Fidelity National Financial, Inc. - (FNF)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
We are highly dependent on information technology in the operation of our various businesses. Cybersecurity is an integral part of our operations and is a focus of all employees, including senior management, and our board of directors.
Risk Management and Strategy
We assess, identify and manage cybersecurity risks through various processes within our Enterprise Risk Management Program and Information Security Program. We focus on all areas of cybersecurity, including threat and vulnerability management, security monitoring, identity and access management, phishing awareness, risk oversight, third-party risk management, disaster recovery and continuity management. We have established policies, including those related to privacy, information security and cybersecurity, and we employ a broad and diversified set of cybersecurity risk monitoring and risk mitigation techniques. Internal audits, external audits, and self-assessments are conducted to assess the effectiveness and maturity of our Enterprise Risk Management Program and Information Security Program.
Our employees are one of our strongest assets in protecting our customers' information and mitigating cybersecurity risk. We maintain comprehensive and tailored training programs that focus on applicable privacy and cybersecurity requirements. Additionally, we make strategic investments in cybersecurity to protect our customers and information systems, including both capital expenditures and operating expenses for hardware, software, personnel and consulting services.
Our processes to assess, identify and manage cybersecurity risks, including cybersecurity risks related to the use of third-party service providers, are fully integrated into our Enterprise Risk Management Program. In some circumstances we use third-party service providers to provide expertise and to monitor utilization of specific cyber tools, and in certain cases, to supplement staffing services. Through our vendor risk management process, these vendors undergo various assessments such as financial, reputational, contractual and informational security. These assessments are performed to ascertain that these vendors meet our policy requirements relative to the services they perform on our behalf.
To further reduce the residual risk associated with cybersecurity, we maintain Miscellaneous Professional Liability Insurance, which provides coverage for cybersecurity incidents. The deductible limits on these policies are determined by a corporate insurance risk management group and executive management at least on an annual basis. This group determines appropriate coverage levels and deductibles for each policy based on tolerance and weighs the coverage against the premium for the policy.
Governance
Management's Role in Assessing and Managing Cybersecurity Risk
Our Corporate Information Security Group is led by our Chief Information Security Officer (CISO) who is responsible for our information security strategy. This strategy includes policy management, security engineering, identity and access management, vulnerability management and cyber threat detection and response through our Security Operations Center. Our CISO has extensive information technology and program management experience, as do many of our employees in our information security group. Our CISO, as well as others in our information security group, hold certifications such as the Certified Information Systems Security Professional certification. We believe cybersecurity is a shared responsibility throughout the organization and thus we also manage cybersecurity risks through a cross-functional committee of members of senior management known as the Enterprise Risk Steering Committee, which includes the CISO. The diversity of this group allows for identification of key enterprise risks from strategic, operational, financial, legal, information technology, and compliance perspectives. These individuals receive reporting on our cybersecurity programs and also participate in table-top exercises relating to potential security incidents. The CISO is also the primary point of contact for reporting information security incidents and for coordinating information security activities including incident response and digital forensics. Our CISO reports to our Chief Security Officer, who also has extensive experience in the information security space.
Board Oversight of Cybersecurity
Our board has a strong focus on cybersecurity. Our approaches to cybersecurity and privacy risk are overseen by the audit committee. At each regular meeting of the audit committee of our board of directors, our Chief Risk Officer, Chief Compliance Officer, Chief Security Officer, Chief Information Security Officer and Chief Audit Officer provide reports relating to existing and emerging cyber and data security risks, as well as reports on the Company's risk assessments and security incidents. Our audit committee chairman reports on these discussions to our board of directors on a quarterly basis. See Item 1A Risk Factors for discussion of material risks faced by the Company, including risks related to cybersecurity.
2023 Cybersecurity Incident
On November 19, 2023, we became aware of a cybersecurity incident that impacted certain of our systems. We promptly commenced an investigation, retained leading experts to assist the Company, notified law enforcement authorities, regulatory authorities and other stakeholders and followed our incident response plans. In addition, we took containment measures such as blocking access to certain of our systems resulting in varying levels of disruption to our businesses. The incident was contained on November 26, 2023.
We completed our forensic investigation on December 13, 2023. We determined that an unauthorized third party accessed certain of our systems, deployed a type of malware that is not self-propagating, and exfiltrated certain data. We have no evidence that any customer-owned system was directly impacted in the incident, and no customer has reported that this has occurred. The last confirmed date of unauthorized third-party activity in our network was November 20, 2023.
We have identified and analyzed the nature and scope of the affected systems and data. We have notified our affected customers and applicable state attorneys general and regulators, and approximately 1.3 million potentially impacted consumers; are providing credit monitoring, web monitoring, and identity theft restoration services; and are fielding questions from customers. We are continuing to coordinate with law enforcement, our customers, regulators, advisors and other stakeholders. We have been named as a defendant in several lawsuits related to this incident. The Company will vigorously defend itself against any litigation filed related to this incident.
At this time, we do not believe that the incident will have a material impact on the Company.