NI Holdings, Inc. - (NODK)
10-K Filing Date: March 15, 2024
Cybersecurity risk is an important and evolving focus for the Company. The increased sophistication and activities of unauthorized parties attempting to access our systems is an ever-present risk. Cybersecurity risks may also arise from human error, fraud, or malice on the part of employees or third parties who have authorized access to our systems or information.
Our information security program is directly managed by a dedicated Director of Information Systems, whose team is responsible for enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes. Company employees are periodically required to affirm their understanding of several policies and standards, including those related to cybersecurity. Our cybersecurity strategy is primarily focused on network security, data security, vulnerability management, incident management, and disaster recovery. We utilize internal resources as well as third-party consultants and vendors to periodically conduct cybersecurity vulnerability testing, facilitate employee training, perform system assessments, and provide recommendations based on industry best practices.
The Director of Information Systems provides periodic reports to our ERMC related to cybersecurity risks and threats, the status of projects to strengthen our information security systems and controls, assessments of the information security program and related third-party service providers, and the emerging threat landscape. The ERMC provides oversight and support related to our cybersecurity program and consists of our Chief Executive Officer, Chief Financial Officer, Director of Information Systems, and other appropriate members of senior management who possess the relevant expertise to assess and manage cybersecurity risks as part of the broader enterprise risk management process. Periodic reports are also provided to appropriate members of senior management that include information regarding prevention, detection, mitigation, and remediation efforts related to cybersecurity incidents.
Our Chief Executive Officer and Director of Information Systems also provide periodic reports to the Audit Committee of the Board of Directors regarding ERMC activities and assessments, including those related to cybersecurity and cybersecurity incidents. The Audit Committee of the board oversees our risk management program, which focuses on the most significant risks we face in the short-, intermediate-, and long-term timeframes. Audit Committee meetings include discussions of specific risk areas throughout the year, including, among others, those relating to cybersecurity threats, and reports from management on our enterprise risk profile on an annual basis.
As of the date of this report, we are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. Refer to the risk factor captioned “Cyberattacks, security breaches, or similar events affecting the technologies and systems we rely on to operate our business and to maintain and protect sensitive Company and customer data could disrupt our operations, harm our reputation, and result in material losses” in Part I, Item 1A. “Risk Factors” for additional details regarding cybersecurity risks and potential impacts on our business.