Western Union CO 10-K Cybersecurity GRC - 2026-02-20

Page last updated on February 20, 2026

Western Union CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-20 16:07:47 EST.

Filings

10-K filed on 2026-02-20

Western Union CO filed a 10-K at 2026-02-20 16:07:47 EST
Accession Number: 0001193125-26-061340

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity To help address cybersecurity threats, Western Union has developed a strategy and implemented a program to identify, assess, and prioritize cybersecurity risks based on their potential impact to our customers, operations, regulatory obligations, and financial condition, as part of our broader enterprise risk management processes. We recognize that cybersecurity threats are constantly evolving and that there is no single solution that can guarantee complete protection. Our cybersecurity strategy is designed to protect the confidentiality of our data from unauthorized access, the integrity of information throughout its lifecycle, and the availability of that information and the related systems, while supporting the reliable operation and ongoing evolution of our business and technology platforms. Our strategy is guided by the National Institute of Standards and Technology Cybersecurity Framework, which helps us identify, assess, and manage cybersecurity risks relevant to our business. Within our cybersecurity program, we have identified and implemented a variety of processes for cybersecurity risk management. These processes are designed to enable timely identification, prioritization, and response to cybersecurity risks and to support informed decision-making regarding risk mitigation and acceptance. - We conduct regular risk assessments to identify and evaluate potential cybersecurity threats, including threats to our business operations, technology infrastructure, and data. - We monitor threat intelligence feeds to stay updated on the latest cybersecurity threats and vulnerabilities. - We scan our systems for vulnerabilities on an ongoing basis, with vulnerabilities prioritized and remediated based on their potential impact to business operations and data protection. - We have implemented a variety of access controls to restrict access to our systems and data, including user authentication, authorization, and encryption. - We conduct regular security awareness training for our employees to help them identify and avoid cybersecurity threats. - We periodically conduct test exercises, including tabletop exercises, across various levels of the Company each year to review our cybersecurity controls and incident response procedures and capabilities, to enhance our operational resilience by seeking to ensure business continuity during potential extended digital outages, and to identify improvement opportunities and increase employee awareness and preparedness. - Our third-party risk assessment program identifies, assesses, and monitors vendors for cybersecurity risk. These include information technology and cybersecurity vendors who are part of our digital supply chain, with particular focus on vendors that support critical business processes or have access to sensitive data. Our cybersecurity governance framework is designed to manage cybersecurity risks at all levels of the organization. As part of this governance framework, our Board of Directors regularly devotes time during its meetings, including at least annually, to review and discuss the most significant risks facing the Company, including cybersecurity threats, and management's approach for identifying, prioritizing, and responding to those risks. Our Audit Committee, which is comprised solely of independent directors, assists the Board of Directors in overseeing the significant risk exposures facing the Company and regularly reviews, including at least annually, cybersecurity risks at its committee meetings. Cybersecurity risks are integrated into the broader company risk management system through our Information Security and Privacy Committee ("ISPC"), which is a subcommittee of our Enterprise Risk Committee (the "ERC"), is co-chaired by the Chief Information Security Officer and Chief Privacy Officer and consists of senior leaders across the company. The ISPC is charged with oversight, advisory, and decision-making responsibilities with respect to information security and privacy risks. T he Chief Information Security Officer is responsible for communicating cybersecurity risks, significant incidents, and key risk trends to the Audit Committee and Board of Directors . Our cybersecurity program, led by our Chief Information Security Officer, who reports to our Chief Risk and Compliance Officer, has a team of dedicated, experienced cybersecurity professionals responsible for day-to-day security operations and strategic cybersecurity programs. As of December 31, 2025, our Chief Information Security Officer and senior management team had over 30 years of combined experience in security risk management. All employees are responsible for protecting Western Union 's data and systems and are required to follow Western Union's cybersecurity policies. We maintain relationships with law enforcement, government agencies, forensic investigators, and legal counsel to inform our cybersecurity and data privacy programs. We and our third-party vendors have been, and continue to be, the subject of cybersecurity attacks and threats, including distributed denial of service and ransomware attacks. As of December 31, 2025 , none of these attacks or breaches has individually or in the aggregate resulted in any material liability to us or any material damage to our reputation, and disruptions related to cybersecurity have not caused any material interruption to our business, strategy, results of operations, or financial condition. However, cybersecurity threats continue to evolve in sophistication and frequency, and there can be no assurance that future attacks or disruptions will not have a material adverse impact on us. For a discussion of these risks, see "Item 1A-Risk Factors-Risks Relating to Cybersecurity, Third-Party Vendors, and Artificial Intelligence."

Company Information