UPBOUND GROUP, INC. 10-K Cybersecurity GRC - 2026-02-23

Page last updated on February 23, 2026

UPBOUND GROUP, INC. reported its cybersecurity risk management and governance process in an annual 10-K filed on 2026-02-23 07:11:49 EST.

Filings

10-K filed on 2026-02-23

UPBOUND GROUP, INC. filed a 10-K at 2026-02-23 07:11:49 EST
Accession Number: 0000933036-26-000008


Item 1C. Cybersecurity.

We rely heavily on information systems to meet the operational and financial needs of our business. Therefore, we seek to continuously improve our approach to cybersecurity with the goal of ensuring the confidentiality, integrity and availability of our information resources and to reduce the risk of information loss by accidental or intentional modification, disclosure or destruction. We believe we devote appropriate resources to cybersecurity and risk management processes to adapt to the changing cybersecurity landscape and respond to emerging threats in a timely and effective manner.

The Cybersecurity and Privacy team, which maintains our cybersecurity function, reports to our Chief Technology Officer ("CTO"), who reports directly to our Chief Executive Officer. The Cybersecurity and Privacy team is led by our Chief Information Security Officer ("CISO"), who is responsible for developing and implementing our cybersecurity program and reporting on cybersecurity matters. The CISO reports to the Cybersecurity, Technology and Innovation Committee of our Board of Directors (the "Committee") at least three times per year. Our CISO has been a cybersecurity leader for more than 20 years, maintains appropriate security certifications, and has extensive experience in building and maintaining cybersecurity risk and compliance programs. The cybersecurity team includes members who also have various levels of cybersecurity experience and maintain relevant cybersecurity certifications.

The CISO implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security controls and technologies and ongoing scanning and testing of Company information systems by internal teams as well as third-party organizations to identify potential vulnerabilities.
To maintain knowledge of the latest developments in cybersecurity, evolving threat landscape, and cyber defense techniques, our CISO regularly attends cybersecurity related conferences and events hosted by cybersecurity experts, subscribes to cybersecurity threat intelligence communications and newsletters, and meets with cybersecurity vendors.

We have strategically integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. We regularly assess the cybersecurity landscape to holistically evaluate the threat of cybersecurity risks and seek to mitigate such risks through a layered cybersecurity strategy based on identification, protection, detection, incident response and recovery.

Our Enterprise Cybersecurity Policy includes guidance related to encryption standards, vulnerability management, identity management, end point malware protection, security awareness, remote access, multi-factor authentication, protection of confidential information and the appropriate use of the internet, social media, email and wireless devices. This policy is reviewed for updates annually and approved by appropriate members of management. All coworkers are required to acknowledge review of the policy and complete cybersecurity and privacy awareness training annually. We also provide coworkers with additional cybersecurity training through online offerings, company broadcasts and security awareness events.

The Committee was formed in December 2024 and is responsible for cybersecurity, technology and innovation oversight previously performed by the Audit and Risk Committee.
It is a committee of the Company's Board of Directors that actively participates in discussions with management regarding cybersecurity risks and receives periodic reports regarding the Company's cybersecurity program, which includes discussion of management's actions to identify and detect threats, remedy audit findings, and review enhancements to the Company's defenses and management's progress on implementing its cybersecurity strategy. In addition, the Committee reviews key cybersecurity risks at least three times per year to help ensure such risks are incorporated into the Company's Enterprise Risk Management framework. The Committee also meets at least three times per year in executive session with the Company's CISO. To assist with their oversight of the Company's cybersecurity programs and mitigation efforts as they relate to the broader cybersecurity landscape, our Committee periodically participates in cybersecurity awareness training or other educational events presented by third-party cybersecurity experts.

In addition to assessing our own cybersecurity preparedness, we also consider and evaluate cybersecurity risks associated with the use of third-party service providers. The cybersecurity program has been enhanced to help ensure that critical vendors and other third parties are risk assessed prior to being given access to the Company's information assets and networks. Additionally, processes are currently in place to review existing third-party access to systems that have a material impact on the financial statements of the Company.

Privacy is a critical pillar of the program and we routinely monitor evolving state and federal regulations to help ensure that our systems, networks, websites and applications remain compliant and that necessary controls are in place to protect the privacy of our coworkers and customers.
We also formed our Data and AI Governance Committee, which includes company executives, to address the risks of AI-based technology use on an ongoing basis. This committee meets on a quarterly basis.

In the event of a cybersecurity incident, we have developed and implemented a communication and disclosure framework, which includes processes for escalating communication of the event to members of our internal disclosure committee for assessment of materiality and disclosure, executive management team members, internal and external legal counsel, internal and external audit teams, and other internal stakeholders. Significant cybersecurity events and strategic risk management decisions would be directed to the Committee for additional comprehensive oversight of the Company's response measures and public disclosure of the event as appropriate. Despite our cybersecurity governance program, we cannot assure you that we will be able to effectively prevent, detect or respond to all cybersecurity incidents, which may have a material adverse impact on our reputation and our results of operations.


Company Information

Name: UPBOUND GROUP, INC.
CIK: 0000933036
SIC Description: Services-Equipment Rental & Leasing, NEC
Ticker: UPBD - Nasdaq
Website
Category: Large accelerated filer
Fiscal Year End: December 31