Item 1C. Cybersecurity

To help address cybersecurity threats, Western Union has developed a strategy and implemented a program to identify, assess, and prioritize cybersecurity risks as part of our broader enterprise risk management processes. We recognize that cybersecurity threats are constantly evolving and that there is no single solution that can guarantee complete protection.

Our cybersecurity strategy is designed to protect the confidentiality of our data from unauthorized access, the integrity of information throughout its lifecycle, and the availability of that information and the related systems. Our strategy is guided by the National Institute of Standards and Technology Cybersecurity Framework, which helps us identify, assess, and manage cybersecurity risks relevant to our business.

Within our cybersecurity program, we have identified and implemented a variety of processes for cybersecurity risk management:

 

Our cybersecurity governance framework is designed to manage cybersecurity risks at all levels of the organization. As part of this governance framework, our Board of Directors regularly devotes time during its meetings to review and discuss the most significant risks facing the Company, including cybersecurity threats, and management’s process for identifying, prioritizing, and responding to them. The Audit Committee of the Board of Directors assists the Board in overseeing the significant risk exposures facing the Company and regularly reviews cybersecurity risks at its committee meetings. Cybersecurity risks are integrated into the broader company risk management system through our Information Security and Privacy Committee (“ISPC”), which is a subcommittee of our Enterprise Risk Committee (the “ERC”), is co-chaired by the Chief Information Security Officer and Chief Privacy Officer, and consists of senior leaders across the company. The ISPC is charged with oversight, advisory, and decision-making responsibilities with respect to information security and privacy risks. Management, including the ERC, is responsible for communicating cybersecurity risks to the Audit Committee and Board of Directors. Our cybersecurity program, led by our Chief Information Security Officer, who reports to our Chief Risk and Compliance Officer, has a team of dedicated, experienced cybersecurity professionals responsible for day-to-day security operations and strategic cybersecurity programs. The Chief Information Security Officer has over 20 years of experience in security risk management, with over 10 years of experience leading cybersecurity teams. All employees are responsible for protecting Western Union’s data and systems and are required to follow Western Union’s cybersecurity policies.

We have been, and continue to be, the subject of cybersecurity attacks and threats, including distributed denial of service and ransomware attacks. Historically, none of these attacks or breaches has individually or in the aggregate resulted

---

in any material liability to us or any material damage to our reputation. Disruptions related to cybersecurity have not caused any material interruption to our business, strategy, results of operations, or financial condition. There can be no assurance that such attacks or disruptions will not have a material adverse impact on us in the future.