Cybersecurity and Data Privacy

We apply best practice cybersecurity and data privacy protocols throughout PPG.

Our cybersecurity program is designed to protect and preserve the confidentiality, integrity and continuity of our networks, systems and information. We implement physical, organizational and technological safeguards to protect information about our customers, employees and suppliers. Our policies are designed to prevent unauthorized access and disclosure of personal information and other data using a range of operational and technological safeguards. Our employees receive comprehensive training on data privacy concepts to prevent misuse of personal and sensitive information.

For cybersecurity, AI and data privacy, we follow the U.S. National Institute of Standards and Technology (NIST) and other applicable industry frameworks.

Reducing emissions from data centers

Data centers are important enablers of PPG's operations, as they allow for the electronic storage, processing and dissemination of data and applications. Physical data centers are energy intensive as they rely on continuous and reliable electricity. In 2025, as part of our continued efforts to reduce energy use across the company, we completed a multi-year initiative to transition our data and applications to hyperscale cloud providers. These cloud providers are more than three times as energy efficient when compared with our internally managed physical data centers.

As of the end of 2025, 100% of our IT operations are managed through the cloud. All physical data centers have been shut down, which reduced our annual energy consumption by an estimated 1,642 MWh. This transition also reduced our greenhouse gas emissions by 829 metric tons of CO2 equivalent, comparable to 193 gasoline-powered passenger vehicles driven for one year.

Cybersecurity and data privacy program improvements

We have significantly increased cybersecurity investments in recent years and have implemented safeguards designed to detect and prevent cybersecurity events. We regularly assess and measure our program against industry practices to identify opportunities to improve the people, processes and technology used to identify, prevent, detect, respond to and recover from cybersecurity incidents.

We continue to invest in strengthening our training and incident preparedness across the business. PPG employees engage in ongoing cybersecurity awareness and training activities, including frequent phishing testing and training on detecting impersonations through social media and email channels. We have placed an increased emphasis on training and prevention of phishing scams as attackers have become more sophisticated, and perform control testing in nine different languages across the company. We have local incident response groups in place across PPG to continue to drive improvements. These groups are responsible for assessing risk specific to their area of the business, preparing response plans and responding to any incidents to minimize their impact.

Our Global Data Privacy Council oversees all data privacy compliance activities. Members of the council represent key stakeholders from departments handling personal information or supporting relevant systems and processes. The council has a core focus on monitoring ongoing data privacy legislation to ensure PPG is positioned to adapt to evolving requirements. For example, in 2025 we strengthened our compliance position in mainland China by completing a mandatory data protection compliance audit. This audit covered all aspects of the data privacy program, including data collection, user consent, sensitive personal information processing, automated decision-making, personal data sharing and international data transfers. We continue to act on the results of the audit to improve information security in the region.

The company is increasingly focused on developing governance structures to oversee and manage risks related to Artificial Intelligence (AI). In 2025, we adopted an internal AI Policy that defines acceptable and prohibited uses of AI and outlines the obligations of PPG employees related to the use, development and implementation of AI models and applications. The policy lays out a set of guiding principles and action plans, including establishing an AI Governance Council responsible for:

  • Setting governance standards and processes for evaluating and approving proposals for new AI use cases and projects.
  • Creating assurance processes aimed at ensuring that approved AI use cases comply with the AI policy.
  • Defining and proposing modifications to improve the AI policy.
  • Maintaining a list accessible by all PPG personnel of allowed and prohibited AI uses, tools, systems and applications.
  • Maintaining a list of all designated owners of AI tools and systems.

Progress in addressing cybersecurity and data privacy issues is crucial for maintaining trust with PPG’s stakeholders. We will continue to review and update our policies, procedures and governance structures, as needed, to keep pace with the rapidly evolving technology and risk landscape.

Learn more about our approach to cybersecurity and data privacy, including elements of our cybersecurity program and governance, at the bottom of this web page.

Learn more, access our Global Data Privacy Statement and contact us at our privacy website.

Our approach to cybersecurity and data privacy