ICC Holdings, Inc. - (ICCH)
10-K Filing Date: March 28, 2024
The Company manages risks through a multi-faceted approach. Steps include outlining guidelines for data access, usage, and protection; ongoing security training and awareness programs for employees; implementation of strong authentication techniques, including multi-factor authentication (MFA); regularly updating and patching software and systems to mitigate vulnerabilities; conducting cybersecurity audits; and working closely with cybersecurity specialists to stay informed about emerging threats and trends and to implement multi-layered protections.
The Company assesses and reports on any findings quarterly at both an internal and external Enterprise Risk Management (ERM) meeting. Our approach to managing cybersecurity risk aligns with the five key functions contained within the COBIT Framework:
• meeting stakeholder needs;
• covering the enterprise end to end;
• applying a single integrated network;
• enabling a holistic approach; and
• separating governance from management.
Currently, the Company has not been materially impacted from an operational or financial perspective by cybersecurity threats. Cybersecurity is a rapidly evolving area, and the Company takes great efforts to mitigate any adverse impacts; however, the Company cannot guarantee that it will not be subject to cybersecurity attacks. See Item 1A, Risk Factors, for more information.
Our Board provides oversight for cybersecurity risks primarily through its ERM committee. The Company's Chief Information Officer (CIO) provides information quarterly to the ERM committee on cybersecurity risks. The CIO has 30 years of experience in technology both on the company and consulting sides and a B.A. in Economics.
Management oversight of cybersecurity risks is provided through the Company's internal ERM committee, which is comprised of executive management and our Director of Actuarial Services. The ERM committee has identified numerous risk attributes and developed risk control reports that identify drivers, characteristics, stress testing levels, potential mitigation efforts, or risk appetite, and any reaction in response to a breach. The ERM committee meets quarterly to review and update risk limit grids, current estimates relative to pre-defined acceptable levels, and make adjustments as needed.
The Company's Networking department, which reports up to the CIO, is responsible for the day-to-day monitoring of cybersecurity risks. Mitigation efforts are executed, if necessary, to cope with the impact of a cybersecurity incident. The Company is finalizing its Cybersecurity Incident Response Plan and anticipates it being available in early April 2024. We anticipate it will provide a framework for the identification, evaluation, and escalation of potential cybersecurity events.
The CIO routinely engages third-party cybersecurity consultants to conduct network security audits. The Company also engages other third-party consultants in a number of areas to support the assessment, identification, and management of cybersecurity risks, including risk assessments, log monitoring, threat intelligence, system penetration testing, and incident response, among others.
The Company performs cybersecurity due diligence and monitoring of third-party vendors, which includes a security questionnaire to identify the cybersecurity controls and protections maintained by a third party. Lastly, the Company requires that all employees participate in monthly training videos that are geared toward identifying potential cybersecurity threats.