UNITED AIRLINES, INC. 10-K Cybersecurity GRC - 2026-02-12

Page last updated on February 12, 2026

UNITED AIRLINES, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-12 16:45:39 EST.

Filings

10-K filed on 2026-02-12

UNITED AIRLINES, INC. filed a 10-K at 2026-02-12 16:45:39 EST
Accession Number: 0000100517-26-000023


Item 1C. Cybersecurity.

Board and Management Oversight of Cybersecurity Risks

The Company considers management of cybersecurity and digital risk as essential for enabling its success. The Audit Committee (the "Audit Committee") of the Board provides oversight of the Company's risk assessment and risk management policies and strategies with respect to significant business risks, including cybersecurity and digital risk. On a regular basis, the Audit Committee reviews reports from the Company's Chief Information Security Officer ("CISO") - as well as its Chief Information Officer, Chief Risk Officer, Chief Legal Officer and Chief Compliance Officer - regarding the Company's processes for assessing, identifying and managing of cybersecurity risks, including when applicable, notable cybersecurity threats or incidents impacting the aviation sector and the Company; results of independent third-party assessments of the Company's cybersecurity program; key metrics, capabilities, resourcing and strategy regarding the Company's cybersecurity program; and updates related to cybersecurity regulatory developments. The Chair of the Audit Committee regularly reports its activities - including those related to cybersecurity risks - to the Board and, as necessary, recommends actions to the Board that the Audit Committee deems appropriate.

The CISO leads the Company's Cybersecurity and Digital Risk ("CDR") organization, which oversees the Company's approach to prevent, detect, mitigate and remediate cybersecurity and digital risk. The Company's current CISO has extensive technology and risk management experience in critical infrastructure sectors, including aviation, and is certified as a boardroom Qualified Technology Expert by the Digital Directors Network. She has served on the U.S. President's National Infrastructure Advisory Council, examining and providing recommendations related to cross-sector critical infrastructure security and resilience. She currently serves on the board of directors of the Internet Security Alliance, is currently a member of the Cybersecurity Council at Airlines for America (and has served as its Chair) and is currently a member of the board of directors of the Aviation Information Sharing and Analysis Center (A-ISAC).

The Company's CDR organization includes teams focusing on cyber defense, identity and digital trust, secure product solutions and aircraft cybersecurity operations. These teams include individuals with a variety of cybersecurity expertise, including expertise in penetration testing; application cybersecurity; product cybersecurity; cloud cybersecurity; infrastructure cybersecurity; cybersecurity engineering and architecture; identity and access management; vulnerability and asset management; cybersecurity threat intelligence; cybersecurity regulatory compliance; digital fraud; digital trust; incident response; insider threat assessment; and aircraft cybersecurity. The Company's senior leadership - including across the Company's safety, legal, government affairs, operations, aviation security, finance, communications and digital technology organizations as well as others when appropriate - support the CDR organization and contribute to the management of cybersecurity and digital risk by attending regular cybersecurity risk reviews and participating in cybersecurity exercises.

Cybersecurity Risk Management and Strategy

Managing cybersecurity and digital risk is a significant part of the Company's overall strategy for safely operating its business. The Company has developed a risk-based cybersecurity and digital risk management strategy. This risk-based strategy is informed by guiding principles from industry standard cybersecurity and risk management frameworks - such as those published by the National Institute of Standards and Technology - and industry-recognized practices to protect the confidentiality, integrity and availability of the Company's information technology systems and data. The Company is also subject to extensive cybersecurity regulation, including but not limited to those regulations overseen by the FAA, TSA, and DOT. This risk-based framework is also integrated into the Company's Enterprise Risk Management ("ERM") process that is subject to oversight by the Board. Cybersecurity risks are one of the key risks regularly evaluated, assessed and monitored as part of the Company's overall ERM process.

As part of its risk-based strategy, the Company maintains appropriate technical and organizational measures and regularly reviews the appropriateness of those controls based on changes to the technical or regulatory environment to protect as well as minimize threats to the Company's information; the information of the Company's customers, suppliers and other third parties; the Company's information systems; the Company's business operations; and the Company's services. The Company also regularly incorporates cybersecurity awareness training into employee communications, engagement and training activities. The Company participates in various information-sharing organizations to timely share and receive threat information, thereby improving the collective defense of the aviation, retail and hospitality and other critical infrastructure sectors. The Company regularly seeks opportunities to improve its capabilities, including through cybersecurity trainings and skill-development programs for its CDR organization members.

The Company utilizes a variety of third parties, as appropriate, in connection with its cybersecurity risk management. The Company employs these third-party cybersecurity companies to add capacity or expertise when necessary. Additionally, internal audits, security maturity assessments, security attestations and certifications, security testing and post-remediation reviews of the Company's cybersecurity program are periodically conducted by independent third-party service providers to identify areas of potential weakness and for continued improvement as well as to ensure ongoing compliance with regulatory requirements to which we are subject. In addition, the Company actively engages with intelligence agencies, law enforcement and advocacy and industry groups.

The Company is subject to cybersecurity risks related to its business partners and third-party service providers, as further detailed under the heading "Increasing privacy, data security and cybersecurity obligations or a significant data breach may adversely affect the Company's business" included as part of the risk factor disclosures in Part I, Item 1A. of this report. To assess these risks, the Company considers the impact of third-party incidents as part of its cybersecurity incident response processes. The Company also conducts evaluations of key suppliers based on risk and seeks to incorporate appropriate security standards to address the risk. In addition, the Company regularly monitors the external cybersecurity posture of select third parties through various service providers.

The Company strives to design and implement technical and organizational controls comprehensively, consistently and effectively as intended to protect the confidentiality, integrity or availability of systems and data. However, because the Company utilizes a risk-based strategy, based on professional judgment and analysis of the risks, it is possible that the Company may underappreciate or not recognize specific risks and may fail to fully implement the necessary technical and organizational controls. Moreover, even well designed and implemented security controls may not eliminate the occurrence of cybersecurity incidents.

Cybersecurity Incident Management

The CDR organization monitors the Company's information systems to prevent, detect, mitigate and remediate cybersecurity threats. The CDR organization uses a variety of prevention and detection tools and other resources to monitor cybersecurity vulnerabilities and identify potential cybersecurity incidents. When a cybersecurity incident is identified, the CDR organization's incident response team engages with the appropriate subject matter experts, the relevant management of impacted organization(s) and others to analyze, contain, eradicate, mitigate and recover from the incident as applicable. When appropriate, during the incident response process, the CISO, the CDR organization's leadership and the Company's Chief Legal Officer may be informed and consulted and if deemed necessary, incidents may be escalated for review by the Senior Leader Crisis Team, which consists of cross-functional leaders of the Company. The Company maintains a process in which a subgroup of the Company's Disclosure Council makes a recommendation regarding the materiality of certain cybersecurity incidents to the full Disclosure Council and, if determined to be material, subsequently to the Audit Committee. Additionally, the CDR organization has frequent operating rhythms to, among other things, review cybersecurity incidents and track the progress of cybersecurity initiatives.

The Company faces risks from network disruptions, cybersecurity threats (including as a result of any cybersecurity incident) and other efforts to compromise its services and underlying infrastructure that could have a material adverse effect on or are reasonably likely to materially adversely affect - individually or in the aggregate - its business strategy, results of operations, financial condition, cash flows or reputation. To the Company's knowledge, based on information available as of December 31, 2025 and through the date of this filing, such risks did not have a material adverse effect on the Company in the last three fiscal years. However, from time to time the Company has experienced and expects to continue to face increasing cybersecurity risks as well as potential network disruptions - whether directly or through its supply chain or other channels - in the normal course of its business. For more information about the cybersecurity-related risks that the Company faces, see the risks detailed under the headings "The Company relies heavily on technology and automated systems to operate its business and any significant failure or disruption of, or failure to effectively integrate and implement, these technologies or systems could materially harm its business or business strategy" and "Increasing privacy, data security and cybersecurity obligations or a significant data breach may adversely affect the Company's business" included as part of the Company's risk factor disclosures in Part I, Item 1A. of this Form 10-K.


Company Information

Name: UNITED AIRLINES, INC.
CIK: 0000319687
SIC Description: Air Transportation, Scheduled
Ticker:
Website:
Category: Large Accelerated; Well Known Seasoned Issuer
Fiscal Year End: December 31