XML 51 R31.htm IDEA: XBRL DOCUMENT v3.25.3
Cybersecurity Risk Management and Strategy Disclosure
 12 Months Ended
Sep. 30, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Cybersecurity Program
Our cybersecurity program includes, among other things:
ongoing monitoring of systems for security threats at a base level
an internal team that focuses on higher level threats and conducts threat hunting activities
monitoring of the cyber threat landscape using a variety of sources, including engagement with domestic and international governmental security agencies, and industry groups
periodic engagement of third parties to test for vulnerabilities in our information technology systems, assess cybersecurity risk levels, and assess our cybersecurity policies and framework
compliance audits of our information technology processes by our internal audit team, which also monitors the progress of any remediation activities
employee training to raise awareness of cyber risks and behaviors that increase vulnerabilities
periodic exercises to test information technology security protocols
periodic exercises to test information security protocols to enhance crises management readiness and business continuity capabilities
systems and processes designed to assess, oversee, identify, and reduce the potential impact of a security incident at a third-party vendor, service provider or customer or otherwise implicating the third-party technology and systems we use
overseeing alignment with customer cybersecurity requirements
a Cybersecurity Incident Reporting process
Cybersecurity Incident Reporting Process (“CIR Process”)
Our CIR Process is a formalized approach following the NIST framework for evaluating cybersecurity incidents and prioritizing response efforts based on established criteria. The key components of the CIR Process include:
Cybersecurity incident prioritization
Timelines and communications protocols, including establishing reporting thresholds pursuant to which incidents are escalated within the Company, and, where appropriate, reported promptly to the Cyber Review Committee, the Audit Committee Chairman, the Chief Executive Officer and Chief Financial Officer, and the Board of Directors
Procedures related to our Cyber Review Committee described below
A formalized methodology for evaluating the impact of cybersecurity incidents
The Cyber Review Committee (“Cyber Committee”) is a sub-committee of our Disclosure Committee comprised of our Chief Accounting Officer; Senior Vice President of Information Technology and Engineering; CISO; general counsels; Vice President – Investor Relations; Director – Risk Management & Insurance; and Vice President – Global Security & Administration. Pursuant to the CIR Process, cybersecurity incidents classified as high priority are reported to the Cyber Committee. The Cyber Committee’s responsibilities include:
providing feedback and direction to our information technology teams on incident investigations
coordinating other departments, consultants, and advisors as needed
communicating with our executive officer team, Disclosure Committee, independent auditor, and the Chair of the Audit Committee
initiating the materiality determination methodology and assessing materiality of incidents (quantitative and qualitative)
based on materiality analysis, making a recommendation to the Chief Executive Officer and Chief Financial Officer that an incident should be deemed material
Material Cybersecurity Risks and Threats
Risks from cybersecurity threats, including any previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations or financial condition, and we do not believe that such risks are reasonably likely to have such an effect over the long term. While we have not experienced any material cybersecurity threats or incidents, there can be no guarantee that we will not be the subject of future successful attacks, threats or incidents. Additional information on cybersecurity risks we face can be found in Item 1A—Risk Factors of this Report under the heading “Our business is subject to cybersecurity and information technology system disruption risks,” which should be read in conjunction with the foregoing information.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
Our cybersecurity program includes, among other things:
ongoing monitoring of systems for security threats at a base level
an internal team that focuses on higher level threats and conducts threat hunting activities
monitoring of the cyber threat landscape using a variety of sources, including engagement with domestic and international governmental security agencies, and industry groups
periodic engagement of third parties to test for vulnerabilities in our information technology systems, assess cybersecurity risk levels, and assess our cybersecurity policies and framework
compliance audits of our information technology processes by our internal audit team, which also monitors the progress of any remediation activities
employee training to raise awareness of cyber risks and behaviors that increase vulnerabilities
periodic exercises to test information technology security protocols
periodic exercises to test information security protocols to enhance crises management readiness and business continuity capabilities
systems and processes designed to assess, oversee, identify, and reduce the potential impact of a security incident at a third-party vendor, service provider or customer or otherwise implicating the third-party technology and systems we use
overseeing alignment with customer cybersecurity requirements
a Cybersecurity Incident Reporting process
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
Our Board of Directors (“Board”) and its committees oversee the risk management functions of the Company. Our Audit Committee plays a significant role in oversight of risks, including cybersecurity. At least quarterly, the Audit Committee receives an update on cybersecurity matters from the Company’s Senior Vice President of Information Technologies and Engineering and our Vice President & Global Chief Information Security Officer (“CISO”). These updates address a broad spectrum of cybersecurity topics including recent developments, evolving technology practices, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, cybersecurity considerations arising with respect to the Company’s third-party service providers, and other cybersecurity considerations. Our Vice President of Internal Audit also updates the Audit Committee at least quarterly on internal audit matters, including those related to information technology and security. Additionally, the Company’s Cybersecurity Incident Reporting process (described below), provides that potentially significant cybersecurity incidents be promptly reported to the Chairman of the Audit Committee, who will also receive ongoing updates regarding any such incident as appropriate. Cybersecurity incidents determined to be material are reported to the Board of Directors promptly following such determination.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The CISO reports directly to our Senior Vice President of Information Technology and Engineering, who provides oversight of cybersecurity, risk, mitigation strategies, and governance.
Our CISO oversees an internal cross-functional information technology governance, risk, and compliance team that actively maintains a register of risks and mitigation measures under the umbrella of our enterprise risk management program. Our enterprise risk management program is designed to identify and monitor risks to the Company, assess the Company’s risk mitigation plans, and consult on further measures that can be taken to address new and existing risks. Our Enterprise Risk Management Committee, which meets quarterly, is comprised of our executive officers, Senior Vice President of Information Technologies and Engineering, CISO, Chief Accounting Officer, Vice President of Internal Audit, Corporate Secretary, and Director – Risk Management & Insurance. Our Risk Management and Insurance Department is responsible for the implementation of our enterprise risk management program and maintains a register of risks and initiates reviews and assessments. The Director of Risk Management and Insurance reports to the Audit Committee and full Board on a quarterly basis.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
Our Board of Directors (“Board”) and its committees oversee the risk management functions of the Company. Our Audit Committee plays a significant role in oversight of risks, including cybersecurity. At least quarterly, the Audit Committee receives an update on cybersecurity matters from the Company’s Senior Vice President of Information Technologies and Engineering and our Vice President & Global Chief Information Security Officer (“CISO”). These updates address a broad spectrum of cybersecurity topics including recent developments, evolving technology practices, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, cybersecurity considerations arising with respect to the Company’s third-party service providers, and other cybersecurity considerations. Our Vice President of Internal Audit also updates the Audit Committee at least quarterly on internal audit matters, including those related to information technology and security. Additionally, the Company’s Cybersecurity Incident Reporting process (described below), provides that potentially significant cybersecurity incidents be promptly reported to the Chairman of the Audit Committee, who will also receive ongoing updates regarding any such incident as appropriate. Cybersecurity incidents determined to be material are reported to the Board of Directors promptly following such determination.
Cybersecurity Risk Role of Management [Text Block]
Our Board of Directors (“Board”) and its committees oversee the risk management functions of the Company. Our Audit Committee plays a significant role in oversight of risks, including cybersecurity. At least quarterly, the Audit Committee receives an update on cybersecurity matters from the Company’s Senior Vice President of Information Technologies and Engineering and our Vice President & Global Chief Information Security Officer (“CISO”). These updates address a broad spectrum of cybersecurity topics including recent developments, evolving technology practices, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, cybersecurity considerations arising with respect to the Company’s third-party service providers, and other cybersecurity considerations. Our Vice President of Internal Audit also updates the Audit Committee at least quarterly on internal audit matters, including those related to information technology and security. Additionally, the Company’s Cybersecurity Incident Reporting process (described below), provides that potentially significant cybersecurity incidents be promptly reported to the Chairman of the Audit Committee, who will also receive ongoing updates regarding any such incident as appropriate. Cybersecurity incidents determined to be material are reported to the Board of Directors promptly following such determination.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The CISO reports directly to our Senior Vice President of Information Technology and Engineering, who provides oversight of cybersecurity, risk, mitigation strategies, and governance.
Our CISO oversees an internal cross-functional information technology governance, risk, and compliance team that actively maintains a register of risks and mitigation measures under the umbrella of our enterprise risk management program. Our enterprise risk management program is designed to identify and monitor risks to the Company, assess the Company’s risk mitigation plans, and consult on further measures that can be taken to address new and existing risks. Our Enterprise Risk Management Committee, which meets quarterly, is comprised of our executive officers, Senior Vice President of Information Technologies and Engineering, CISO, Chief Accounting Officer, Vice President of Internal Audit, Corporate Secretary, and Director – Risk Management & Insurance. Our Risk Management and Insurance Department is responsible for the implementation of our enterprise risk management program and maintains a register of risks and initiates reviews and assessments. The Director of Risk Management and Insurance reports to the Audit Committee and full Board on a quarterly basis.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our CISO has over 20 years of experience in information security and global compliance. The CISO reports directly to our Senior Vice President of Information Technology and Engineering, who provides oversight of cybersecurity, risk, mitigation strategies, and governance.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] At least quarterly, the Audit Committee receives an update on cybersecurity matters from the Company’s Senior Vice President of Information Technologies and Engineering and our Vice President & Global Chief Information Security Officer (“CISO”). These updates address a broad spectrum of cybersecurity topics including recent developments, evolving technology practices, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, cybersecurity considerations arising with respect to the Company’s third-party service providers, and other cybersecurity considerations. Our Vice President of Internal Audit also updates the Audit Committee at least quarterly on internal audit matters, including those related to information technology and security. Additionally, the Company’s Cybersecurity Incident Reporting process (described below), provides that potentially significant cybersecurity incidents be promptly reported to the Chairman of the Audit Committee, who will also receive ongoing updates regarding any such incident as appropriate. Cybersecurity incidents determined to be material are reported to the Board of Directors promptly following such determination.
Management
Our CISO has over 20 years of experience in information security and global compliance. The CISO reports directly to our Senior Vice President of Information Technology and Engineering, who provides oversight of cybersecurity, risk, mitigation strategies, and governance.
Our CISO oversees an internal cross-functional information technology governance, risk, and compliance team that actively maintains a register of risks and mitigation measures under the umbrella of our enterprise risk management program. Our enterprise risk management program is designed to identify and monitor risks to the Company, assess the Company’s risk mitigation plans, and consult on further measures that can be taken to address new and existing risks. Our Enterprise Risk Management Committee, which meets quarterly, is comprised of our executive officers, Senior Vice President of Information Technologies and Engineering, CISO, Chief Accounting Officer, Vice President of Internal Audit, Corporate Secretary, and Director – Risk Management & Insurance. Our Risk Management and Insurance Department is responsible for the implementation of our enterprise risk management program and maintains a register of risks and initiates reviews and assessments. The Director of Risk Management and Insurance reports to the Audit Committee and full Board on a quarterly basis.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true