Page last updated on June 2, 2025
UNIVERSAL CORP /VA/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-05-30 16:30:45 EDT.
Filings
10-K filed on 2025-05-30
UNIVERSAL CORP /VA/ filed a 10-K at 2025-05-30 16:30:45 EDT
Accession Number: 0000102037-25-000028
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
Cybersecurity risks are considered within our broader enterprise risk management (“ERM”) framework as part of our overall risk assessment process. We maintain a comprehensive Information Security Program and controls that are designed to assess, identify, manage, contain, and recover from material cybersecurity risks. The Information Security Program is also designed to identify emerging cybersecurity and information security risks and apply safeguards to the Company, our assets, customer, and employee data. The Information Security Program also addresses cybersecurity risks associated with our use of third-party service providers through systems and processes that are designed to assess, identify, and reduce the potential likelihood and impact of a cybersecurity incident at our third-party service providers. However, we rely on our third-party partners to implement effective information security programs commensurate with the risk associated with the nature of their business relationships to us and cannot ensure in all circumstances their efforts will be successful.
The Information Security Program is based on Center for Internet Security (“CIS”) Controls, a cybersecurity framework that is acknowledged worldwide and is designed to comply with applicable laws and guidelines. We also have adopted a cybersecurity incident response and recovery plan to enable us to respond to cybersecurity incidents that may affect the function and security of the Company, our information technology assets, customer and employee data, information resources, and business operations. We have adopted cyber and data security policies that address matters including user access, incident response, third-party compliance, personal devices, and data privacy. These policies are reviewed annually.
We also maintain insurance covering certain costs that may be incurred in connection with cybersecurity incidents, should they occur.
Our Information Security Program is further supported by regular educational and awareness training for employees. The training includes an annual assessment, focused on security, appropriate use, incident reporting, and social engineering, as well as multiple courses per year on global security trends and emerging risks. We also provide employees with educational materials about emerging cybersecurity threats and update employees when our information security policies are amended.
We regularly evaluate our Information Security Program based on software vendor assessments and reports, insurance underwriter evaluations, and internal and external audits, including customer audits. We also periodically engage third parties to review the effectiveness of our Information Security Program. To date, these engagements have included third-party penetration testing, risk identification, and a fiscal year 2023 comprehensive evaluation of the maturity of our Information Security Program.
Management has determined that no cybersecurity incidents that we have experienced to date have resulted in, or are reasonably likely to result in, a material adverse effect on our financial condition, results of operations, or business strategy. For additional information on risks from cybersecurity threats and potential related impacts on the Company, please see Item 1A. “Risk Factors.”
Cybersecurity Governance
Board Oversight
The Board of Directors is ultimately responsible for our Information Security Program, and it has delegated to the Audit Committee primary oversight responsibility for this information security and technology (including cybersecurity) risk management program. The Audit Committee periodically reviews the program and information security, cybersecurity, and technology risks.
At least quarterly, the Audit Committee reviews and discusses with management and our senior information officers the Information Security Program, including the structure and function of the program and any enhancements made to the program as a result of third-party reviews or an identified security risk. The Audit Committee regularly briefs the Board on these discussions. In addition, our Incident Response Policy outlines procedures pursuant to which cybersecurity incidents or risks are escalated within the Company, and, as applicable, timely reported to the Audit Committee and Board.
Management Oversight
Our Information Security Program is a comprehensive framework of policies, procedures, and guidelines designed to ensure the security, availability, and confidentiality of our systems. Our Chief Information Officer (CIO) and Corporate Director of Information Technology Security (CDIS), in coordination with our Information Technology Department and other appropriate personnel, are responsible for assessing and managing our risks from cybersecurity threats.
The CIO has served various roles in information technology and information security for over 25 years, including Corporate Director, Technology & IS Strategy and Director of Applications and Technology, has been in his current role for more than 10 years, and holds a BS degree in Computer Science. Our CIO has various industry certifications, including being a Microsoft Certified Professional (MCP) and holding the Project Management Professional (PMP) certification, offered by the Project Management Institute (PMI).
The program is led by our CDIS, who operates under the direction of the CIO. With over 30 years of experience in IT and cybersecurity, the CDIS heads our global Information Security team and the Security Steering team. This multidisciplinary team comprises experts from IT, Infosec, Legal, Audit, and Risk.
The CDIS brings extensive expertise across a diverse array of platforms, services, and technologies.
A third-party security operations center, which is in operation at all times, is responsible for monitoring all logs, events, and alerts from our Endpoint Detection & Response (“EDR”) platforms and cloud deployed services. This third-party also quarantines any systems displaying suspicious behavior for automatic or approved remediation. Our Information Technology Department maintains regular oversight of this third-party’s actions through the monitoring of alerts displayed on the third-party’s threat management dashboard to identify and respond to any irregularities that could be associated with threats. Significant threats are promptly reported to our Information Security Steering Team, who will assess the respective threat, with the help of external advisers as necessary, and initiate a plan to address it. The Information Security Steering Team will advise the General Counsel and Audit Committee of the threat as well as other third parties or authorities who are required to be notified pursuant to applicable law or contract.
Company Information
Name | UNIVERSAL CORP /VA/ |
CIK | 0000102037 |
SIC Description | Wholesale-Farm Product Raw Materials |
Ticker | UVV - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | March 30 |