UNITEDHEALTH GROUP INC - (UNH)

10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY
UnitedHealth Group manages cybersecurity and data protection through a continuously evolving framework. The framework allows us to identify, assess and mitigate the risks we face, and assists us in establishing policies and safeguards to protect our systems and the information of those we serve.
Our cybersecurity program is managed by our Chief Digital and Technology Officer and Chief Information Security Officer. The Audit and Finance Committee of the Board of Directors has oversight of our cybersecurity program and is responsible for reviewing and assessing the Company’s cybersecurity and data protection policies, procedures and resource commitment, including key risk areas and mitigation strategies. As part of this process, the Audit and Finance Committee receives regular updates from the Chief Digital and Technology Officer and Chief Information Security Officer on critical issues related to our information security risks, cybersecurity strategy, supplier risk and business continuity capabilities.
The Company’s framework includes an incident management and response program that continuously monitors the Company’s information systems for vulnerabilities, threats and incidents; manages and takes action to contain incidents that occur; remediates vulnerabilities; and communicates the details of threats and incidents to management, including the Chief Digital and Technology Officer and Chief Information Security Officer, as deemed necessary or appropriate. Pursuant to the Company’s incident response plan, incidents are reported to the Audit and Finance Committee, appropriate government agencies and other authorities, as deemed necessary or appropriate, considering the actual or potential impact, significance and scope.
We work to require our third-party partners and contractors to handle data in accordance with our data privacy and information security requirements and applicable laws. We regularly engage with our suppliers, partners, contractors, service providers and internal development teams to identify and remediate vulnerabilities in a timely manner and monitor system upgrades to mitigate future risk, and ensure they employ appropriate and effective controls and continuity plans for their systems and operations.
To ensure that our program is designed and operating effectively, our infrastructure and information systems are audited periodically by internal and external auditors. We have obtained various certifications from industry-recognized certifying organizations as a result of certain external audits. We also perform regular vulnerability assessments and penetration tests to improve system security and address emerging security threats. Our internal audit team independently assesses security controls against our enterprise policies to evaluate compliance and leverages a combination of auditing and security frameworks to evaluate how leading practices are applied throughout our enterprise. Audit results and remediation progress are reported to and monitored by senior management and the Audit and Finance Committee. We also periodically partner with industry-leading cybersecurity firms to assess our cybersecurity program. These assessments complement our other assessment work by evaluating our cybersecurity program as a whole.
We complete an enterprise information risk assessment as part of our overall enterprise information security risk management assessment, which is overseen by our Chief Information Security Officer. This risk assessment is a review of internal and external threats that evaluates changes to the information risk landscape to inform the investments and program enhancements to be made in the future to rapidly respond to and recover from potential attacks, including rebuild and recovery protocols for key systems. We evaluate our enterprise information security risk to ensure that we address any unexpected or unforeseen changes in the risk environment or our systems and that the resulting impacts are communicated to the Company’s overall enterprise risk management program.
We believe our Chief Digital and Technology Officer and Chief Information Security Officer have the appropriate knowledge and expertise to effectively manage our cybersecurity program. The Chief Digital and Technology Officer has experience leading enterprise digital transformation efforts for a large multinational corporation and held several leadership and growth positions at a global technology consulting and services firm before joining UnitedHealth Group. Our Chief Information Security Officer has experience leading a global digital portfolio for a large multinational corporation and held key leadership roles for a large technology and software company, including overseeing information security, before joining UnitedHealth Group.
As of December 31, 2023, the Company has not identified any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition, but there can be no assurance that any such risk will not materially affect the Company in the future. For further information about the cybersecurity risks we face, and potential impacts, see Part I, Item 1A, “Risk Factors.”
On February 22, 2024, we disclosed the occurrence of a cybersecurity incident. We continue to investigate the extent of the incident, which we believe was committed by cybercrime threat actors. As of the date of this report, we have not determined the incident is reasonably likely to materially impact our financial condition or results of operations.