Cybersecurity

Every year, 36 million people trust United to fly them to over 330 global destinations. To build upon that trust and protect United’s customers, employees, and operations, United is focused on ensuring technology, systems, and processes are robust against cyber threats, which continue to evolve.

The importance of cybersecurity

The evolution of cyber threats, the pandemic, and digital transformation at United has accelerated our roadmap to further strengthen our approach to cybersecurity.

Within the last two years we have transformed our capabilities, teams, processes, and technology, including the establishment of a Cybersecurity and Digital Risk Organization, sponsored by United’s leadership team, to protect our operations, customers, and their data.

Managing cybersecurity

United’s Chief Information Security Officer oversees United’s approach to managing cybersecurity and digital risk. This officer is supported by the Company at the highest levels, and regularly engages with cross-functional teams at the Company, including Digital Technology, Legal, Audit, Human Resources, Facilities and Corporate Risk.

The Board and the Audit Committee also regularly review the Company’s management of cybersecurity and digital risk. Both receive reports from United’s Chief Information Security Officer at least twice annually regarding matters such as United’s adherence to leading industry standards, the progression of United’s cybersecurity maturity and compliance efforts related to emerging cybersecurity regulations.

Our approach

United’s Cybersecurity and Digital Risk organization established our risk-based approach using guiding principles from well-regarded cybersecurity and risk management frameworks published by the National Institute of Standards and Technology. We take a risk-based approach with baseline security controls for all systems with additional controls for more critical systems and processes. Our approach is built around the following five pillars.

PILLAR 1. Protect and Defend United’s Critical Assets, Data and Operations

We recognize the importance of protecting the confidentiality, integrity, and availability of data, systems, and assets, and maintaining a cyber-resilient business operation.

United has established certain cybersecurity policies and standards to achieve a baseline set of controls to protect and defend against cyber threats. Aligned with those policies and standards we have deployed technologies and processes to enhance our protections. We regularly review our policies, standards, and technologies to ensure we’re appropriately managing risks and maintaining compliance.

PILLAR 2. Reduce and Mitigate United’s Cybersecurity, Digital and Technology Risks

We are continuing to enhance awareness and foster the appropriate culture at United, as well as operationalize the necessary framework and processes to mitigate cybersecurity and digital risks.

We conduct risk assessments, develop mitigation strategies, and continuously evolve our program, which includes awareness and education programs, social engineering prevention and regular communications and updates throughout the organization. As improvements are made, they are integrated into key business-as-usual operational processes, with risks allocated to business owners for ongoing management and monitoring.

PILLAR 3. Evolve Best-in-Class Cybersecurity and Digital Risk Capabilities

We are leveraging technology and investing in continually improving our teams to deliver capabilities, which enable United to excel at managing evolving cyber threats and support our core business.

We are building secure technology solutions, including for cloud, mobile, and big data. We use vulnerability detection and remediation to maintain a secure technology infrastructure, and enhance our ability to detect attacks with a best-in-class Cybersecurity Defense Center. We regularly review and test our Crisis Management and Incident Response Plans. We are optimizing the use of threat intelligence and developing a capable and competent technology risk workforce, which includes cybersecurity professionals across a variety of subspecialties.

PILLAR 4. Ensure Cyber-Resilient Business Operations

We recognize the importance of being able to withstand and recover from adverse conditions, attacks, or compromises of systems. We regularly refine our resiliency through drills and have contingency plans in place to ensure resiliency across much of the enterprise, including data backups, disaster recovery, and other initiatives. We also collaborate with industry to increase the resiliency of the aviation sector more broadly and engage with regulators to shape sensible regulation that will strengthen cybersecurity in aviation.

PILLAR 5. Enable Business Outcomes and Growth Through Secure Digital Solutions

We believe cybersecurity should help facilitate business outcomes, not complicate them. We aim to reduce the risk profile of our digital products to enable our business and our customers to do things they couldn’t do before. We seek to create security capabilities to enhance the customer experience, reduce cyber fraud, and better manage risk across United’s ecosystem.

Data protection

We strive to be good stewards of data, including confidential and sensitive data. We maintain a publicly-facing policy governing privacy and employ certain best practices when granting access to systems and data. We have multi-layered platforms and processes to protect data, including where applicable, multi-factor authentication, private and third-party network security and firewalls, strong encryption, and security logging.