UNISYS CORP - (UIS)

10-K Filing Date: February 26, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
Unisys’ process for assessing, identifying and managing material risks from cybersecurity threats.
Protecting information, including information of our clients, is a top priority. We have expertise, dedicated resources and technology to identify, assess, respond to and mitigate material risks from cybersecurity threats. Our Global Information Security organization (GIS), led by our Chief Information Security Officer (CISO), establishes and maintains our company-wide information security management program and provides guidance for information security activities and controls at Unisys. Through our GIS, we:
establish and maintain corporate information security policies and procedures for identifying, assessing and addressing cybersecurity events;
track and analyze data as it moves through the information systems;
analyze the overall cybersecurity risk to information and systems (including the physical security and cybersecurity);
remediate known cybersecurity vulnerabilities; and
follow evolving information security regulatory guidance for countries in which we operate and adjust internal policies, processes and remediation actions, as necessary.
Our process for integrating cybersecurity risk management into our overall risk management system
Our overall cybersecurity and privacy strategy is to protect and enable the business. We aim to protect our own and our customers’ information and assets in a way that enables agility in the business. Our GIS manages Unisys’ cybersecurity risk identification, assessment, response, remediation and mitigation processes, and interfaces with other departments, including business units, the information technology department and enterprise risk management, to facilitate the risk processes and ensure the policies and procedures established by the GIS are integrated into our overall enterprise risk management system. The GIS’s processes also work in tandem with the processes maintained by our Global Privacy Office (GPO). Through our GPO, we deploy functional and business unit-specific approaches to data and privacy compliance. Taking into consideration the processes established by the GIS, our GPO has developed a framework of policies, procedures and other initiatives that are implemented across Unisys to help meet data privacy requirements.
Our GPO:
is supported by a network of data protection officers, attorneys and privacy specialists across Unisys;
manages privacy management software that is used across Unisys to facilitate privacy impact assessments, record data processing activities and map data flows; and
follows evolving privacy regulatory guidance for countries in which it operates and adjusts standards, as necessary.
We have also adopted physical, technological and administrative cybersecurity controls including, among other items:
a dedicated cybersecurity incident response team, the Security Incident Response Team (SIRT), which is comprised of internal resources and an external vendor, a Managed Security Services Provider (MSSP). The MSSP triages events based on a combination of predetermined rules. When the MSSP has validated an event as a true positive, it is communicated to the internal SIRT team for deeper investigation and response;
a written policy provided to all associates regarding identification, classification of severity and escalation of cybersecurity incidents;
perimeter and endpoint firewalls, intrusion prevention systems, endpoint detection and response, Attack Surface Management, multi-factor authentication and email protection;
annual and ongoing cybersecurity awareness training for our associates — including regular training on information security and data privacy policies;
routine testing of and training on our IT systems, including test phishing emails and awareness training opportunities;
cybersecurity policies, standards and practices that follow recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards, and follow evolving information security regulatory guidance for countries in which we operate;
automation and alerts via embedded tools and procedures to monitor data and notify us of threats or other potential unauthorized occurrences on or conducted through our systems;
sharing threat intelligence daily with each business unit;
multiple mechanisms by which employees can report cybersecurity and data privacy concerns, including a “Report Phish” button in the email application;
internal audits on our cybersecurity and data privacy practices;
a vulnerability management program designed to protect our external and internal networks and critical assets;
an ongoing process of identifying, assessing, reporting on, managing and remediating cybersecurity vulnerabilities across endpoints, workloads and systems; and
a level of cybersecurity insurance that Unisys believes is appropriate, taking into consideration the material risks from cybersecurity threats.
We engage third-party service providers to assist us with our cybersecurity risk management system
Third-party cybersecurity experts regularly supplement our cybersecurity risk management efforts, including those we engage to conduct periodic cybersecurity risk assessments. During 2023, Unisys engaged cybersecurity risk experts and external legal counsel to conduct a review of, and advise us on, our cybersecurity risk management processes, current cybersecurity risk environment, leading board governance practices, strategic cyber reporting and cyber resiliency. Following the review, we have further revised our processes for identifying material cybersecurity incidents and enhanced our written policy regarding identification, classification of severity and escalation of cybersecurity incidents.
In 2023, Unisys engaged a leading cybersecurity firm to consult on several technical matters relating to cyber resiliency. This resulted in significant changes to our security technical stack and improvements to our processes and organization.
Our processes to oversee and identify risks from cybersecurity threats associated with our use of third-party service providers
Unisys recognizes the importance of overseeing and identifying material risks from cybersecurity threats associated with our use of third-party service providers. We have a Third Party Risk Management (TPRM) program, which is integrated into our procurement process and involves cybersecurity risk oversight and identification components. Our TPRM program includes policies and standards requiring that we perform cybersecurity due diligence reviews on our vendors based on the risk profile of a particular supplier or service provider or the service they provide. We also monitor certain of our principal suppliers and service providers on an ongoing basis by conducting additional periodic reviews.
Whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect Unisys, including its business strategy, results of operations, or financial condition and if so, how.
The information set forth under “Risk Factors” (Part I, Item 1A of this Form 10-K) — “We have been and could be vulnerable to disruption in our IT systems, cyber incidents, security breaches and loss of data (associate and client) that have occurred, and may continue to occur, and have resulted in and could continue to result in the incurrence of significant costs and harm to our business and reputation.” — on page 14 of this Annual Report on Form 10-K is hereby incorporated by reference. As of December 31, 2023, our financial condition, results of operations or business strategy have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents.
Cybersecurity Governance
Board Oversight of Risks from Cybersecurity Threats
Cybersecurity risk oversight remains a top priority for the Board of Directors. The Board of Directors is responsible for oversight of Unisys’ information security program, including compliance and risk management, and the review of cybersecurity risks. The Security and Risk Committee (S&RC), a Board committee comprised entirely of independent directors, assists the Board in these oversight responsibilities.
The S&RC’s responsibilities include:
reviewing crisis preparedness and incident response plans;
monitoring Unisys’ enterprise risk profile and its ongoing and potential exposure to risks of various types;
reviewing summaries of any incidents or activities;
reviewing reports or presentations from management or advisors, including third-party experts, regarding the management of enterprise risk programs;
periodically meeting with the CISO and Chief Privacy Officer (CPO); and
periodically briefing the full Board of Directors on cybersecurity matters.
Our S&RC chair previously served as the Chief Information Officer of a large healthcare company from 2011 to 2020 and as a Global Chief Information Officer at another company from 2004 to 2011. Other members of the S&RC have over forty years of executive and operational leadership experience at several global technology and telecommunications companies.
Additionally, the A&FC has general oversight over Unisys’ cybersecurity as it relates to responsibility for Unisys’ internal audit function, including cybersecurity practices, compliance with legal and regulatory requirements and internal control over financial reporting. In November 2023, the A&FC charter was amended to ensure that it, in conjunction with the S&RC, reviews Unisys’ cybersecurity and other information technology controls and procedures no less than annually.
Management’s Role in Assessing and Managing the Company’s Material Risks from Cybersecurity Threats.
The Disclosure Committee assists in fulfilling our obligations to maintain disclosure controls and procedures and coordinates and oversees the process of preparing our periodic securities filings with the Securities and Exchange Commission. Cybersecurity incidents, based on their severity, are escalated to the Disclosure Committee by the SIRT. The Disclosure Committee is comprised of the Chief Executive Officer (CEO), Chief Operating Officer (COO), Chief Financial Officer, General Counsel, Chief Compliance Officer and Chief Accounting Officer. The COO represents the business units of the company, and the CISO reports to the COO. The Disclosure Committee meets on a quarterly basis and more often, if necessary, and invites subject matter experts to meetings, as appropriate. We have policies and procedures in place designed to provide our Disclosure Committee with appropriate information on any matters, including cybersecurity matters, that should be considered in advance of applicable public filings, and to address the proper handling and escalation of information to management and the Board of Directors or a committee of the Board of Directors.
In addition to the oversight of the Board of Directors, members of our management are responsible for assessing and managing material cybersecurity risks.
Our CISO previously served as the CISO for Hertz Global Holdings, Inc. (Hertz), and prior to joining Hertz, held progressively senior information security roles at Hitachi Vantara LLC, Hewlett-Packard Company, Symantec Corp. and Marketo, Inc.
Our CPO previously served as the Global Data Privacy Officer for Hitachi Vantara LLC and prior to that practiced at the law firm of Littler Mendelson, P.C. as an attorney specializing in data privacy among other areas.
Our Chief Information Officer (CIO) has over 20 years of experience at Unisys, with knowledge of IT infrastructure, systems and operations; previously, our CIO spent two years as the CIO for Whitney, Bradley & Brown, Inc. (n.k.a. Serco Inc.). At Unisys, the CIO partners with our CISO and CPO on cybersecurity risk management matters.