INVESTORS TITLE CO - (ITIC)

10-K Filing Date: March 14, 2024
ITEM 1C. CYBERSECURITY

Cybersecurity Risk Management and Strategy

Our enterprise information security program is designed to detect, manage, mitigate, and respond to cybersecurity threats and is integrated into our overall risk management systems. The Company’s Chief Information Security Officer (“CISO”), in concert with a Data Security Committee, is responsible for developing and implementing our enterprise information security program and reporting cybersecurity matters to senior management.

18



Our risk management strategy encompasses a range of policies, procedures, and controls designed to safeguard our information assets. Key elements of our risk management and control framework include Information Technology (“IT”) policies and procedures, employee training, annual disaster recovery tests, and penetration tests performed by third-party experts. The Company has established robust IT policies and procedures governing the use, access, and protection of our digital assets. These policies serve as a foundation for secure operations, outlining best practices and compliance standards for our employees. The Company recognizes the crucial role of employees in maintaining a secure environment and conducts regular cybersecurity training programs. These initiatives are designed to empower our staff with the knowledge and skills necessary to identify and respond to potential threats, reducing the risk of human error in cybersecurity matters. To test the preparedness of our operations in the face of unforeseen events, the Company conducts annual disaster recovery tests. These tests evaluate our ability to recover critical systems and data in the event of a disruption, contributing to our overall business continuity and risk mitigation efforts. As part of our commitment to maintaining a strong defense against cyber threats, the Company engages third-party experts to conduct regular penetration tests on our network. These tests are intended to simulate real-world cyber-attacks, allowing us to identify vulnerabilities and address them proactively.

The Company’s planned investments in cybersecurity include implementing advanced data loss prevention measures, encryption protocols, and continuous monitoring to safeguard sensitive information and mitigate the risk of unauthorized access or disclosure. As part of the Company’s risk management strategy, it has secured comprehensive cyber insurance coverage. The Company regularly reviews and updates its cyber insurance coverage to align with the evolving nature of cyber threats and industry standards.

The Company’s IT systems have been, and likely will continue to be, the target of computer viruses, cyberattacks, phishing attacks, and other malicious activity. While the Company has not experienced a known material breach to date, the occurrence or scope of such events is not always immediately apparent and there can be no assurance that the Company will not suffer additional attacks or incur serious financial consequences or expense in the future. Refer to “Item 1A. Risk Factors” of this Annual Report on Form 10-K for further discussion of cybersecurity risks

Governance

The Company’s Board of Directors oversees the processes for risk management, including cybersecurity risks, to help align risk exposure with strategic objectives. Senior management, including our CISO, periodically briefs the Board of Directors on our cybersecurity framework and assessments of the information security program, key and emerging threats and risks, the status of projects to strengthen our information security systems, and any cybersecurity incidents that could potentially have a material business impact. In the event of an incident, the Company would follow a detailed incident response plan, which outlines the steps to be followed, including notification of senior management and the Board of Directors, as appropriate.

Our CISO has 25 years of experience in the cybersecurity and technology space. Our Data Security Committee is composed of key business and functional stakeholders to include Risk, Legal, Finance, IT, Operations, and Business line leads.