UPBOUND GROUP, INC. - (UPBD)

10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity.
We rely heavily on information systems to meet the operational and financial needs of our business. Therefore, we seek to continuously improve our approach to cybersecurity with the goal of ensuring the confidentiality, integrity and availability of our information resources and to reduce the risk of information loss by accidental or intentional modification, disclosure or destruction. We believe we devote appropriate resources to cybersecurity and risk management processes to adapt to the changing cybersecurity landscape and respond to emerging threats in a timely and effective manner.
The Cybersecurity and Privacy team, which maintains our cybersecurity function, reports to our Chief Technology and Digital Officer, who reports directly to our Chief Executive Officer. The Cybersecurity and Privacy team is led by our Chief Information Security Officer (“CISO”), who is responsible for developing and implementing our cybersecurity program and reporting on cybersecurity matters. The CISO and Chief Technology and Digital Officer report to the Audit and Risk Committee on a quarterly basis. Our CISO has been a cybersecurity leader for 20 years, maintains appropriate security certifications, and has extensive experience in building and maintaining cybersecurity risk and compliance programs. The cybersecurity team includes members who also have various levels of cybersecurity experience and maintain relevant cybersecurity certifications. The CISO implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security controls and technologies and ongoing scanning and testing of Company information systems by internal teams as well as third-party organizations to identify potential vulnerabilities. To maintain knowledge of the latest developments in cybersecurity, the evolving threat landscape, and cyber defense techniques, our CISO regularly attends cybersecurity-related conferences and events hosted by cybersecurity experts, subscribes to cybersecurity threat intelligence communications and newsletters, and meets with cybersecurity vendors.
We have strategically integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. We regularly assess the cybersecurity landscape to holistically evaluate the threat of cybersecurity risks and seek to mitigate such risks through a layered cybersecurity strategy based on identification, protection, detection and recovery. Our Enterprise Cybersecurity Policy includes guidance related to encryption standards, antivirus protection, remote access, multi-factor authentication, confidential information and the use of the internet, social media, email and wireless devices. This policy is reviewed for updates annually and approved by appropriate members of management. All coworkers are required to acknowledge review of the policy and complete cybersecurity and privacy awareness training annually. We also provide coworkers with additional cybersecurity training through online offerings, company broadcasts and security awareness events.
In addition to assessing our own cybersecurity preparedness, we also consider and evaluate cybersecurity risks associated with the use of third-party service providers. The cybersecurity program is being enhanced to ensure that critical vendors and other third parties are risk assessed prior to being given access to the Company's information assets and networks. Additionally, processes are currently in place to review existing third-party access to systems that have a material impact on the financial statements of the Company.
The Audit and Risk Committee, a committee of the Company’s Board of Directors, actively participates in discussions with management regarding cybersecurity risks and receives quarterly reports regarding the Company’s cybersecurity program, which includes discussion of management’s actions to identify and detect threats, remedy audit findings, and review enhancements to the Company’s defenses and management’s progress on implementing its cybersecurity strategy. In addition, the Audit and Risk Committee reviews key cybersecurity risks, on a quarterly basis, to help ensure such risks are incorporated into the Company’s Enterprise Risk Management framework. The Audit and Risk Committee also meets quarterly in executive session with the Company's Chief Information Security Officer. To assist with their oversight of the Company's cybersecurity programs and mitigation efforts as they relate to the broader cybersecurity landscape, our Audit and Risk Committee has previously and will continue to attend cybersecurity awareness training events hosted by third-party cybersecurity experts.
In the event of a cybersecurity incident, we have developed and implemented a communication and disclosure framework, which includes processes for escalating communication of the event to members of our internal disclosure committee for assessment of materiality and disclosure, executive management team members, internal and external legal counsel, internal and external audit teams, and other internal stakeholders. Significant cybersecurity events and strategic risk management decisions would be directed to the Audit and Risk Committee for additional comprehensive oversight of the Company’s response measures and public disclosure of the event as appropriate. While we have experienced cybersecurity incidents in the past, none have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition.
Despite our cybersecurity governance program, we cannot assure you that we will be able to effectively prevent, detect or respond to all cybersecurity incidents, which may have a material adverse impact on our reputation and our results of operations.