GLOBE LIFE INC. - (GL)
10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We have implemented a comprehensive Enterprise Risk Management (“ERM”) process to identify, assess and manage risks related to our overall organization, including material risks from cybersecurity threats. Our ERM process takes a holistic view of our specific risks and our strategy to anticipate and manage possible risks. Our Executive Vice President, General Counsel and Chief Risk Officer (“CRO”) oversees our ERM program and execution of our risk strategy, including as it relates to cyber risk. The Chief Information Security Officer ("CISO"), who reports to the CRO, leads our cyber risk management and strategy and the Information Security Department.
Our cyber risk management and information security strategy includes elements to identify threats, assess risks, implement protective controls, detect attempts from threat actors to compromise the confidentiality, integrity, and availability of information and information systems, respond to those events and ultimately recover from incidents. We use a threat-based approach to identify and assess cyber risks. This approach includes membership in threat intelligence organizations such as the FS-ISAC (Financial Services Information Sharing and Analysis Center) to identify standard and emerging cyber-threats to financial services organizations and specifically to insurance companies. We also monitor for threats through vendor alerts, manufacturer bulletins, and government advisories.
Identified threats are analyzed using a recognized risk assessment model to consistently assess the likelihood and impact of these threats. We then map these threats to a well-established industry model called MITRE ATT&CK to identify areas of vulnerability. This analysis produces a likelihood score that is used in conjunction with an impact analysis to calculate the preliminary level of risk. The impact analysis includes factors such as disruption to business operations, employee and customer data, legal issues, reputational harm, and regulatory compliance. Based on the preliminary level of risk, we also analyze compensating controls and other factors to arrive at a residual risk level. If appropriate, additional mitigations may be planned based on this risk level.
We manage identified cyber risks by designing and implementing information security policies and controls addressing a wide range of current cyber threats. These policies and associated standards are designed to comply with current applicable legal and regulatory requirements and align with recognized frameworks for cybersecurity risk management. We review and update these policies and controls regularly in order to confirm ongoing alignment with the constantly changing threat landscape and evolving compliance requirements.
We assess the effectiveness of our policies and controls internally as well as through the engagement of third parties to conduct regular reviews, penetration tests, and vulnerability scans of information systems and applications. Results from these assessments help inform updates to risk assessments, changes to security controls and processes, and updates to policies and standards as appropriate. We employ a variety of measures to detect, prevent, and reduce the frequency and severity of cybersecurity incidents, which may include, but are not limited to, the use of encryption, intrusion prevention, endpoint security, password protection, multi-factor authentication, internal phishing testing and security awareness training, and vulnerability scanning and penetration testing.
In addition, we have implemented a third-party risk management program to assess our vendors’ ability to adequately protect information, which includes requiring agreements with our vendors that address cybersecurity. We periodically review and assess certain third parties’ adherence to these agreements and review for information security (including cybersecurity) incidents experienced by our third-party vendors.
Due to the type and volume of information that we collect and store to provide insurance coverage to prospective and current policyholders, we are an attractive target for cyber threat actors seeking financial gain. Our failure to maintain the safety of our policyholders’ information could have a material adverse effect on our reputation, financial condition and results of operations. To date, we have not experienced a cybersecurity incident that resulted in a material adverse effect on our business strategy, results of operations, or financial condition; however, there can be no guarantee that we will not experience such an incident in the future. Although we maintain cybersecurity insurance, the costs and expenses related to cybersecurity incidents may not be fully insured. We describe whether and how risks from identified cybersecurity threats, including as a result of previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under Item 1A. Risk Factors, General Risk Factors, "The failure to maintain effective and efficient information systems at the Company could adversely affect our financial condition and results of operations."
Governance
Our Board of Directors considers information security to be an enterprise-wide risk management issue and oversees material cybersecurity risks through the Audit Committee. The Audit Committee is designated with the responsibility to monitor and periodically report to the full Board regarding management’s risk management and information security processes. The ERM Committee and the Operational Risk Committee (“ORC”) are the senior management-level entities designated with the responsibility to oversee the execution of our risk strategy, including as it relates to cyber risk. These Committees are composed of an enterprise-wide representative group of the Company’s Executive and Senior Vice Presidents, as well as other essential directors and personnel. The ERM Committee is chaired by our CRO, and the ORC is chaired by our Chief Security Officer (“CSO”). The Chief Information Officer (“CIO”) and CISO serve on both Committees. Our CRO has over a decade of experience managing risks at the Company, including risks from cybersecurity threats. Our current CIO has over 15 years of experience managing risks, including risks from cybersecurity threats. Our current CSO holds the Certified Information Systems Security Professional, Certified Information Systems Auditor, and Certified in Risk and Information Systems Control certifications, and has over 20 years of experience in cybersecurity. The CISO leads cyber governance and strategy, as well as cyber risk and incident management. The current CISO holds a master's degree in cybersecurity and a Certified Information Systems Security Professional certification, and has over a decade of experience in cybersecurity.
The CISO assesses cyber risk and provides recommendations for management decision(s) by the ORC on a routine basis. The CISO briefs the Audit Committee on a quarterly basis. These updates include compliance with applicable regulations as well as current or planned changes to the regulations, an overview of the current cyber threats, risk management activities, and discussions of cyber incident investigations that warrant the attention of the Board. The CISO also provides an annual update to the entire Board of Directors on changes in cybersecurity, top threats facing the Company, key risks and mitigation efforts, and any potential material cybersecurity incidents. The Chair of the Audit Committee also provides a quarterly report to the Board on any information security topics presented to the Audit Committee by management.
Incident Management
The Company maintains and tests a cybersecurity incident response plan that outlines steps for the containment of, investigation of, response to, and recovery from cyber events. The plan also includes information pertaining to roles and responsibilities, escalation, third-party support, documentation, reporting, and law enforcement engagement. Escalation is designed to raise awareness of events that may require disclosure, to help ensure that materiality assessments are performed without unreasonable delay. In alignment with our plan, we maintain playbooks that outline processes for responding to certain incidents commonly observed in the insurance industry. In addition, we have implemented a formal crisis management process, which outlines an incident response communication plan with executive leadership as well as criteria for communication with the Chair of the Audit Committee and the Lead Director of the Board.