Cigna Group - (CI)

10-K Filing Date: February 29, 2024
Item 1C. CYBERSECURITY
Cybersecurity Strategy and Risk Management
The Cigna Group’s comprehensive cybersecurity program is supported by policies and procedures designed to protect our systems and operations as well as the sensitive personal information and data of our clients and customers from foreseeable cybersecurity threats. This program is an integral component of our enterprise risk management program.
Core to our security model is our defense-in-depth framework, comprising multiple layers of processes and technologies that help prevent, detect, and respond to threats. Our approach to safeguarding against external threats incorporates a suite of preventive technologies, including malicious email blocking, defenses against automated attacks and multifactor authentication. These strategies act to proactively intercept and neutralize cyber threats to help ensure data remains secure within our environment. Event monitoring technologies run continuously, detecting suspected intrusion attempts and alerting our Cybersecurity Incident Response team. The Cigna Group undertakes a number of critical security processes to mitigate and protect against cybersecurity risks, which include but are not limited to:
Identity and Access Management. Employees are provided with the minimum amount of access required to perform their jobs using role-based access control methodology, which defines access to our information systems based on job function. Privileged or elevated access to our systems is subject to supplemental approval requirements, increased authentication processes, and additional logging and monitoring.
Security Awareness and Training. Events and education activities are hosted throughout the year, such as the Cybersecurity Awareness Month, expos, videos, training programs and frequent phishing simulations. The Cigna Group continuously trains workforce members on the importance of preserving the confidentiality and integrity of customer data. All new hires have mandatory information protection and privacy training as part of their onboarding, and all workforce members complete an annual cybersecurity refresh training.
Security Operations and Monitoring. Our operational monitoring processes provide valuable insight into the effectiveness of our security program. A centralized system collects security logs and performs event correlation that creates an alert if a trigger occurs. We review any deviations from our established targets and implement corrective actions.
Change Management. Changes to hardware, software, network components, and/or processes introduced into any production environments are managed by a formal change control process. These requests include the submission of required documentation as well as the business justification for the change.
Disaster Recovery / Business Continuity. These processes are designed to maintain service to our customers, providers and members through a wide range of adverse circumstances. Methods of recovery include rerouting business functions, relocating to an alternative site, independent “hot sites”, mobile recovery and work at home.
Intelligence Feeds. These are used to monitor the security industry for the latest global security threats, exposures and patches to help keep company servers current with the latest security service packs, patches and hot fixes.
Physical Security. Our physical security system is used to identify appropriate individuals, authorize entry and define the working areas to which they have access. Additional controls at our data centers include a combination of guard service, access keys and magnetic card systems.
Third-Party Vendor Security Reviews. Suppliers that have access to, host, or pass sensitive data are subject to a rigorous vendor security review which includes questionnaires, security controls and maturity assessments, inspection of evidence of compliance and remediation or acceptance of items identified during a Risk Assessment.
Vulnerability Management / Patching. Any discovered vulnerability is rated by severity and assigned a timeline for remediation. Patching activities are centrally managed with a focus on the identification, remediation, analysis and closure of vulnerabilities throughout the vulnerability management lifecycle.
Cybersecurity Incident Reporting. Our incident reporting protocol supports prompt and efficient response to cybersecurity threats. This includes links on our internal site listing globally accessible contact numbers for immediate incident reporting, a user-friendly phishing reporting tool in Outlook, and group email boxes that are monitored 24/7 for incident submissions.

We routinely manage cybersecurity risks through a defined framework that includes activities aimed at the identification, assessment, treatment and monitoring of risks. Cybersecurity risk assessment results are used by senior management to make informed decisions about where to allocate resources to reduce cybersecurity risks and improve overall security posture. We examine our entire program annually with third parties and measure the program against generally accepted industry standards and frameworks, such as an internationally recognized security control framework established by NIST and used by companies to assess and improve their ability to prevent, detect and respond to cyberattacks. Our cybersecurity policies and standards are reviewed annually and are mainly guided by the NIST 800-53 Cybersecurity Framework. In addition to the NIST framework, we leverage the International Organization for Standardization ("ISO") 27001 and 27002 standards. NIST and ISO standards are internationally accepted and provide best practice recommendations for initiating, implementing, and maintaining information security management systems. Cigna's Information Protection policies and standards are informed by the NIST 800-53B moderate-level security control baseline requirements. This includes a myriad of NIST controls and control enhancements that are mapped to Cigna Information Protection policies, standards and the control library.

To enhance our preparedness and practice our collective cybersecurity response capabilities, we conduct tabletop exercises developed in partnership with external security experts. These events are designed to exercise and engage some of the most critical areas of cybersecurity incident response and preparedness through an interactive/evolving, simulated scenario. This exercise provides an opportunity for us to test our response procedures, escalation and communication protocols, roles and responsibilities, legal/privacy considerations and key decision-making processes, in a safe and controlled environment. The participants in these exercises include leaders, stakeholders, subject matter experts and certain executives.

In addition to these internal measures, the effectiveness of components of our overall cybersecurity program is frequently evaluated by external third parties, separate from the work of our independent registered public accounting firm and the scope of internal control over financial reporting. This includes work performed over various levels of controls assessments for specific business lines and core processes. These include Health Information Trust Alliance ("HITRUST") for health care data security, Payment Card Industry Data Security Standard (PCI DSS) for payment security, and System and Organization Controls (SOC) 2 for information security and related controls. We also perform an annual maturity assessment and benchmark our security controls to identify opportunities to strengthen our cybersecurity program.

As part of our Global Threat Management Program, a dedicated Incident Handling Team, comprising both technical and management personnel, determines the severity of a validated cybersecurity event across the enterprise and is responsible for the development and ongoing maintenance of our comprehensive Global Incident Response Plan ("GIRP"). The GIRP is reviewed quarterly at a minimum but may be updated as needed based on lessons learned, changes in key teams or processes, or other circumstances as warranted. Within the GIRP, incident handling procedures dictate actions during each phase, which include communications, actions to be performed, methods of operation and contingencies for unanticipated outcomes. Using industry best practices and continuous improvement principles, we validate strategies, document business recovery plans, and test these procedures enterprise-wide annually. Upon the discovery of an incident, a broad cross-functional Computer Security Incident Response Team is assembled, which may include but is not limited to experts from key business, technology, legal, privacy and finance sectors, to collaboratively assess the impact and materiality in order to execute a comprehensive and informed response. After an incident is contained, a thorough review is performed to determine if any existing detective or preventative controls were bypassed, or if there was a delay in detection or response. This review, which includes members from our internal audit team, drives the implementation of corrective actions to enhance and strengthen the effectiveness of our prevention, detection, and incident response controls, as applicable.

Cigna Information Protection ("CIP") maintains a risk register that is used to manage cybersecurity risks associated with its business activities, technology assets, and its interaction with business, Information Technology ("IT"), and security parties, both internal and external. Cybersecurity risks are also periodically reviewed by Enterprise Risk Management ("ERM") to ensure appropriate oversight of cybersecurity risk management activities.

Suppliers that have access to, host, or transmit The Cigna Group data are contractually required to comply with our Security Policies and Standards. Additionally, suppliers may be subject to periodic security audits or risk assessments, which include security questionnaires, security capabilities and maturity assessments, controls evidence reviews, application vulnerability assessments, public internet presence monitoring, and alignment reviews with service-specific industry standards (e.g., NIST, ISO, HIPAA, and Payment Card Industry standards). Follow-up activities are performed as needed to discuss observations, track issues and ensure remediation plans are completed to maintain compliance. Contracts with suppliers also include critical security requirements including right to audit, technology requirements, key performance metrics and service levels, and hiring practices including background checks for those who have access to The Cigna Group's network.

As of the date of this report, we do not believe that any risks from any cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. That said, as discussed more fully under Part 1, Item 1A. "Risk Factors – Strategic and Operational Risks – As a large global health company, we and our vendors are subject to cyberattacks or other privacy or data security incidents. If we are unable to prevent or contain the effects of any such attacks, or fail to ensure vendors do the same, we may suffer exposure to substantial liability, reputational harm, loss of revenue or other damages," the sophistication of cybersecurity threats continues to increase, and the preventative actions we take to reduce the risk of cybersecurity incidents and protect our systems and information may become insufficient. Accordingly, no matter how well designed or implemented our controls are, we will not be able to anticipate all attacks of these types, and we may not be able to implement effective preventive measures against such security breaches in a timely manner.

Cybersecurity Governance

The Cigna Group’s Board has ultimate oversight over the Company’s privacy and cybersecurity programs and strategy and is responsible for ensuring that the Company has risk management policies and processes in place to meet and mitigate evolving risks and threats. Certain members of the Board have cybersecurity expertise, including certifications. The Board executes this oversight directly and through both the Audit Committee, for cybersecurity purposes, and the Compliance Committee, for privacy purposes. In these capacities, these committees are regularly briefed by the Global Chief Information Security Officer ("GCISO") and Chief Privacy Officer on cybersecurity and privacy matters. These briefings are designed to provide visibility about the identification, assessment, and management of critical risks, audit findings, and management’s risk mitigation strategies. Additionally, these briefings include information about current trends in the environment, incident preparedness, artificial intelligence and various components of the Company’s cybersecurity and privacy programs. Annually, the full Board reviews the Company’s cybersecurity program, including the threat landscape and related controls and periodically conducts cybersecurity tabletop exercises.

The Cigna Group’s dedicated cybersecurity team is led by our GCISO. Our current GCISO joined Cigna in October 2023 and works closely with senior management to develop and innovate the cybersecurity strategy and risk management. Prior to joining the team at The Cigna Group, our GCISO held senior information security roles at other global organizations where this individual defined information security strategies, built global information security programs, implemented cybersecurity capabilities that protect consumers, wholesale partners and brand, and oversaw the security of a global payment network, a corporate network and digital assets.