PKG: 10-K Risk Factor Changes

The Company maintains a cyber risk management program to prevent, detect and respond to information security threats. This program is supervised by a dedicated Chief Information Security Officer (CISO) whose team is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture and processes. The CISO manages the program in collaboration with the Company’s businesses and functions. To mitigate the risk of cybersecurity threats and data breaches we also have established policies and procedures, including a Cybersecurity & Data Breach Incident Response Policy and identified an Incident Response Team (IRT) with defined roles, responsibilities and means of communication. As part of our broader risk management and control framework we have implemented cybersecurity controls over the information technology and process control systems of the Company and of its third-party service providers. The Company engages third-party organizations to assess the controls around sensitive data, including but not limited to financial, employee, customer and vendor data as well as data affecting our process controls and data used to operate our manufacturing and converting facilities. We work with an independent assessor to conduct interim assessments and track ongoing efforts to continuously improve the Company’s cyber risk management program. The most recent assessment was completed at the end of 2022. In addition, the Company utilizes an independent audit firm to perform specific attack and penetration reviews on an annual basis. While we have experienced threats to our data and systems, as of December 31, 2025, we are not aware of any cybersecurity incidents that have materially impacted, or are reasonably likely to materially impact, our operations or financial condition. engages We work with an independent assessor to conduct interim assessments and track ongoing efforts to continuously improve the Company’s cyber risk management program. The most recent assessment was completed at the end of 2022. In addition, the Company utilizes an independent audit firm to perform specific attack and penetration reviews on an annual basis. we have experienced threats to our data and systems, as of December 31, 2025, we are not aware of any cybersecurity incidents that have materially impacted, or are reasonably likely to materially impact, our operations or financial condition. 15 15 Board Roles and ResponsibilitiesThe Audit Committee of the Board of Directors oversees the Company’s cyber risk management program. The Chief Information Officer (CIO) presents frequent updates to the Audit Committee and, as necessary, to the full Board of Directors. These regular reports include detailed updates on the Company’s performance preparing for, preventing, detecting, responding to and recovering from cyber incidents. In addition, we have established processes to notify the Audit Committee of active incidents, as deemed necessary. The Company’s program is periodically evaluated by third-party experts, and the results of those reviews are reported to the Board of Directors.Management Responsibilities The Incident Response Team that we have established as part of our cyber risk management program coordinates the Company’s response to incidents and communicates with internal and external stakeholders. The team includes members of our Senior Leadership and draws upon additional staff, consultants, advisors and service providers as needed. We are continuously focused on ensuring our Company is protected from potential cyber threats. Our Information Technology (IT) team is comprised of employees with a diverse mix of skills, backgrounds, perspectives, and relevant expertise, that undergo extensive training as part of their employment with the Company. We believe these measures together with our cyber risk management program as well as our policies, processes and procedures set a high benchmark for our employees to address and respond to cybersecurity threats.Our IT team regularly monitors best practices and as needed, implements changes to the Company’s cyber risk management program to ensure a robust program is maintained. Aspects of this program include plans and procedures for identifying, communicating and containing security incidents, regular risk assessments and testing of the Company’s internal infrastructure to identify vulnerabilities, procedures for recovering from disruptions to our operations, maintaining global security policies, and comprehensive end user training and cybersecurity drills for personnel.See “Part I, Item 1A. Risk Factors” of this Form 10-K for a discussion of cybersecurity risks.Item 2. PROPERTIESWe own and lease properties in our business. Primarily all of our leases are non-cancelable and are accounted for as operating leases. These leases are not subject to early termination except for standard nonperformance clauses.Information regarding our principal operating facilities, the segments that use those facilities, and a map of geographical locations is presented in “Part I, Item 1. Business” of this Form 10-K. We assess the condition and capacity of our manufacturing, distribution, and other facilities needed to meet our operating requirements. Our properties have been generally well maintained and are in good operating condition. In general, our facilities have sufficient capacity and are adequate for our production and distribution requirements.As of December 31, 2025, we own buildings and land for our ten mills. Additionally, we have 91 corrugated manufacturing operations, of which the buildings and land for 56 are owned, including 44 combining operations, or corrugated plants, five corrugated sheet-only manufacturers, and seven sheet plants. We lease the buildings for 12 corrugated plants, two corrugated sheet-only manufacturers, and 21 sheet plants. We own warehouses and miscellaneous other properties, including sales offices and woodlands management offices. We lease space for regional design centers and numerous other distribution centers, warehouses, and facilities. The equipment in these leased facilities is, in virtually all cases, owned by us, except for forklifts and other rolling stock, which are generally leased.We own our corporate headquarters building, which is located in Lake Forest, Illinois. Item 3. LEGAL PROCEEDINGSInformation concerning legal proceedings can be found in Note 20, Commitments, Guarantees, Indemnifications, and Legal Proceedings, of the Notes to Consolidated Financial Statements in “Part II, Item 8. Financial Statements and Supplementary Data” of this Form 10-K.Item 4. MINE SAFETY DISCLOSURENot applicable. Board Roles and ResponsibilitiesThe Audit Committee of the Board of Directors oversees the Company’s cyber risk management program. The Chief Information Officer (CIO) presents frequent updates to the Audit Committee and, as necessary, to the full Board of Directors. These regular reports include detailed updates on the Company’s performance preparing for, preventing, detecting, responding to and recovering from cyber incidents. In addition, we have established processes to notify the Audit Committee of active incidents, as deemed necessary. The Company’s program is periodically evaluated by third-party experts, and the results of those reviews are reported to the Board of Directors.Management Responsibilities The Incident Response Team that we have established as part of our cyber risk management program coordinates the Company’s response to incidents and communicates with internal and external stakeholders. The team includes members of our Senior Leadership and draws upon additional staff, consultants, advisors and service providers as needed. We are continuously focused on ensuring our Company is protected from potential cyber threats. Our Information Technology (IT) team is comprised of employees with a diverse mix of skills, backgrounds, perspectives, and relevant expertise, that undergo extensive training as part of their employment with the Company. We believe these measures together with our cyber risk management program as well as our policies, processes and procedures set a high benchmark for our employees to address and respond to cybersecurity threats.Our IT team regularly monitors best practices and as needed, implements changes to the Company’s cyber risk management program to ensure a robust program is maintained. Aspects of this program include plans and procedures for identifying, communicating and containing security incidents, regular risk assessments and testing of the Company’s internal infrastructure to identify vulnerabilities, procedures for recovering from disruptions to our operations, maintaining global security policies, and comprehensive end user training and cybersecurity drills for personnel.See “Part I, Item 1A. Risk Factors” of this Form 10-K for a discussion of cybersecurity risks. Board Roles and ResponsibilitiesThe Audit Committee of the Board of Directors oversees the Company’s cyber risk management program. The Chief Information Officer (CIO) presents frequent updates to the Audit Committee and, as necessary, to the full Board of Directors. These regular reports include detailed updates on the Company’s performance preparing for, preventing, detecting, responding to and recovering from cyber incidents. In addition, we have established processes to notify the Audit Committee of active incidents, as deemed necessary. The Company’s program is periodically evaluated by third-party experts, and the results of those reviews are reported to the Board of Directors.Management Responsibilities The Incident Response Team that we have established as part of our cyber risk management program coordinates the Company’s response to incidents and communicates with internal and external stakeholders. The team includes members of our Senior Leadership and draws upon additional staff, consultants, advisors and service providers as needed. We are continuously focused on ensuring our Company is protected from potential cyber threats. Our Information Technology (IT) team is comprised of employees with a diverse mix of skills, backgrounds, perspectives, and relevant expertise, that undergo extensive training as part of their employment with the Company. We believe these measures together with our cyber risk management program as well as our policies, processes and procedures set a high benchmark for our employees to address and respond to cybersecurity threats.Our IT team regularly monitors best practices and as needed, implements changes to the Company’s cyber risk management program to ensure a robust program is maintained. Aspects of this program include plans and procedures for identifying, communicating and containing security incidents, regular risk assessments and testing of the Company’s internal infrastructure to identify vulnerabilities, procedures for recovering from disruptions to our operations, maintaining global security policies, and comprehensive end user training and cybersecurity drills for personnel.See “Part I, Item 1A. Risk Factors” of this Form 10-K for a discussion of cybersecurity risks.