Our Code of Conduct, along with internal policies, standards, and guidelines, governs our activities and ensures our daily work is conducted in a manner consistent with our values. In particular, PMI’s global policy on data privacy sets a standard for privacy, governance and accountability.
PMI’s Global Privacy Program (GPP) sets data privacy standards across markets and functions. It governs the collection, processing, and sharing of personal data by PMI affiliates. PMI also has a Cybersecurity Risk Program (CRP) to enhance its ability to identify, prevent, mitigate, respond, and recover from disruptive cybersecurity threats and incidents and to reduce cybersecurity risk exposure. The CRP includes the requirement to conduct third-party cyber risk assessments.
Our privacy team regularly reports to PMI’s Corporate Risk Governance Committee and relevant Board committees on the business’s adherence to the GPP. The Information Security team similarly reports to these committees on a more frequent basis regarding cyber risks and protection measures.
The GPP and CRP are subject to regular external reviews against industry practice and applicable legislation.
We use information systems to help manage business processes and collect and interpret data. We also use these systems to communicate internally and externally with employees, suppliers, consumers, and customers. Specialist third-party service providers manage some of our information systems, and we work with internal and external specialists to protect systems and data from unauthorized access.We use an array of security solutions to help prevent, detect, and respond to events.
Employees and contractors play a fundamental role in protecting data. By being aware of legal obligations and potential threats, our community can help keep PMI secure. In 2025, we continued to train our workforce in data protection principles and information security. We complement ourtraining with regular awareness campaigns, tabletop exercises, and simulated phishing campaigns addressed to our entire workforce, with access to IT equipment to help everyone practice recognizing and reporting phishing attempts and to identify weaknesses in advance of any real attempts the business might face.
We also maintain a hub of resources on data privacy and information security awareness, accessible to all employees and contractors. The Code of Conduct, and relevant security requirements, are made available publicly. In addition to detailing good security practices to protect user accounts and data from cyber risk, these resources help our team remain vigilant of the indirect risks that can arise from activities such as online shopping or connecting to wireless networks.
We continue to make investments in administrative, technical, and physical safeguards, including continuity planning, to increase the resilience of our core processes and maintain information security protections in line with industry standards. We evaluate the adequacy of these preventative actions to reduce security incidents on an ongoing basis. In addition, PMI’s CRP and GPP support the management of cyber risks, protect PMI’s data, and safeguard the privacy of consumers and customers.
This online content about our Value Report should be read in conjunction with PMI’s Value Report 2025. This report includes metrics that are subject to uncertainties due to inherent limitations in the nature and methods for data collection and measurement. The precision of different collection and measurement techniques may also vary. This report includes data or information obtained from external sources or third parties. Unless otherwise indicated, the data contained herein cover our operations worldwide for the full calendar year 2025 or reflect the status as of December 31, 2025. Where not specified, data comes from PMI financials, nonfinancials, or estimates.
Unless explicitly stated, the data, information, and aspirations in this report do not incorporate PMI’s Wellness unit, Aspeya. Regarding the Swedish Match acquisition, completed late 2022, unless otherwise indicated, this report includes information pertaining to its sustainability performance. Please also refer to "About this report" on page 3 of the PMI’s Value Report 2025 for more information. Aspirational targets and goals do not constitute financial projections, and achievement of future results is subject to risks, uncertainties and inaccurate assumptions, as outlined in our forward-looking and cautionary statements on page 142. In PMI’s Value Report 2025 and in related communications, the terms “materiality,” “material,” and similar terms are defined in the referenced sustainability standards and are not meant to correspond to the concept of materiality under the U.S. securities laws and/or disclosures required by the U.S. Securities and Exchange Commission.
Related stories
Business ethics and integrity
We conduct business ethically and with integrity. At PMI, business ethics means acting with integrity and following our ethical principles of honesty, respect, and fairness when making decisions, so we can be proud of working at PMI.
Fair fiscal practices
To achieve the common goal of a safe, functional, and prosperous society, governments worldwide must have the financial resources to fund public goods, services, and infrastructure.
Conduct R&D responsibly and transparently
World-class scientific research and development powers PMI’s delivery of a smoke-free future.