Page last updated on February 26, 2026
Cigna Group reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 12:08:31 EST.
Filings
10-K filed on 2026-02-26
Cigna Group filed a 10-K at 2026-02-26 12:08:31 EST
Accession Number: 0001739940-26-000006
Item 1C. Cybersecurity.
Cybersecurity Strategy and Risk Management
Cybersecurity is a core element of our enterprise risk management strategy. Safeguarding business information, intellectual property, and the data of customers, patients, employees and business partners is vital for operational continuity, regulatory compliance and sustaining stakeholder trust. Our comprehensive cybersecurity program is supported by policies and procedures designed to protect our systems and operations, as well as sensitive personal information and data, from foreseeable cybersecurity threats. Core to our security model is our defense-in-depth framework, comprising multiple layers of processes and technologies that help prevent, detect and respond to threats. Our approach to safeguarding against external threats incorporates a suite of preventive technologies, including malicious email blocking, defenses against automated attacks and multifactor authentication. Event monitoring technologies run continuously, detecting suspected intrusion attempts and alerting our Cybersecurity Incident Response Team. We undertake a number of critical security processes to mitigate and protect against cybersecurity risks, which include but are not limited to (i) identity and access management; (ii) security awareness and training; (iii) security operations and monitoring; (iv) change management; (v) disaster recovery/business continuity; (vi) intelligence feeds; (vii) physical security; (viii) third-party vendor security reviews; (ix) vulnerability management/patching; and (x) cybersecurity incident reporting. We routinely manage cybersecurity risks through a defined framework that includes activities aimed at the identification, assessment, treatment and monitoring of risks. Cybersecurity risk assessment results are used by senior management to make informed decisions about where to allocate resources to reduce cybersecurity risks and improve overall security posture.
We examine our entire program annually with third parties and measure the program against generally accepted industry standards and frameworks, such as an internationally recognized security control framework established by the NIST and used by companies to assess and improve their ability to prevent, detect and respond to cyberattacks. Our cybersecurity policies and standards are reviewed annually and are mainly guided by the NIST 800-53 Cybersecurity Framework. In addition to the NIST framework, we leverage the International Organization for Standardization 27001 and 27002 standards. To enhance our preparedness and practice our collective cybersecurity response capabilities, we conduct tabletop exercises with leaders, stakeholders, subject matter experts and certain executives. These events are developed in partnership with external security experts and designed to exercise and engage some of the most critical areas of cybersecurity incident response and preparedness through an interactive and evolving simulated scenario. In addition to these internal measures, the effectiveness of components of our overall cybersecurity program is frequently evaluated by external third parties, which includes work performed over various levels of control assessments for specific business lines and core processes. These include Health Information Trust Alliance ("HITRUST") for health care data security, PCI DSS for payment security, and System Organization Controls 2 ("SOC 2") for information security and related controls for specific business lines and core processes. We also perform an annual maturity assessment and benchmark our security controls to identify opportunities to strengthen our cybersecurity program. 
As part of our Global Threat Management Program, a dedicated Incident Handling Team, comprising both technical and management personnel, determines the severity of a validated cybersecurity event across the enterprise and is responsible for the development and ongoing maintenance of our comprehensive Global Incident Response Plan ("GIRP"). The GIRP is reviewed quarterly at a minimum but may be updated as needed based on lessons learned, changes in key teams or processes, or other circumstances as warranted, and the procedures therein are tested annually. The GIRP's incident handling procedures dictate our actions during each phase of an incident, including the assembly of a broad, cross-functional Computer Security Incident Response Team, the formulation of a response, and post-incident reviews and corrective actions. Our information protection department maintains a risk register that is used to manage cybersecurity risks associated with its business activities, technology assets, and its interaction with internal and external business, information technology and security parties. Cybersecurity risks are also periodically reviewed by Enterprise Risk Management to ensure appropriate oversight of cybersecurity risk management activities. Suppliers that access, host or transmit our data are contractually required to comply with our Security Policies and Standards. Additionally, suppliers may be subject to periodic security audits or risk assessments, which include security questionnaires, security capabilities and maturity assessments, controls evidence reviews, application vulnerability assessments, public internet presence monitoring, and alignment reviews with service-specific industry standards. Follow-up activities are performed as needed. Contracts with suppliers also include critical security requirements, such as right to audit, technology requirements and hiring practices, including background checks for those who have access to our network.
To further ensure supplier resilience and continuity, we regularly evaluate and assess our critical supplier relationships and business continuity plans, enabling us to quickly adapt and maintain operations in the event of prolonged disruption. As of the date of this report, we do not believe that any risks from any cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, future cybersecurity threats or incidents could materially affect us, including our business strategy, results of operations or financial condition. For more information on our cybersecurity-related risks, see Part I, Item 1A "Risk Factors - Operational Risks - As a large global health company, we and our vendors are subject to cyberattacks or other privacy or data security incidents. If we are unable to prevent or contain the effects of any such attacks, or fail to ensure vendors do the same, we may suffer exposure to substantial liability, reputational harm, loss of revenue or other damages."
Cybersecurity Governance
Our Board of Directors (the "Board") has ultimate oversight over our privacy and cybersecurity programs and strategy and is responsible for ensuring that we have risk management policies and processes in place to meet and mitigate evolving risks and threats. Certain members of our Board have cybersecurity certifications. Throughout 2025, the Board executed this oversight directly and through both the Audit Committee, for cybersecurity purposes, and the Compliance Committee, for privacy purposes. In these capacities, these committees were regularly briefed by the Global Chief Information Security Officer ("GCISO") and Chief Privacy Officer on cybersecurity and privacy matters.
These briefings were designed to provide visibility about the identification, assessment and management of critical risks, audit findings, and management's risk mitigation strategies. Additionally, these briefings included information about current trends in the environment, incident preparedness, AI, and various components of our cybersecurity and privacy programs. On an annual basis, the Board reviews our cybersecurity program, including the threat landscape and related controls, and periodically conducts cybersecurity tabletop exercises. Our dedicated cybersecurity team is led by our GCISO. Our current GCISO joined the Company in October 2023 and works closely with senior management to develop and innovate the cybersecurity and risk management strategies. Prior to joining the team, our GCISO held senior information security roles at other global organizations, where this individual defined information security strategies; built global information security programs; implemented cybersecurity capabilities that protect consumers, wholesale partners and brands; and oversaw the security of a global payment network, a corporate network and digital assets. Beginning in 2026, oversight of cybersecurity matters has transitioned to the Board's Finance & Technology Committee. The Finance & Technology Committee now receives similar updates on cybersecurity and information protection programs from the GCISO as described above. Throughout 2025, the Compliance Committee, now the Audit & Compliance Committee, oversaw privacy risks and related matters, including through regular updates from our Chief Compliance and Risk Officer.
Company Information
| Name | Cigna Group |
| CIK | 0001739940 |
| SIC Description | Hospital & Medical Service Plans |
| Ticker | CI - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |