UNION PACIFIC CORP - (UNP)

10-K Filing Date: February 09, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

The Company is subject to cybersecurity threats that could have a material adverse impact on our results of operations, financial condition, and liquidity. See also our discussion in the Risk Factors in Item 1A of this report. As a component of our Company-wide enterprise risk management framework, we implemented a cybersecurity program whose objective is to assess, identify, and manage risks from cybersecurity threats that may result in adverse effects on the confidentiality, integrity, and availability of the electronic information systems that we own. We regularly perform internal security assessments, engage third-party consultants to conduct external security assessments, and participate in, conduct, and/or administer exercises, drills, and recovery tests as part of this program. We also maintain training programs and policies and procedures designed to safeguard employee handling and use of data, internet usage, controlled access measures, and physical protections. We consult with industry groups, monitor threat intelligence reports, and communicate with various government agencies in an effort to stay up-to-date on changes in the cybersecurity threat landscape. This program, in addition to addressing our own information systems, is also designed to oversee, identify, and reduce the potential impact of a security incident at a third-party service provider or that otherwise impacts third-party technology and systems we use.

Internal Cybersecurity Team

The Company’s internal information security organization (Internal Cybersecurity Team), led by our Executive Vice President and Chief Information Officer (CIO) as well as the Assistant Vice President and Chief Information Security Officer (CISO), is responsible for coordinating all aspects of the Company’s electronic information security systems, including prevention, detection, mitigation, and remediation of cybersecurity incidents, as well as implementing, monitoring, and maintaining our enterprise-wide security strategy, standards, architecture, policies, and processes. Our CIO reports directly to our Chief Executive Officer, our CISO reports to our CIO, and reporting to our CISO are our Deputy Chief Information Security Officer (Deputy CISO) and other experienced information security personnel responsible for various parts of our business. In addition to our internal cybersecurity capabilities, we also periodically engage assessors, consultants, auditors, and other third parties to assist with assessing, identifying, and managing cybersecurity risks. When the Company learns of a cybersecurity incident at a third-party service provider, the Company’s respective department contacts maintain communication with the third-party service provider and communicate any cybersecurity incidents to the CISO.

Security Policy and Requirements

As part of the Company’s Crisis Management Plan, the Company's cybersecurity Incident Response Plan (the IRP) provides a framework for responding to cybersecurity incidents. The IRP sets out a coordinated approach to discovering, investigating, containing, tracking, mitigating, and remediating cybersecurity incidents, including a framework for elevating and reporting findings and keeping senior management and other key stakeholders informed and involved, based on assessments regarding the scope or significance of incidents. The IRP applies to the Company’s extended computing environment, including electronic information resources that are owned or used by the Company and are routinely relied on to support our operations.

The Internal Cybersecurity Team has robust processes and redundancies in place designed with the objective of deterring, detecting, mitigating, and responding to potential cybersecurity threats, which include a vulnerability assessment, prioritization, and remediation program. The Internal Cybersecurity Team also performs regular system penetration testing to validate our security controls and assess our infrastructure and applications. All management employees take mandatory periodic security awareness training on the Company’s data security policies and procedures, which is supplemented by Company-wide testing initiatives, including periodic phishing tests. Additionally, in 2023, our Board of Directors and certain management employees participated in a tabletop exercise to simulate a response to a cybersecurity incident, and our Internal Cybersecurity Team incorporated the findings from this exercise into our processes.

Our information security program is designed to align our defenses and resources to identify, assess, and address more likely and more damaging cyber events, to provide support for our organizational mission and operational objectives, and to position us to deter, detect, mitigate, and respond to a wide variety of potential attacks in a timely fashion. Our information security program employs quantitative and qualitative approaches to evaluate the effectiveness of controls and assess the resiliency of critical computing resources. This data is combined with knowledge of common attack techniques to assess the likelihood of components being compromised and assess potential financial implications under different scenarios. The results are used to help identify potentially material risks and provide insights which are taken into account when prioritizing our security initiatives.

Material Cybersecurity Risks, Threats, and Incidents

Due to the evolving nature of cybersecurity threats, it has been and will continue to be difficult to prevent, detect, mitigate, and remediate cybersecurity incidents. While we are not aware of having experienced any material effects or reasonably likely material effects on our Company, its business strategy, results of operations, or financial condition resulting from cybersecurity threats or incidents to date, as a critical infrastructure provider, we may be a target of well-funded and sophisticated adverse actors. There can be no guarantee that we will not be the subject of future risks or incidents that have such an effect, or that we are not currently the subject of an undetected risk or incident that may have such an effect.

We also rely on information technology and third-party vendors to support our operations, including our secure processing of personal, confidential, sensitive, proprietary, and other types of information. Despite ongoing efforts to improve our and our vendors’ ability to protect against cyber incidents, we may not be able to protect all of the information systems we use. Incidents may lead to reputational harm, revenue and client loss, legal actions, or statutory penalties, among other consequences. For a more detailed discussion of these risks, see our discussion in the Risk Factors in Item 1A of this report.

Governance

The Board of Directors has delegated primary oversight of the Company’s cybersecurity risk to the Audit Committee, which receives updates on cybersecurity risks and incidents at each regularly scheduled Audit Committee meeting from the CIO, CISO, and other members of management, as needed. When making decisions regarding director appointments and committee assignments, the Board of Directors takes into consideration the cybersecurity experience of directors and director candidates and strives to maintain cybersecurity expertise on the Board of Directors and Audit Committee. We have protocols by which certain cybersecurity incidents are reported to the Audit Committee and Board of Directors.

At the management level, our CIO, CISO, and Deputy CISO, each of whom has extensive cybersecurity knowledge and skills gained from over 27 years, 28 years, and 19 years of relevant work experience, respectively, head the Internal Cybersecurity Team that is responsible for implementing and maintaining cybersecurity and data protection practices across our business, with our CIO reporting directly to our Chief Executive Officer. In 2023, our CIO was appointed to serve as a member of the U.S. Cybersecurity Advisory Committee (CSAC) of the Cybersecurity and Infrastructure Security Agency (CISA), which provides recommendations to CISA on a range of cybersecurity issues, including corporate cyber responsibility, technology product safety, and efforts to raise the baseline of cybersecurity practices for a variety of entities to enhance the United States’ cyber defense. Our CISO and Deputy CISO receive reports on cybersecurity threats from a number of experienced information security professionals for various parts of our business on an ongoing basis and, in conjunction with other management personnel, regularly consult on risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks.

In addition, our Risk and Compliance Committee (RCC) is responsible for oversight and support of the Company’s Enterprise Risk Management and Compliance and Ethics programs and consists of the Executive Leadership Team and the Senior Vice President and Chief Accounting, Risk, and Compliance Officer (Compliance Officer). The RCC also created a subcommittee, the Enterprise Risk Management Committee (ERMC), which is charged with continually monitoring, evaluating, and managing enterprise risks. The ERMC includes the Compliance Officer, General Auditor, Vice President Law - Finance and Compliance, Vice President and Chief Safety Officer, CISO, and Assistant Vice President - Corporate Strategy. The RCC and ERMC both meet throughout the year and receive periodic updates on cybersecurity from the CISO and Deputy CISO.