|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Sep. 30, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Item 1C. Cybersecurity.
Risk Management and Strategy
We have a cybersecurity program to assess, identify, and manage risks from cybersecurity threats. This includes multiple tools and processes for assessing, identifying, and managing material risks from cybersecurity threats.
Our efforts are designed to maintain the confidentiality, integrity, and availability of our information and operational technology systems and the data stored on those systems. The program includes:
•Conduct periodic risk assessments to identify material cybersecurity risks in our critical IT systems
•Monitor for external threats and manage incident response
•Engage third-party security providers for penetration testing and program reviews based on National Institute of Standards and Technology (“NIST”) standards
•Perform internal audit reviews of IT-related controls
•Assess cybersecurity risks of third-party vendors
•Train employees regularly, including phishing simulations
The cyber security program is continually adapting to the evolving threat landscape and technology developments.
A multi-functional enterprise cyber security and Infrastructure team reviews and assesses top cybersecurity risks. This assessment is shared with members of senior management, including the CFO and Senior Vice President (“SVP”), IT, and helps guide the Company's cybersecurity operational priorities and strategy. In addition, cybersecurity risks are integrated into the Company’s broader Enterprise Risk Management program and, when identified, are reported to relevant business and governance leaders within the Company for appropriate action.
To support the ongoing identification and management of cybersecurity issues, the Company provides information security employee training, conducts global and targeted phishing simulation campaigns and conducts tabletop exercises. The Company also deploys a combination of security tools and experts to help prevent, detect, contain, eradicate and recover from potential cybersecurity issues and cyber-attacks. Further, the Company engages third-party consultants and services for cyber threat intelligence, insights and assessments of its cybersecurity risk posture and governance.
The Company’s third-party intake process incorporates cybersecurity risk into the assessment of our third-party vendors when we engage a new vendor or experience a change in relationship with an existing vendor. Further, the Company’s cybersecurity team conducts reviews of its third-party vendors depending on the vendor’s risk profile as determined by its cybersecurity team.
As a global company, we manage a variety of cybersecurity threats and cannot wholly eliminate the risk of adverse impacts from such incidents. However, as of the date of this Form 10-K, we have not identified any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of our operations or financial condition. For additional information on the risks from cybersecurity threats that we have faced in the past and expect to continue to face in the future, please refer to the “Risk Factors” in Part I, Item 1A of this Form 10-K.
Security Policy and Requirements
As part of our overall risk management program, we have adopted our Information Security Policy which details the overall risk-based framework and governance for the management and security of our information technology assets and information. The policy applies to everyone who accesses our data or information resources and all of our information systems and resources, including third parties we engage. Our program aligns with the NIST 2.0 cybersecurity framework.
Governance
Our Board of Directors is part of the Company’s Cyber Response Task Force and table top simulations. Additionally, the Board of Directors have delegated to the Audit Committee oversight responsibility of our risk management program, including cybersecurity, business continuity, IT operational resilience, and data privacy. The Audit Committee has specific responsibility for reviewing the status of the security of the Company’s electronic data processing information systems related to the Company’s people, assets and information systems. The Audit Committee receives regular updates from the SVP, IT, about information security and systems security programs and plans, including emerging trends and progress on overall enterprise cybersecurity programs and priorities. These updates occur at least two times a year, with interim updates as needed. Additionally, we have protocols by which certain cybersecurity incidents are reported promptly to the Chief Executive Officer, or the Audit Committee, as appropriate. A Cyber dashboard is also provided to the Board of Directors quarterly.
Management is responsible for implementing its strategic plans, including identifying, evaluating, managing and mitigating the risks inherent in them, such as cybersecurity risks.
Internal Cybersecurity Team
The Information Security organization reports into the SVP, IT and includes a dedicated team of centralized information security experts with extensive cybersecurity knowledge and experience to manage the cyber risk under the leadership of the Director of Information Security.
The team is responsible for the following:
•Implementing Enterprise-wide cybersecurity strategy
•Developing and enforcing Cybersecurity Policy
•Developing and enforcing Cybersecurity Standards
•Approving and reviewing Cybersecurity Architecture
•Developing and enforcing Cybersecurity Processes
•Developing and testing Cybersecurity Incident response
•Performing other Cybersecurity operational activities including but not limited to:
◦Vulnerability management strategy
◦Network security configurations
◦Risk Management and oversight of third parties
Our cyber security and infrastructure team’s experience includes a combined 102 years of experience. Further, our Director of Information Security, IT Governance Risk and Compensation Manager, Cybersecurity Team Lead, and Industrial Security and Network Senior Analyst all hold the Certified Information Systems Security Professional (CISSP) credential, widely recognized as the global standard for information security expertise. CISSP certification demonstrates advanced knowledge across eight security domains, a minimum of five years of industry experience, and adherence to strict ethical standards. This designation reflects our leaders’ ability to align technical controls with business risk, ensuring robust governance, regulatory compliance, and resilience against evolving cyber threats. Our team takes steps to stay informed about and monitor efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include: briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in our IT environment.
Incident Response
We have adopted a cybersecurity incident response plan that is designed to provide a framework across all functions for a coordinated identification and response to security incidents. The plan specifies the process for identifying, validating, classifying, documenting, and responding to cybersecurity events as well as determining whether reporting of an event is appropriate under regulatory standards. Internal reporting and escalation protocols are in place to ensure the involvement of the SVP, IT, other senior leaders, and the Audit Committee, as appropriate. Under the plan, we conduct tabletop exercises to test our preparedness and our incident response process, and we provide ongoing training.
In fiscal 2025, the Company developed a Cybersecurity Incident Materiality Policy (the “Policy”) to guide the Company through the materiality decision making framework, SEC reporting and disclosures obligations, disclosure controls and procedures related to a cybersecurity incident, and a communication protocol to escalate material incidents to the Board and supplements the Company’s Cybersecurity Incident Response Plan. In addition to the Policy, the Company also formed a Cyber Incident Disclosure Committee, which includes key stakeholders whose role will be to determine whether an incident is material and, therefore, requires public disclosure.
Risk Factors
Additional information on cybersecurity risks we face is discussed in Item 1A, "Risk Factors,” which should be read in conjunction with the information in this section.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
Risk Management and Strategy
We have a cybersecurity program to assess, identify, and manage risks from cybersecurity threats. This includes multiple tools and processes for assessing, identifying, and managing material risks from cybersecurity threats.
Our efforts are designed to maintain the confidentiality, integrity, and availability of our information and operational technology systems and the data stored on those systems. The program includes:
•Conduct periodic risk assessments to identify material cybersecurity risks in our critical IT systems
•Monitor for external threats and manage incident response
•Engage third-party security providers for penetration testing and program reviews based on National Institute of Standards and Technology (“NIST”) standards
•Perform internal audit reviews of IT-related controls
•Assess cybersecurity risks of third-party vendors
•Train employees regularly, including phishing simulations
The cyber security program is continually adapting to the evolving threat landscape and technology developments.
A multi-functional enterprise cyber security and Infrastructure team reviews and assesses top cybersecurity risks. This assessment is shared with members of senior management, including the CFO and Senior Vice President (“SVP”), IT, and helps guide the Company's cybersecurity operational priorities and strategy. In addition, cybersecurity risks are integrated into the Company’s broader Enterprise Risk Management program and, when identified, are reported to relevant business and governance leaders within the Company for appropriate action.
To support the ongoing identification and management of cybersecurity issues, the Company provides information security employee training, conducts global and targeted phishing simulation campaigns and conducts tabletop exercises. The Company also deploys a combination of security tools and experts to help prevent, detect, contain, eradicate and recover from potential cybersecurity issues and cyber-attacks. Further, the Company engages third-party consultants and services for cyber threat intelligence, insights and assessments of its cybersecurity risk posture and governance.
The Company’s third-party intake process incorporates cybersecurity risk into the assessment of our third-party vendors when we engage a new vendor or experience a change in relationship with an existing vendor. Further, the Company’s cybersecurity team conducts reviews of its third-party vendors depending on the vendor’s risk profile as determined by its cybersecurity team.
As a global company, we manage a variety of cybersecurity threats and cannot wholly eliminate the risk of adverse impacts from such incidents. However, as of the date of this Form 10-K, we have not identified any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of our operations or financial condition. For additional information on the risks from cybersecurity threats that we have faced in the past and expect to continue to face in the future, please refer to the “Risk Factors” in Part I, Item 1A of this Form 10-K.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Internal Cybersecurity Team
The Information Security organization reports into the SVP, IT and includes a dedicated team of centralized information security experts with extensive cybersecurity knowledge and experience to manage the cyber risk under the leadership of the Director of Information Security.
The team is responsible for the following:
•Implementing Enterprise-wide cybersecurity strategy
•Developing and enforcing Cybersecurity Policy
•Developing and enforcing Cybersecurity Standards
•Approving and reviewing Cybersecurity Architecture
•Developing and enforcing Cybersecurity Processes
•Developing and testing Cybersecurity Incident response
•Performing other Cybersecurity operational activities including but not limited to:
◦Vulnerability management strategy
◦Network security configurations
◦Risk Management and oversight of third parties
Our cyber security and infrastructure team’s experience includes a combined 102 years of experience. Further, our Director of Information Security, IT Governance Risk and Compensation Manager, Cybersecurity Team Lead, and Industrial Security and Network Senior Analyst all hold the Certified Information Systems Security Professional (CISSP) credential, widely recognized as the global standard for information security expertise. CISSP certification demonstrates advanced knowledge across eight security domains, a minimum of five years of industry experience, and adherence to strict ethical standards. This designation reflects our leaders’ ability to align technical controls with business risk, ensuring robust governance, regulatory compliance, and resilience against evolving cyber threats. Our team takes steps to stay informed about and monitor efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include: briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in our IT environment.
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef