DONEGAL GROUP INC - (DGICA)

10-K Filing Date: March 06, 2024

Item 1C. Cybersecurity.

Our insurance subsidiaries utilize the information systems Donegal Mutual maintains. Donegal Mutual has a robust information security program in place as a component of the enterprise-level risk management program of Donegal Mutual and us. The integration of Donegal Mutual’s information security program into the enterprise-level risk management program is intended to promote the inclusion of cybersecurity considerations in decision-making processes throughout Donegal Mutual. Donegal Mutual has implemented multiple layers of cybersecurity systems and related defensive measures that are intended to assist with assessing, identifying and managing material risks from cybersecurity threats to Donegal Mutual’s information systems. Examples of these systems and measures include firewalls, data encryption, intrusion detection and prevention systems, endpoint detection and response systems, data-loss prevention systems and multi-factor authentication requirements for remote and privileged access. Donegal Mutual also regularly evaluates the effectiveness of its information security program through enterprise risk assessments.

Donegal Mutual also requires annual cybersecurity awareness training for all employees who serve Donegal Mutual and our insurance subsidiaries. Donegal Mutual expects all employees to assist in safeguarding its information systems and to assist in the discovery and reporting of cybersecurity incidents. This enterprise-wide program is intended to identify and assess internal and external cyber and information security risks that may threaten the security or integrity of the information stored on Donegal Mutual’s information systems or those of third-party providers from unauthorized access, use or other malicious acts.

Donegal Mutual employs a third-party security operations center that provides after-hours alert services to help ensure continuous monitoring for cybersecurity threats. On an annual basis, Donegal Mutual also engages third-party cybersecurity consultants to perform cyberattack and penetration testing on its information systems and to conduct tabletop exercises to enhance preparedness of its crisis management team. This crisis management team includes technical and senior-level management personnel, and the exercises are intended to help maintain their readiness by reviewing the roles they will be expected to perform and the procedures they will be expected to follow in the event of a cybersecurity incident. These consultants advise Donegal Mutual on the effectiveness of its cybersecurity processes and assist Donegal Mutual in remediating any identified vulnerabilities and implementing any recommended measures to improve its cybersecurity defenses and readiness.

In addition to monitoring cybersecurity threats to Donegal Mutual’s information systems and information technology infrastructure, Donegal Mutual and we also assess and monitor the information security posture of third-party service providers whose services we deem critical to our operations. This process is designed to help Donegal Mutual’s information security personnel identify and mitigate risks related to data breaches or other cybersecurity incidents originating from third-party service providers in order to better protect Donegal Mutual’s information systems and information technology infrastructure.

Donegal Mutual and we are not aware of any cybersecurity incidents or risks from cybersecurity threats that have materially affected, or are reasonably likely to affect, our business strategy, results of operations or financial condition. While Donegal Mutual maintains cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. For more information regarding the risks Donegal Mutual and we face from cybersecurity threats, see “Risk Factors - Risks Relating to Us and Our Business.”

Donegal Mutual employs an information security officer who has relevant experience and expertise in information security and holds the management position that is primarily responsible for assessing and managing cybersecurity risks. In addition, the chief risk officer of Donegal Mutual and us has extensive experience in the field of risk management, which is helpful for developing and executing Donegal Mutual’s information security program in a manner that aligns with the overall enterprise-level risk management program of Donegal Mutual and us.

In connection with carrying out their overall oversight responsibilities, the boards of directors of Donegal Mutual and us have delegated certain cybersecurity oversight responsibilities to the joint audit committee of those boards. The joint audit committee meets at least quarterly and is central to the boards’ oversight of cybersecurity risks. The joint audit committee actively monitors these risks in order to assist in coordinating prevention and mitigation efforts by, among other things, participating in risk management committee meetings and receiving quarterly reports from the chief risk officer of Donegal Mutual and us on cybersecurity risks and related matters. Donegal Mutual’s information security officer also provides an annual cybersecurity report to the boards of directors of Donegal Mutual and us. The annual cybersecurity reports encompass a broad range of topics, including types of threats and attempted infiltrations, applicable regulatory developments, information security program activities and planned cybersecurity enhancements to address emerging threats.

Donegal Mutual and we also maintain a risk management committee that is comprised of our shared executive officers and other key management personnel. This committee meets quarterly and is responsible for our enterprise risk strategy and management, which includes identifying, assessing, addressing and monitoring cybersecurity risks. Donegal Mutual’s information security officer provides quarterly updates to the risk management committee. Those updates include current cybersecurity issues and trends and any relevant information related to the prevention, detection, mitigation and remediation of cybersecurity incidents.
