CITIZENS, INC. - (CIA)
10-K Filing Date: March 14, 2024
Item 1C. CYBERSECURITY
Like other firms in the financial services sector, insurers like us are particularly vulnerable to cybercrime due to our large amounts of customer data. Insurance-related data is particularly interesting to cybercriminals because of its inherent confidentiality. Often linked to policyholders, sensitive data helps insurers customize their policies, products, and prices for each client. The scope of personally identifiable information and sensitive data processed by insurers puts the industry at increased risk of cybercrime. Cyber attacks can lead to the loss of confidential data, business, and reputation. Additionally, business disruption through cyber incidents is also a major problem for insurance companies, which need to react quickly to fulfill their contracts and maintain the trust of their clients. Because of the risks posed to our business and customers, we have developed robust processes for assessing, identifying and managing our cybersecurity threats.
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats. Cybersecurity risks related to our business, technical operations, privacy and compliance issues are identified and addressed through a multi-faceted approach including third-party assessments, IT security, and external audits. Cybersecurity risks are integrated into our overall enterprise risk management process. To defend against, detect and respond to cybersecurity incidents, we, among other things, perform penetration testing using external third-party tools and techniques to test our security controls, and we conduct employee training.
We have implemented incident response and breach management processes which have four overarching and interconnected stages: 1) preparation for a cybersecurity incident, 2) detection and analysis of a security incident, 3) containment, eradication and recovery, and 4) post-incident analysis. Such cybersecurity incident responses are overseen by leaders from our Information Security, IT, Finance, Compliance and Legal teams.
Security events and data incidents are evaluated, ranked by severity and prioritized for response and remediation. Incidents are evaluated to determine materiality as well as operational and business impact, and reviewed for privacy impact. We also conduct tabletop exercises to simulate responses to cybersecurity incidents.
Our risk management program also assesses third-party risk: we perform third-party risk management assessments to identify and mitigate risks from vendors, suppliers, and other business partners associated with our use of third-party service providers. Cybersecurity risks are evaluated in the selection and oversight of third-party service providers that handle and/or process our employee, business or customer data. In addition to new vendor onboarding, we perform periodic ongoing security reviews of our critical vendors.
December 31, 2023 | 10-K 24
We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “Cybersecurity and Technology Risks” included as part of our risk factor disclosures at Item 1A - Risk Factors - of this 10-K.
While we have devoted significant financial and personnel resources to implementing and maintaining the security measures described above, and to meeting regulatory requirements and customer expectations, there can be no guarantee that our policies and procedures will be properly followed in every instance or that they will be effective. Although our Risk Factors include further detail about the material cybersecurity risks we face, cybersecurity incidents have not materially affected our business to date. We can provide no assurance that there will not be incidents in the future or that they will not materially affect us, including our business strategy, results of operations, or financial condition.
Cyber Governance.
Cybersecurity is a key element of the Company's enterprise risk management (ERM). Identification and management of the Company's key risks, including cybersecurity, starts with the executive management team, which is responsible for identifying key strategic, insurance, financial, regulatory and operational risks to the Company and managing them on a day-to-day basis. Because of the importance of cybersecurity, the Company has a Chief Information Security Officer ("CISO") who is primarily responsible for managing our cybersecurity risk in conjunction with our Vice President of Information Technology. Our CISO is informed about and monitors prevention, detection, mitigation, and remediation efforts through regular communication and reporting from employees on the information technology team, through the use of technological tools and software, and through the results of third-party audits. We have an escalation process in place to inform senior management and the Board of Directors of material issues.
Our CISO has served in that position since 2018 and is an experienced security leader with over 20 years' experience. In addition to his current role, our CISO has led security and IT audit functions at healthcare technology and population health organizations. His experience includes work in the fields of security, application development, and internal audit at a Fortune 100 company. Our CISO is a Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), and a member of the ISACA and ISSA organizations. He received his bachelor's degree from Middle Tennessee State University and served in the United States Marine Corps. Additionally, Gerald W. Shields, our CEO and a member of the Board, has experience in assessing and managing cybersecurity risk and, in addition to his former roles as Chief Information Officer at several companies, he has a Cyber Security Oversight Certificate from Carnegie Mellon Institute.
Our Audit Committee Charter tasks this committee with oversight of the Company's major enterprise risk exposures, including risks related to cybersecurity, and the steps management takes to monitor and control such exposures. The Audit Committee holds its regular meetings on a quarterly basis and at each of those meetings receives an information security update report from the Company's CISO, which includes cybersecurity events that may have impacted the Company as well as an overview of the Company's security program and efforts to prevent, detect, mitigate, and remediate issues. The CISO also attends the regularly scheduled Board meetings to give his information security report to all members of the Board.