UNITED FIRE GROUP INC - (UFCS)
10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY
Overview
We recognize the importance of assessing, identifying, and managing risks associated with cybersecurity threats. Our cybersecurity risks are identified and addressed through a comprehensive, cross-functional approach that develops strategies for preserving the confidentiality, integrity and availability of Company and customer information; identifies, prevents and mitigates cybersecurity threats; and responds effectively to cybersecurity incidents.
Oversight
Cybersecurity risk oversight is a focus area of our Risk Management Committee and the full Board of Directors. The Risk Management Committee's charter requires it to assist the Board of Directors in identifying and evaluating risks inherent in our business and to oversee and review the significant policies, procedures, and practices employed to manage risks. The Risk Management Committee receives a quarterly cybersecurity update from the Chief Administrative Officer, which is shared with the full Board of Directors. The Board of Directors discusses cybersecurity matters and risks on a quarterly basis or more frequently, as needed, at the recommendation of the Risk Management Committee.
The Company's executive enterprise risk management committee (the "Executive ERM Committee") is tasked with, among other responsibilities, identifying and evaluating operational risks, which includes risks associated with information technology and cybersecurity. The Executive ERM Committee includes senior leaders across business functions, including the Chief Executive Officer, Chief Operating Officer, Chief Financial Officer, Chief Legal Officer, Chief Risk Officer and Chief Administrative Officer. The Executive ERM Committee, as part of its comprehensive risk management duties, discusses Company strategies to prevent cyber-attacks and the Company's response and remediation of threats. The Chief Administrative Officer provides a quarterly report to the Risk Management Committee that summarizes cybersecurity risks, relevant events and other items of note identified by management or the Executive ERM Committee. The Executive ERM Committee meets independently of the Risk Management Committee, with a representative from the Risk Management Committee in attendance. Certain members of the Executive ERM Committee are invited to attend and participate in meetings of the Risk Management Committee.
In addition, we maintain internal working groups called "corporate risk register groups" dedicated to assessing and managing the various ERM risks facing the Company. There are two corporate risk register groups that relate to cybersecurity risk: Cyber Incident Prevention and Cyber Incident Recovery; the Chief Administrative Officer is the leader of both of these risk register groups. The Chief Administrative Officer likewise serves on the Business Continuity Team as the business continuity technology lead, a role in which she comprehensively evaluates IT system readiness and preparedness should a business continuity event involving cybersecurity or technology interruption occur.
The lead management team member responsible for cybersecurity matters is the Chief Administrative Officer, who has 20 years of experience in information technology and a B.A. in Management Information Systems. She is assisted by the Information Security Manager and the Assistant Vice President and Senior Corporate Counsel for Privacy and Governance.
Cybersecurity Program
We have adopted a Written Information Security Program (WISP) designed to align with the guidelines recommended by the National Institute of Standards and Technology (NIST). We have made ongoing improvements to our information security program, specifically in the implementation of secure remote access solutions with multifactor authentication, next-generation endpoint detection and remediation, cloud-based security controls, automated scanning and outside validation of security controls. Additionally, we require employees to complete cybersecurity training at least annually. When a specific cyber threat is identified, we may create additional trainings with targeted content for our employees. As part of our efforts to manage our cybersecurity risks, we have engaged an independent firm to assist with conducting penetration tests and to provide advice on our information security program. We also carry insurance to mitigate losses from cyber events.
We have processes in place to oversee and identify risks from cybersecurity threats associated with our use of third-party service providers. All proposed third parties are subject to a preliminary assessment to identify those that may handle or have access to company information and to scope appropriate due diligence activities relating to the engagement. Third parties that may handle or have access to company information are subject to enhanced due diligence procedures prior to onboarding and to security risk assessments at the time of onboarding, contract renewal, and upon detection of an increase in risk profile. We use a variety of inputs in such risk assessments, including information supplied by third parties and information obtained through other channels. In addition, we require our providers to adhere to appropriate security requirements and controls, and we investigate security incidents that have impacted our third-party service providers, as appropriate.
We have established comprehensive incident response and recovery plans and continue to regularly test and evaluate the effectiveness of those plans. Our incident response and recovery plans address – and guide our employees, management and the Board of Directors on – our response to a cybersecurity incident, including the requirements of notification, classification, analysis and communication of cybersecurity incidents based on the identified severity level. The Executive ERM Committee regularly reviews and evaluates the corporate incident response plan and business continuity plan.
Cybersecurity Threats
To date, we have not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected, or are likely to materially affect, us, our business strategy, results of operations or financial condition. Refer to "Item 1A. Risk Factors" in this Annual Report on Form 10-K for additional discussion about cybersecurity-related risks.