KINGSWAY FINANCIAL SERVICES INC - (KFS)

10-K Filing Date: March 05, 2024
Item 1C. Cybersecurity

 

Identifying, assessing, and managing material cybersecurity risks is an important component of our overall enterprise risk management program.

 

Given our company structure, the management of cybersecurity risks involves coordination between the parent company and our subsidiaries. Senior IT leadership at the parent company and each subsidiary are responsible for developing cybersecurity programs appropriate for their respective entities, including as may be required by applicable law or regulation. The parent company has issued an IT policy that is required to be adhered to by each subsidiary, and such policy is reviewed and updated annually. It is the responsibility of each subsidiary to communicate any items required by the IT policy to the parent company.

 

The parent company and each of our subsidiaries are responsible for assessing and identifying material risks from cybersecurity threats, as each entity has their own unique IT infrastructure. However, based on experience, cybersecurity threats, including those resulting from any previous cybersecurity incidents, have not materially affected our Company and are not reasonably likely to materially affect our Company, including our business strategy, results of operations, or financial condition.

 

We have various processes for managing and mitigating risks from cybersecurity threats:

 

 

We have an employee education program that is designed to raise awareness of cybersecurity threats to reduce our vulnerability as well as to encourage consideration of cybersecurity risks across functions.

 

Our IT policy requires minimum password lengths and for passwords to be changed on a regular basis. We maintain back-ups and disaster recovery plans to restore our information in the event of an incident.

 

In some locations, we may use third-party IT providers to assist with maintaining our IT structure, including cybersecurity monitoring and testing.

 

Governance

 

Our Board of Directors plays an important role in our risk oversight and discharges its duties both as a full board and through its committees. Our Board of Directors has assigned oversight of cybersecurity risk management to the Audit Committee.

 

The Audit Committee receives reports from senior management of any cybersecurity incidents that may have occurred at the parent company or any of its subsidiaries. If material, the Audit Committee will bring it to the attention of the Board of Directors as promptly as practicable. If not material, the Audit Committee will bring it to the attention of the Board of Directors at its next regularly scheduled meeting.

 

Senior management (currently the Chief Financial Officer) receives reports from IT leadership at the parent company and each subsidiary. These individuals’ expertise in IT and cybersecurity generally has been gained from a combination of education, including relevant degrees and/or certifications, and prior work experience.

 

Information regarding cybersecurity risks and incidents may be elevated to senior leadership through a variety of different channels, including discussions between or among subsidiary and parent company management. It is the responsibility of each subsidiary to communicate any items required by the IT policy to the parent company.

 

15

KINGSWAY FINANCIAL SERVICES INC.