Unum Group 10-K Cybersecurity GRC - 2026-02-17

Page last updated on February 17, 2026

Unum Group reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-17 16:30:42 EST.

Filings

10-K filed on 2026-02-17

Unum Group filed a 10-K at 2026-02-17 16:30:42 EST
Accession Number: 0000005513-26-000008

Item 1C. Cybersecurity.

We take our responsibility for the privacy and security of the information our customers share with us seriously. Through our cybersecurity program, we continuously watch for threats to our systems and make real-time adjustments to our defenses to protect customer data and minimize service disruptions.

We identify and assess cybersecurity risks on an ongoing basis by maintaining a cybersecurity program that involves a defense-in-depth approach with multiple layers of security controls to protect our environment. We have invested in and deployed a security operating model involving people, processes, and technology that is designed to protect against potential and known cybersecurity risks and threats.

Our cybersecurity program involves collaboration with partners, including financial industry groups, to understand and incorporate best practices and engage in cybersecurity threat intelligence sharing. Our security operations team includes cyber threat intelligence, threat hunting, and cybersecurity engineers and analysts, who are working directly with third parties to monitor the threat landscape. Alerts from monitoring are analyzed by our security teams for preemptive engagement to avoid or minimize the impact of potential cyber threats. We rely on third-party cybersecurity software tools and services to enhance cybersecurity functions such as incident logging, network monitoring, detecting and blocking malicious attacks, as well as to govern identity and access management, and for security operations and data loss prevention.

We utilize an internal global incident management team, comprised of executive and senior management-level personnel, that is responsible for oversight of our business resiliency and cybersecurity incident response programs. Our cybersecurity incident response team works closely with the business continuity, disaster recovery, and crisis management functions to plan, prepare, and practice response to simulated cybersecurity incident scenarios for response readiness. In the event of a cybersecurity incident, our incident response team would assess whether to engage the support of law enforcement or other third parties. In addition to our cybersecurity incident response team, we have retainers with leading incident response organizations to augment response activities, if needed. We also conduct one or more annual cybersecurity incident response tabletop exercises with senior management and third-party experts to test our incident response plan and enhance our readiness for a potential cybersecurity incident. Additionally, we carry cybersecurity insurance to help reduce financial risk posed by cybersecurity incidents.

Additionally, we engage an external firm to conduct an annual System and Organization Controls 2 Type 2 examination of certain cybersecurity controls. Our internal audit organization also provides independent assurance of the cybersecurity program through related audit engagements to complement external assessments and reviews. Additional third parties are engaged, as needed, to perform risk assessments, penetration testing, and other services related to cybersecurity.

Cybersecurity risks associated with third-party service providers are managed in accordance with our Third-Party Risk Management (TPRM) program. Components of this program include cybersecurity due diligence and review of contractual terms with third parties that access our network or sensitive information. The TPRM program works to conduct appropriate review of all new third parties and performs ongoing monitoring of our existing relationships based on the risk presented by the third-party.

As part of our cybersecurity program, we perform an annual cybersecurity risk assessment to evaluate our cybersecurity program and related controls. The cybersecurity risk assessment is informed by the guidelines published by the National Institute of Standards and Technology, which are aimed at identifying and determining the potential impact of threats and vulnerabilities and assessing the controls in place to mitigate those threats and vulnerabilities. Risks from cybersecurity threats have not materially affected, and are not reasonably likely to materially affect, our business strategy, operations, or financial condition.

Management's role in assessing and managing cybersecurity risks is led by our Chief Information Security Officer (CISO), who is a senior vice president and officer of the Company. As of the date of this report, our CISO has over twenty years of experience in information security leadership, including leading threat and vulnerability management, cybersecurity operations and cybersecurity defense, cybersecurity incident response, and technology risk management. He holds a bachelor's degree in computer science and several professional qualifications, including Certified Information Systems Security Professional and Information Systems Security Management Professional. The responsibilities of prevention, detection, mitigation, and remediation of cybersecurity incidents are allocated across the CISO's organization, and each organizational unit reports risks and incidents to the CISO, who in turn informs other senior management of cybersecurity incidents that may be material to the company.

Our cybersecurity program is overseen by the Information Security Committee (ISC), a cross-functional management committee whose membership includes the CISO, Chief Risk Officer (CRO), Chief Technology Officer, Chief Compliance Officer, and others. Members of the ISC possess substantial experience in risk management, finance, and information security. The ISC is responsible for ensuring that the cybersecurity strategy and program align with our overall risk strategy.

Our TPRM program is governed by the TPRM Steering Committee, a cross-functional leadership team with representation from sourcing, compliance, legal, information security, and enterprise risk. The committee provides guidance and oversight for the TPRM policy and program framework to manage risks associated with third-party vendors. The TPRM Steering Committee also ensures that the TPRM program and strategy remain aligned with our broader business objectives.

Both the TPRM Steering Committee and the ISC escalate relevant risks to our Executive Risk Management Committee (ERMC), which is comprised of senior leaders from our corporate functions and business segments. The ERMC oversees our enterprise-wide risk management framework and ensures strategic alignment across the organization. The ERMC is chaired by the CRO, who maintains a direct line of communication with the Risk and Finance Committee (RFC) of our board of directors.

The RFC is the board committee that oversees our cybersecurity risk management. Our CISO makes quarterly reports to the RFC about material cybersecurity risks, updates to the cybersecurity program, metrics that evaluate the effectiveness of the cybersecurity program, material cybersecurity incidents and remediation plans. The RFC also receives timely reports from the CISO when there are significant cybersecurity incidents or updates to the cybersecurity risk assessment. The board of directors also takes an active role in overseeing cybersecurity risk, including receiving an annual report from the CISO that provides an overview of the status and effectiveness of our cybersecurity risk management program and participating in cybersecurity incident response tabletop exercises.

See "Quantitative and Qualitative Disclosures About Market Risk" contained herein in Item 7A for further information. Also see "Risk Factors" included in Item 1A for additional information regarding cybersecurity risk.


Company Information

Name: Unum Group
CIK: 0000005513
SIC Description: Accident & Health Insurance
Ticker: UNM - NYSE, UNMA - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 31