SECURITY NATIONAL FINANCIAL CORP - (SNFCA)

10-K Filing Date: March 29, 2024
Item 1C. Cybersecurity

The Company maintains a strong information security program and systems (“Cybersecurity System”) to guard against unauthorized access, malicious software, corruption of data, disruption of its networks and systems and unauthorized release of confidential information. The Company’s Cybersecurity System is comprised of multiple layers of controls to reduce the risk of cybersecurity incidents.

Risk Management and Strategy

The Company’s Cybersecurity System includes administrative, technical, and physical safeguards and is designed to provide an appropriate level of protection to maintain the confidentiality, integrity and availability of the Company’s and its customers’ information. This includes protecting against known and evolving threats to the security of the Company’s systems and information, and against unauthorized access, compromise, or loss of data. The Cybersecurity System is managed centrally, so the same security controls, policies and procedures are implemented across the organization. The Company maintains cybersecurity policies including an Acceptable Use Policy that all system users sign to acknowledge that they understand their security responsibilities. All system users receive security awareness training which includes phishing attack simulation testing.

A key element of the Company’s Cybersecurity System is to mature the program to align with the Center for Internet Security (CIS) Critical Security Controls security framework. The CIS controls are designed based on real-world data about cyber-attacks, to ensure that the measures are effective against current threats. The framework provides a prioritized set of actions, which enables the Company to focus its efforts on the most effective defensive measures first. This prioritization helps in optimizing the use of resources for maximum impact on security. This strategy provides a structured and effective approach to cybersecurity, helping the Company to protect its assets, comply with regulations, manage risks, and improve its overall security posture.

The Company maintains cyber insurance coverage that may, subject to policy terms, conditions, and limitations, cover certain aspects of cybersecurity risks; however, such insurance coverage may be unavailable or insufficient to cover all losses or all types of claims that may arise in the continually evolving area of cyber risk.

Governance

The Company has established controls and procedures to escalate enterprise-level issues, including cybersecurity matters, to the appropriate management levels within its organization and to its Board of Directors, or members or committees thereof, as appropriate. The Company’s Board of Directors has oversight for enterprise risk management, including its approach to managing cybersecurity risk, and has delegated oversight responsibility of information security risks to its Audit Committee. Matters determined to present potential material impacts to the Company’s financial results, operations, and/or reputation are reported by management to the Company’s Board of Directors or its Audit Committee, as appropriate, in accordance with its escalation framework.

In addition, the Company has established procedures to ensure that management personnel are informed in a timely manner of known cybersecurity risks and incidents that may materially impact the Company’s operations and that timely public disclosure is made as appropriate. The Company’s Cybersecurity System is led by the Chief Information Officer (“CIO”) in collaboration with a third-party virtual Chief Information Security Officer (“vCISO”) and other third-party cybersecurity service providers, which in turn assist in monitoring the Company’s exposure from significant information technology suppliers, significant software-as-a-service providers and major vendors with access to the Company’s information technology systems. The Company’s CIO has 10 years of cybersecurity industry experience. Further, team members who support the Company’s cybersecurity program have relevant educational and industry experience through various roles involving information technology, security, auditing, compliance, systems, and programming, as well as cybersecurity certifications such as Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM). During the last three years, the Company has not experienced a material security breach and, as a result, the Company has not incurred any material expenses from such a breach. Furthermore, during such time, the Company has not been penalized or paid any amount under any information security breach settlement.
