UNIVERSAL CORP /VA/ 10-K Cybersecurity GRC - 2024-05-29

Page last updated on July 16, 2024

UNIVERSAL CORP /VA/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-29 12:00:25 EDT.

Filings

10-K filed on 2024-05-29

UNIVERSAL CORP /VA/ filed a 10-K at 2024-05-29 12:00:25 EDT
Accession Number: 0000102037-24-000014

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy Cybersecurity risks are considered within our broader enterprise risk management (“ERM”) framework as part of our overall risk assessment process. We maintain a comprehensive Information Security Program and controls that are designed to assess, identify, manage, contain, and recover from material cybersecurity risks. The Information Security Program is also designed to identify emerging cybersecurity and information security risks and apply safeguards to the Company, our assets, customer, and employee data. The Information Security Program also addresses cybersecurity risks associated with our use of third-party service providers through systems and processes that are designed to assess, identify, and reduce the potential likelihood and impact of a cybersecurity incident at our third-party service providers. The Information Security Program is based on Center for Internet Security (“CIS”) Controls, a cybersecurity framework that is acknowledged worldwide and is designed to comply with applicable laws and guidelines. We also have adopted a cybersecurity incident response and recovery plan to enable us to properly respond to cybersecurity incidents that may affect the function and security of the Company, our IT assets, customer and employee data, information resources, and business operations. We have adopted cyber and data security policies, which address matters including user access, incident response, third-party compliance, personal devices, and data privacy. These policies are reviewed 18 annually, including by our independent auditor. We also maintain insurance covering certain costs that may be incurred in connection with cybersecurity incidents, should they occur. Our Information Security Program is further supported by regular educational and awareness training for employees. The training includes an annual assessment, focused on security, appropriate use, incident reporting, and social engineering, as well as multiple courses per year on global security trends and emerging risks. We also provide employees with educational materials about emerging cybersecurity threats and update employees when our information security policies are amended. We regularly evaluate our Information Security Program based on software vendor assessments and reports, insurance underwriter evaluations, and internal and external audits, including, without limitation, customer audits. We also periodically engage third parties to review the effectiveness of its Information Security Program. To date, these engagements have included third-party penetration testing, risk identification, and a Fiscal Year 2023 comprehensive evaluation of the maturity of our Information Security Program. Management has determined that no cybersecurity incidents that we have experienced to date have resulted in, or are reasonably likely to result in, a material impact to its financial condition, results of operations, or business strategy. For additional information on risks from cybersecurity threats and potential related impacts on the Company, please see Item 1A - Risk Factors. Cybersecurity Governance Board Oversight The Board of Directors is ultimately responsible for our Information Security Program, and it has delegated to the Audit Committee primary oversight responsibility for this program. The Audit Committee periodically reviews the program and information security, cybersecurity, and technology risks. At least quarterly, the Audit Committee reviews and discusses with management and our senior information officers the Information Security Program, including the structure and function of the program and any enhancements made to the program as a result of third-party reviews or an identified security risk. The Audit Committee regularly briefs the Board on these discussions. In addition, our Incident Response Policy outlines procedures pursuant to which cybersecurity incidents or risks are escalated within the Company, and, as applicable, timely reported to the Audit Committee and Board. Management Oversight The Information Security Program is overseen by our Information Security Steering Team, which provides cross-functional program oversight and maintenance and includes members from the Information Technology, Internal Audit, Legal, and Risk Management Departments. This team is also responsible for developing, implementing, and maintaining our information security policies and procedures. Our Chief Information Officer and Corporate Director of Information Technology Security, in coordination with our Information Technology Department and other appropriate personnel, are responsible for assessing and managing our risks from cybersecurity threats. The Chief Information Officer has served in various roles in information technology and information security for over 25 years, has been in his current role for more than 10 years, and holds a degree in Computer Science. The Corporate Director of Information Technology Security has served in various roles in information technology and information security for over 30 years, has been in his current role for more than 15 years, and has been trained in multiple cybersecurity subjects. A third-party security operations center, which is in operation at all times, is responsible for monitoring all logs, events, and alerts from our Endpoint Detection & Response (“EDR”) platforms and cloud deployed services. This third-party also quarantines any systems displaying suspicious behavior for automatic or approved remediation. Our Information Technology Department maintains regular oversight of this third-party’s actions through the monitoring of alerts displayed on the third-party’s threat management dashboard to identify and respond to any irregularities that could be associated with threats. Significant threats are promptly reported to our Information Security Steering Team, who will assess the respective threat, with the help of external advisers as necessary, and initiate a plan to address it. The Information Security Steering Team will advise the General Counsel and Audit Committee of the threat as well as other third parties or authorities who are required to be notified pursuant to applicable law or contract. 19

Company Information