Primerica, Inc. - (PRI)
10-K Filing Date: February 28, 2024
Risk Management and Strategy
Primerica has processes in place aimed at assessing, identifying, and managing material risks from cybersecurity threats. Cybersecurity risk is integrated into Primerica’s enterprise risk management system. Primerica’s enterprise risk management and internal audit functions conduct regular assessments and audits of risks from cybersecurity threats and report the results to the Board of Directors at least quarterly. The Board considers cybersecurity risk as part of its business strategy, risk management, and financial oversight.
Primerica institutes a three-lines-of-defense model for information security risk assurance, in which management owns the risk, our enterprise risk management team assesses the risk and oversees compliance with internal guidelines and policies, and our internal audit team reviews the effectiveness of the first two lines of defense. Management works with external assessors, consultants, auditors, and other third parties from time to time in conducting maturity and technical assessments.
Primerica has processes in place to oversee and identify material risks from cybersecurity threats associated with its use of third-party service providers. The Company maintains a policy governing information security, which includes risk assessment policies and procedures relating to third-party vendors, as well as a data loss prevention policy. The Company’s policies address technical requirements needed to protect the environments in which data is processed, as well as how it is maintained, governed, and protected. Primerica also imposes mandatory privacy and information security controls and data security protection requirements on the independent contractor sales force. We train all regular employees in information security and privacy-related risks and we perform regular tests to determine whether our employees can recognize phishing emails. Similarly, our annual compliance training for the independent sales representatives includes training on maintaining data security and privacy. e-TeleQuote operates under certain of its own separate policies and procedures related to physical and information security. These policies and procedures are similar in nature to the ones discussed above.
We have an incident response plan designed to help us monitor the prevention, detection, mitigation, and remediation of information security incidents. The incident response plan documents the roles and responsibilities of Primerica personnel in responding to information security incidents, including the process by which the Chief Information Security Officer, the Chief Information Officer, senior management, and the Board are informed about such incidents.
The Chief Information Security Officer leads the Company’s Incident Advisory Committee (“IAC”), which is notified in the event of high- or medium-severity incidents. The IAC includes representatives from information technology, legal, and often the impacted business unit. The Incident Response Team (“IRT”) consists of the IAC and a larger group of managers that is typically notified of more significant incidents. The IRT reports findings to management and the Board as necessary. Each IRT member has specific responsibilities related to his or her function at the Company. On a semi-annual basis, the IRT and management undertake facilitator-led trainings and simulations of information security incidents.
Previous cybersecurity incidents have not materially affected the Company. For a discussion of risks to the Company related to cybersecurity threats, see “Item 1A. Risk Factors – Risks Related to Information Technology and Cybersecurity”, which is incorporated herein by reference.
Governance
The Board of Directors has responsibility for oversight of risks from cybersecurity threats. The Board receives a quarterly report from the Chief Information Officer and Chief Information Security Officer on risks from cybersecurity threats and, under the Company’s incident reporting plan, the Board is informed by management of certain cybersecurity incidents as appropriate. In 2023, the Board participated in a facilitator-led training and simulation of an information security incident.
Primerica’s senior executive leadership is actively involved in managing material risks from cybersecurity threats. Primerica’s cybersecurity operations risk steering group is chaired by the Chief Operating Officer and holds quarterly meetings. It includes key executives from the Company’s technology, security, privacy, and legal teams, coordinates corporate security initiatives, and provides high-level guidance on technology- and security-related issues. The Chief Information Security Officer has responsibility for assessing and managing the Company’s material risks from cybersecurity threats. The Chief Information Security Officer has served in various roles in information technology and information security for 35 years, including serving as the Company's Chief Information Security Officer for over 23 years.