UNISYS CORP 10-K Cybersecurity GRC - 2025-02-21

Page last updated on February 21, 2025

UNISYS CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-21 16:32:13 EST.

Filings

10-K filed on 2025-02-21

UNISYS CORP filed a 10-K at 2025-02-21 16:32:13 EST
Accession Number: 0000746838-25-000008


Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY

Cybersecurity Risk Management and Strategy

Unisys’ process for assessing, identifying and managing material risks from cybersecurity threats.

Protecting information, including that of our clients, is a top priority. Our overall cybersecurity and privacy strategy is to protect our customers’ information and assets as well as ours to enable agility in the business. We have expertise, dedicated resources and technology to identify, assess, respond to and mitigate material risks from cybersecurity threats.

Our Global Information Security organization (GIS), led by our Chief Information Security Officer (CISO), manages Unisys’ cybersecurity risk identification, detection, assessment, response, mitigation and remediation processes, and interfaces with other departments, including business units, the information technology and legal departments, and enterprise risk management, to facilitate the risk management processes and ensure the policies and procedures established by GIS are integrated into our overall enterprise risk management system. GIS processes also work in tandem with the processes maintained by our Global Privacy Office (GPO). Through our GPO, we deploy functional and business unit-specific approaches to data and privacy compliance, share threat intelligence daily and collaborate closely with the Corporate Information Technology (CIT) organization to build processes and playbooks for cyber-resiliency. Taking into consideration the processes established by GIS and CIT, our GPO has developed a framework of policies, procedures and other initiatives that are implemented across Unisys to help meet data privacy requirements. Our GPO is supported by a network of data protection officers, attorneys and privacy specialists, and manages privacy software that is used across Unisys to facilitate privacy impact assessments. The GPO also records data processing activities, maps data flows, follows evolving privacy regulatory guidance for the countries in which we operate and adjusts standards as necessary.

Our dedicated cybersecurity incident response team, the Security Incident Response Team (SIRT), is comprised of internal resources and an external vendor, a Managed Security Services Provider (MSSP). The MSSP triages and validates true positive events and then communicates them to the internal SIRT team for deeper investigation and response.

Our physical and technological cybersecurity controls include, among other items:

- perimeter and endpoint firewalls, intrusion prevention systems, endpoint detection and response, Attack Surface Management, multi-factor authentication and email protection;
- routine testing of and training on our IT systems, including test phishing emails and awareness training opportunities;
- automation and alerts via embedded tools and procedures to monitor data and notify us of threats or other potential unauthorized occurrences on or conducted through our systems;
- multiple mechanisms by which employees can report cybersecurity and data privacy concerns, including a “Report Phish” button in the email application;
- a vulnerability management program designed to protect our external and internal networks and critical assets;
- bug bounty capability, enabling ethical hackers to simulate real-world attacks to identify and report vulnerabilities;
- secure coding and development; and
- security and operations framework and tools.

We design and assess our cybersecurity policies, standards and practices following recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards.

We have established written policies that are provided to all associates regarding identification, classification of severity and escalation of cybersecurity incidents, and we provide annual and ongoing cybersecurity awareness training for our associates, including regular training on information security and data privacy policies. We also perform internal audits on our cybersecurity and data privacy practices. We regularly engage third-party cybersecurity experts to supplement our cybersecurity risk management efforts, including those we engage to conduct periodic cybersecurity risk assessments. During 2024, Unisys engaged an external security firm to conduct several cybersecurity tabletop exercises. Additionally, we worked with an audit firm and directed several audits related to cybersecurity.

Unisys recognizes the importance of overseeing and identifying material risks from cybersecurity threats associated with our use of third-party service providers. We have a Third Party Risk Management (TPRM) program, which is integrated into our procurement process and involves cybersecurity risk oversight and identification components. Our TPRM program includes policies and standards requiring that we perform cybersecurity due diligence reviews on our vendors based on the risk profile of a particular supplier or service provider or the service they provide. We also monitor certain of our principal suppliers and service providers on an ongoing basis by using an outside-in, hacker perspective of a company’s cybersecurity posture through an external service provider.

Whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect Unisys, including its business strategy, results of operations, or financial condition and, if so, how.

The information set forth under “Risk Factors” (Part I, Item 1A of this Form 10-K) - “We have been and could be vulnerable to disruption in our IT systems, cyber incidents, security breaches and loss of data (associate and client) that have occurred, and may continue to occur, and have resulted in and could continue to result in the incurrence of significant costs and harm to our business and reputation.” - on page 15 of this Annual Report on Form 10-K is hereby incorporated by reference. As of December 31, 2024, our financial condition, results of operations or business strategy have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents.

Cybersecurity Governance

Board Oversight of Risks from Cybersecurity Threats

Cybersecurity risk oversight continues to remain a top priority for the Board of Directors. The Board of Directors is responsible for oversight of Unisys’ information security program, including compliance and risk management, and the review of cybersecurity risks. The Security and Risk Committee (S&RC), a Board committee comprised entirely of independent directors, assists the Board of Directors in these oversight responsibilities. Additionally, the Audit and Finance Committee has general oversight over Unisys’ cybersecurity as it relates to responsibility for Unisys’ internal audit function, including cybersecurity practices, compliance with legal and regulatory requirements, and internal control over financial reporting.

The S&RC’s responsibilities include monitoring Unisys’ enterprise risk profile and its ongoing and potential exposure to risks of various types, and reviewing crisis preparedness; incident response plans; summaries of any incidents or activities; and reports or presentations from management or advisors, including third-party experts, regarding the management of the enterprise risk program. The S&RC periodically meets with the CISO and Chief Privacy Officer (CPO) and briefs the full Board of Directors on cybersecurity matters. Our S&RC chair has previously served in the role of Chief Information Officer at two large companies for over 15 years. Other members of the S&RC have extensive years of executive and operational leadership experience at several global technology and telecommunications companies.

Management’s Role in Assessing and Managing the Company’s Material Risks from Cybersecurity Threats.

The Disclosure Committee, a senior executive leadership committee, assists in fulfilling our obligations to maintain disclosure controls and procedures and oversees the process of preparing our periodic securities filings with the Securities and Exchange Commission. Cybersecurity incidents, based on their severity, are escalated to the Disclosure Committee by the SIRT. The Disclosure Committee is comprised of the Chief Executive Officer, Chief Operating Officer, Chief Financial Officer, General Counsel, Chief Compliance Officer and Chief Accounting Officer. The Disclosure Committee meets on a quarterly basis and more often if necessary, and invites subject matter experts to meetings as appropriate. We have policies and procedures in place designed to provide appropriate information about any matters to our Disclosure Committee that should be considered in advance of applicable public filings, including cybersecurity matters, and to address the proper handling and escalation of information to management and the Board of Directors or a committee of the Board of Directors.

In addition to the oversight by the Board of Directors, members of our management are responsible for assessing and managing material cybersecurity risks. Our CISO has over 34 years of experience in cybersecurity, applications, infrastructure and networks in information security. Our CPO has over 8 years of experience serving as a Global Data Privacy Officer and practicing law specializing in data privacy, among other areas. Our Chief Information Officer (CIO) has over 20 years at Unisys with experience and knowledge of IT infrastructure, systems and operations. At Unisys, the CIO partners with our CISO and CPO on cybersecurity risk management matters.


Company Information

Name: UNISYS CORP
CIK: 0000746838
SIC Description: Services-Computer Integrated Systems Design
Ticker: UIS - NYSE
Website:
Category: Accelerated filer
Fiscal Year End: December 30