training is needed. Material cybersecurity incidents are required to be reported to the Board of Directors and to the SEC on Form 8-K. Our systems and services are vulnerable to interruptions or other failures resulting from cybersecurity attacks, such as computer viruses, ransomware, phishing, hackers, or other security issues. In addition, the rapid evolution and increased adoption of new technologies, such as artificial intelligence, may intensify our cybersecurity risks. An interruption or cybersecurity breach, disruption or misuse of our information systems, or the information systems of our third-party service providers, could have a material negative effect on our business, financial condition and results of operations but we have processes in place to mitigate these risks. As of the date of this report, in the past twelve months, we have not experienced material business disruption, 38 Table of Content s monetary loss, and/or data loss as a result of phishing, business email compromise or other types of attacks, and we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. However, we face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.

Company Information