UNITED PARCEL SERVICE INC - (UPS)

10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity
The Board regularly discusses our most significant risks and how these risks are being managed. The Board has appointed a Risk Committee, consisting entirely of independent directors, whose responsibilities include assisting the Board in overseeing management’s identification and evaluation of strategic enterprise risks, including risks associated with privacy, technology, information security, cybersecurity and cyber incident response and business continuity. The Risk Committee regularly updates the Board on these activities.
The Risk Committee oversees the Company’s approach to cybersecurity risk assessment and mitigation by, among other things, (i) reviewing the Company’s cybersecurity insurance program, (ii) reviewing the Company’s cybersecurity budget, (iii) discussing the results of various internal cybersecurity audits and periodic independent third-party assessments of the Company’s cybersecurity programs, (iv) being briefed on cybersecurity matters by outside experts, and (v) receiving regular updates from the Company’s Chief Information Security Officer (“CISO”) and others on cybersecurity risks, operational metrics, compliance and regulatory developments, training programs, risk mitigation activities, key projects and industry developments. The Company's Chief Legal and Compliance Officer ("CLCO"), Chief Digital and Technology Officer ("CDTO"), CISO and Vice President of Compliance and Internal Audit participate in Risk Committee meetings and meet individually with the Risk Committee on a periodic basis to discuss and address relevant matters, including the Company’s approach to cybersecurity risk assessment and mitigation. The CISO reports to the CDTO, who in turn reports to the Chief Executive Officer ("CEO"). The CISO has more than thirty years of IT experience, has served many years in various information security management roles and has multiple cybersecurity certifications.
The Company maintains an enterprise risk management process designed to identify potential events that may affect the achievement of the Company's objectives or have a material adverse effect on the Company. Cybersecurity is among the risks considered as a part of this process. The Company's management, including the CISO, also participates on the Company's Information Security & Privacy Governance Council (“ISPGC”). The ISPGC meets periodically to consider information security and privacy matters.
The Company utilizes various technical and qualitative processes to assist in identifying, assessing and managing cybersecurity risks. The Company's processes include periodic discussions and risk reviews with management and, depending on facts and circumstances, may include internal audits, third-party assessments, post-remediation reviews, engagements with independent third-party service providers and key governmental agencies, regular employee training, an incident response plan and backup and recovery plans. Our periodic engagements with independent third-party service providers are designed to provide qualitative and technical cybersecurity assessments. The Company has a corporate-level cybersecurity team, led by the CISO, that, among other responsibilities, receives and reviews reports regarding potential threats, trends and remediation strategies. The cybersecurity team evaluates threat intelligence and information obtained from various sources, including internal, public or private sources, government agencies and external consultants. Certain of the Company's subsidiaries have separate cybersecurity teams that, along with the corporate-level cybersecurity team, play a role in the Company's efforts to monitor, identify, assess and manage cybersecurity risks.
We interact with the information technology networks and systems of third parties for many aspects of our business. We consider and evaluate cybersecurity risks associated with the use of independent third-party service providers. To help UPS understand and mitigate potential cybersecurity risks, we generally utilize measures such as vendor risk assessments, periodic technical assessments of third-party vendors' controls and contracts governing the use of and access to our data and compliance with our security requirements.
We maintain an Incident Response Plan that includes processes and procedures for reviewing and responding to cybersecurity incidents. We periodically test our readiness to respond to a cybersecurity incident through various scenario-based drills. The Incident Response Plan includes processes for escalation to the CISO, the Executive Leadership Team, including the CEO, the Risk Committee and the Board, and a process for consideration of whether a cybersecurity incident is material and may require disclosure in SEC filings.
For additional information on cybersecurity risks and the impact they may have on our business strategy, results of operations or financial condition see "Risk Factors – Business and Operating Risks – A significant cybersecurity incident, or increased data protection regulations, could materially adversely affect us".