Unity Software Inc. 10-K Cybersecurity GRC - 2026-02-11

Page last updated on February 11, 2026

Unity Software Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-11 07:03:35 EST.

Filings

10-K filed on 2026-02-11

Unity Software Inc. filed a 10-K at 2026-02-11 07:03:35 EST
Accession Number: 0001810806-26-000011

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We are committed to our privacy and security programs, and our security team strives to protect our customer and employee data from cybersecurity risks. We have procedures in place to address suspected security breaches and notify users determined to be affected and applicable regulators of a breach where we are legally required to do so. Because our business involves the collection, use, storage, and transmission of personal information, we are subject to numerous federal, state, local, and foreign laws, regulations, and other obligations relating to privacy and data security. Countries around the world have adopted or are proposing similar laws and regulations relating to privacy and data security, and we may become subject to them as we expand our operations into new geographic markets. From time to time, and at least annually, we review and update if necessary our privacy standards and policies in response to evolving regulatory requirements and internal Unity requirements. Unity personnel are provided annual privacy training, with additional targeted training for key participants in our privacy program. We have a security policy which outlines mandatory security requirements for all of our employees, contractors or other agents. This policy is supported by internal standards, directives and procedures and our security infrastructure and tools. The security program includes implementation of software security throughout the development life cycle, vulnerability and configuration management software across certain of our data infrastructure, and our products and services offerings. Our risk management process includes annual employee education and annual analysis of security-related risks from across the company, which are then prioritized for mitigation or remediation. Our approach to cybersecurity is integrated into our overall company-wide approach to risk management, including regular consultations between our Data Privacy Officer and Interim Chief Information Security Officer and our internal audit team. Our management team, including our Interim Chief Information Security Officer and our Data Privacy Officer, also regularly reports to the Audit Committee of our board of directors regarding their evaluation of risks from cybersecurity threats against our overall business objectives and other relevant cybersecurity matters. We engage third party services in connection with our processes for vendor security reviews and security incidents. Assessments of our program are performed by our internal audit team or through independent third-party engagements. We are continuing to refine our processes to oversee and identify the risks from cybersecurity threats associated with our use of any third-party service provider. Our Interim Chief Information Security Officer and Data Privacy Officer oversee our assessment, prevention, detection and management of cybersecurity risks, and report to our executive team, including our Chief Financial Officer and Chief Legal Officer. Collectively, they have expertise in cybersecurity, privacy law and regulation, and governance, and their teams comprise personnel with a broad range of experience across the private and public sectors, the technology industry, and in different geographic regions. Our Interim Chief Information Security Officer has over 30 years of experience in multiple business verticals and has led security organizations and managed global practices for Fortune 500 technology companies. Our security team follows a documented incident response process, which we are continuing to evaluate and enhance. Pursuant to this process, incidents which may result in economic loss to the company, reputational harm or require notifications to individuals or government authorities are reported Unity Software Inc. to relevant members of our executive team. Our Interim Chief Information Security Officer also provides a regular summary of significant investigations to our Chief Financial Officer and Chief Legal Officer, as well as our Audit Committee, and our Data Privacy Officer reports on our compliance posture with respect to new and pending laws and regulations periodically as well. The Audit Committee of our board of directors is responsible for overseeing our cybersecurity risk management processes, including oversight of mitigation of risks from cybersecurity threats. The Audit Committee of our board of directors meets on a quarterly basis with our Interim Chief Information Security Officer about our cybersecurity risk management and strategy, including any significant investigations, and periodically with our Data Privacy Officer about our privacy program. In 2025, we did not identify any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. Despite our efforts, we cannot eliminate all risks from cybersecurity threats or provide assurances that we have not experienced undetected cybersecurity incidents. Refer to "Item 1A. Risk Factors" for a description of the risks from cybersecurity threats that may materially affect the Company, including the risk factor titled, "If we or the third parties with whom we work experience a security breach or unauthorized parties otherwise obtain access to our customers' data, our data, or our platform, our platform may be perceived as not secure, our reputation may be harmed, our business operations may be disrupted, demand for our solutions may be reduced, and we may incur significant liabilities".

Company Information