Cannae Holdings, Inc. - (CNNE)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
At Cannae, the board of directors oversees management’s process for identifying and mitigating risks, including cybersecurity risks. Senior leadership, including our Chief Information Security Officer ("CISO"), works diligently to identify, assess and manage material risks through our Enterprise Risk Management ("ERM") program. As part of that program, we conduct risk assessments to identify and assess our material business, operational and environmental risks and work with our management team to develop strategies and plans to mitigate and manage those risks, including cybersecurity risks related to the use of third-party service providers.
Our ERM program is overseen by a group of proficient individuals and is tailored to the unique structure of our business. As a holding company with a small group of highly qualified employees, we are well positioned to maintain operations in the event of a disaster or a material disruption to our information technology ("IT") infrastructure and networks. Our CISO has extensive information technology and program management experience, as do many of the employees in the information security group of our third-party provider. Our CISO, as well as others in our third-party provider's information security group, hold certifications such as the Certified Information Systems Security Professional ("CISSP") certification. Each of our various businesses separately maintains business continuity functions that adhere to the unique requirements of its business.
On an ongoing basis, management assesses the cybersecurity risks of Cannae and aligns its procedures and its audit plan with the identified and addressable risks. The underlying controls of the cyber risk management program are based on the recognized standards as outlined in the National Institute of Standards and Technology ("NIST") Cybersecurity Framework. We utilize a third party to manage our IT network and processes and our ERM personnel work directly with the provider on all aspects of the Company's IT infrastructure and cybersecurity risks. Risks are evaluated over various timeframes; however, the focus of management’s risk assessment is on risks to the long-term solvency and sustainability of the ongoing operations of Cannae. Risks with the potential for an adverse impact to the Company in the near term are prioritized to the extent they present a material risk to the financial viability of the Company.
We apply a comprehensive approach to the mitigation of identified security risks, including monitoring our third-party IT service provider and management of our unconsolidated affiliates. As a holding company with relatively low volumes of personnel and third-party data, we have established policies, procedures and controls, including those related to privacy, information security and cybersecurity, and we employ a broad and diversified set of IT risk monitoring and risk mitigation techniques tailored to the unique nature of our business, including threat and vulnerability management, security monitoring, identity and access management, phishing awareness, risk oversight, third-party risk management, disaster recovery and business continuity management.
In the event of a cybersecurity incident, we have established protocols for management's response to incidents and we regularly test those protocols with appropriate management personnel. Such protocols include an incident response playbook with the assessment of cybersecurity risks and procedures and hierarchies for escalating and reporting incidents to executive management, the board of directors, investors, government agencies and the general public.
The employees at our consolidated companies are the strongest assets in protecting information and mitigating risk. We monitor the security practices of our employees, including through training programs that focus on applicable privacy, security, legal and regulatory requirements and provide ongoing enhancement of their respective security and risk cultures. Our employees participate in annual information security training.
The Board administers its risk oversight function directly and through committees and our Board has a strong focus on cybersecurity. Our approaches to cybersecurity and privacy are overseen by the audit committee. At each regular meeting of the audit committee of our Board, management provides reports relating to existing and emerging risk at our companies, including, as appropriate, cyber and data security risks, and any security incidents. At least annually (or more frequently in the event of material changes to the Company) the update to the audit committee includes a summary of management’s complete reassessment of the Company’s risk and control environment identified through our ERM program. Our audit committee chairman reports on these discussions to our Board on a quarterly basis.
See Item 1A Risk Factors for discussion of material risks faced by the Company, including risks related to cybersecurity and IT.