Unity Software Inc. - (U)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
We are committed to our privacy and security programs, and our security team strives to protect our customer and employee data from cybersecurity risks. From time to time, and at least annually, we review and update if necessary our privacy standards and policies in response to evolving regulatory requirements and internal Unity requirements. Unity personnel are provided annual privacy training, with additional targeted training for key participants in our privacy program. We have procedures in place to
37

Unity Software Inc.
address suspected personal-data breaches and notify users determined to be affected and applicable regulator of a breach where we are legally required to do so.
We have a security policy which outlines mandatory security requirements for all of our employees, contractors or other agents. This policy is supported by internal standards, directives and procedures. The security program includes implementation of software security throughout the development life cycle, vulnerability and configuration management software across certain data infrastructure, products and services. Our risk management process includes employee education and annual analysis of risks from across the company, which are then prioritized for remediation. Our approach to cybersecurity is integrated into our overall company-wide approach to risk management, including that our management team, including our Chief Security Officer and Data Privacy Officer, evaluates material risks from cybersecurity threats against our overall business objectives and regularly reports to both the Audit Committee of our board of directors and to our internal audit function which evaluates our overall enterprise risk.
We engage third party services in connection with our processes for vendor security reviews and incidents. We are continuing to develop our processes to oversee and identify the risks from cybersecurity threats associated with our use of any third-party service provider.
Because our business involves the collection, use, storage, and transmission of personal information, we are subject to numerous federal, state, local, and foreign laws, regulations, and other obligations relating to privacy and data security. Countries around the world have adopted or are proposing similar laws and regulations relating to privacy and data security, and we may become subject to them as we expand our operations into new geographic markets.
Our Chief Security Officer and Data Privacy Officer oversee our assessment, prevention, detection and management of cybersecurity risks, and report to our executive team, including our Chief Information Officer, Chief Financial Officer and Chief Legal Officer. Collectively, they have expertise in cybersecurity, privacy law and regulation, and governance, and their teams comprise personnel with a broad range of experience across the private and public sectors, the technology industry, and in different geographic regions. Our Chief Security Officer Security has over 25 years of experience in multiple business verticals and has led security organizations and managed global practices for Fortune 500 technology companies. He became our Chief Security Officer earlier this year after previously serving in that role at ironSource, prior to its merger with us.
Our security team follows an incident response process which we are continuing to evaluate and enhance. Pursuant to this process, incidents which may result in economic loss to the company, reputational harm or require notifications to individuals and government authorities are reported to our executive team as they are occurring. Our Chief Security Officer also provides a quarterly summary of investigations given to an executive data council, and our Data Privacy Officer reports on our compliance posture with respect to new and pending laws and regulations.
The Audit Committee of our board of directors is responsible for overseeing our cybersecurity risk management processes, including oversight of mitigation of risks from cybersecurity threats. Additionally, the Audit Committee of our board of directors meets on a quarterly basis with our Chief Security Officer about our cybersecurity risk management and strategy, including any significant investigations, and biannually with our Data Privacy Officer about our privacy program.
In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. Despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced undetected cybersecurity incidents. Refer to "Item 1A. Risk Factors" for a description of the risks from cybersecurity threats that may materially affect the Company, including the risk factor titled, "If we or our third-party service providers experience a security breach or unauthorized parties otherwise obtain access to our customers' data, our data, or our platform, our platform may be perceived as not secure, our reputation may be harmed, our business operations may be disrupted, demand for our solutions may be reduced, and we may incur significant liabilities".
38

Unity Software Inc.