SAFETY INSURANCE GROUP INC - (SAFT)

10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY

The Company has implemented a cybersecurity program that oversees, assesses, and manages its cybersecurity risks. As a component of the Company’s formal enterprise risk management program, whose goal is to support the business objectives and strategy, the cybersecurity program leverages multiple security measures to protect the integrity of the Company’s information assets. The program's strategy aligns to the National Institute of Standards and Technology Cybersecurity Control Framework, where controls are implemented throughout our environment to achieve five categorical objectives of a cybersecurity program, including identification, protection, detection, response, and recovery.

Our cybersecurity program is regularly assessed to ensure it meets the ever-changing cyber risk environment. This is accomplished via monthly risk assessment meetings performed by our technical cybersecurity committee, periodic risk assessments and audits performed by internal audit, and cyber tests and assessments performed by contracted consultants.

Our cybersecurity program includes several methods to protect against intrusion by a bad actor, including such techniques as reputational filtering, anti-virus scans, intrusion prevention, multi-factor authentication, and account isolation, among others. We also use numerous approaches to detect ransomware and other cyber-attacks, including, among others, dark web searches, email sandboxing, endpoint detection, and intrusion detection. The Company continuously monitors and enhances its program to respond to evolving cyber threats and changes in the regulatory environment.

To ensure the effectiveness of the cybersecurity program, we have implemented various assurance methods including ongoing internal audit control reviews, external reviews by third-party consultants including penetration testing, and cyber incident response team exercises. Ongoing monitoring of our systems and security metric reviews are in place to manage external threats. Our cyber monitoring and supporting metrics include such areas as intrusion detection, phishing attempts, cyber training results, and patch management vulnerabilities. Additionally, the Company collaborates with industry associations, government authorities, peers, and external advisors to monitor the threat environment to ensure no gaps exist in our security practices.

A third-party risk management program is in place ensuring that the risks associated with our use of vendors to support our business objectives and strategic initiatives are properly understood and mitigated. Through management’s oversight, third-party assessments of vendors’ information security practices and protocols, including their readiness to protect against and respond to cybersecurity breaches, are performed. Third-party service providers are categorized into tiers in consideration of the risk of a vendor’s activities. Vendor due diligence questionnaires are issued seeking to understand a service provider’s cyber and information security control environment, as well as their resiliency in the event of an intrusion into their systems. Formalized vendor incident response procedures are in place that support the activities required should a cyber event occur.

We continue to improve our ability to defend against, respond to, and recover from ransomware and other cyber events; enhance application cybersecurity capabilities, including defenses against fraud attacks; and to ensure security capabilities are built into new cloud-based platforms that we adopt. We are also required to maintain strong cyber defense protocols in the states where we are authorized or licensed to write business. We monitor the status of new cybersecurity regulations, including notification requirements.

To the best knowledge of management, no risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition.

Our Board is ultimately responsible for the oversight of risk management strategy, business plan and management of financial resources. As part of these responsibilities, the Board is apprised, annually and as needed, of developments in the external environment and business strategies that present increased cyber risk exposure to the Company. On a weekly basis, the Vice President of Management Information Services (“VP of MIS”) meets with the Chairman of the Board of Directors, President and Chief Executive Officer (“Chairman, President and CEO”), to discuss developments in the Company’s IT environment, including its cybersecurity program. The Chairman, President and CEO would then inform the Board of those developments, as needed. The Board has delegated oversight of cybersecurity risk management to the Audit Committee of the Board of Directors.

The Audit Committee meets on a quarterly basis. A set agenda of risk matters includes detailed updates of the Company’s preparedness and significant cybersecurity activities. The topics covered by these updates have included discussions of policies and procedures to prevent, detect and respond to cybersecurity incidents, modifications to on-line platforms, and the use of cloud-based applications. Lessons learned from cybersecurity incidents and the internal and external testing of our cyber defenses are provided quarterly. The Board is also provided with an annual cybersecurity technology risk and control update.


A management-level risk committee exists and oversees the management of the Company’s highest-level risks, including cybersecurity. This committee consists of representatives from the Risk, Financial, Underwriting, Information Technology and Legal Departments. The Risk Committee, as supported by the Cybersecurity Committee, is responsible for keeping the Audit Committee apprised of the Company’s cybersecurity preparedness and cyber incidents. The Cybersecurity Committee oversees and ensures the Company’s cyber-related controls are sufficient to protect the Company’s information and proprietary assets, in accordance with the acceptable risk policies and risk tolerances.

The VP of MIS has expertise assessing and managing cybersecurity risks, and is a member of both the Risk Committee and Cybersecurity Committee. He has served in his current role since 2014 and has held several senior-level information technology roles in his 31-year tenure with the Company. In his various roles, he has been responsible for providing senior leadership in the areas of information security, IT governance risk & compliance, business continuity, and disaster recovery.