MBIA INC - (MBI)
10-K Filing Date: February 28, 2024
The cybersecurity program of the Company establishes the framework for safeguarding critical information assets through an evolving, multi-tiered security approach. This program encompasses the Company’s policies and controls designed to mitigate risks from malicious and unauthorized use, as well as cybersecurity threats or attacks targeting the Company’s Information Assets ("IA"). These IA primarily include business and technology applications, networks, computing platforms, and the data stored therein. The following is a discussion of our cybersecurity risk management and strategy and our cybersecurity governance.
Risk Management and Strategy
Cybersecurity is a part of the Company’s overall risk management strategy. The Audit Committee oversees risks associated with cybersecurity. Refer to the following "Governance" section for additional information on the Audit Committee's oversight of cybersecurity.
The Company has developed a security architecture designed to minimize and defend against threats, with an emphasis on the capability to effectively assess and identify cyber risks to its IA. This includes regulating access to IA and protecting against unauthorized access, malicious software, and hacking attempts. The Company maintains reasonable defenses against known threats through systematic scanning for security vulnerabilities and uses more advanced technologies to protect against new threat vectors for which there is not yet a vendor-provided security solution. The Company uses tools such as firewalls, anti-malware software, multi-factor authentication, e-mail and internet security gateways, virtual private networks, and an active vulnerability management program to safeguard IA against cyberattacks. The Company also engages third-party outsourced security services to continuously monitor and provide timely remediation of security events across all information technology ("IT") assets; these services serve as a virtual extension of the internal security team. In addition, the Company engages third-party security firms to perform periodic penetration testing to validate the security of its IT infrastructure and applications. Periodic incident response exercises are also conducted as part of the Company's overall cybersecurity program. Our processes also address threats to our IA associated with our use of third-party security providers. Third-party risks are included within our risk management strategy discussed above. Cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third parties that have access to our systems, data, or facilities that house such systems or data, and continually monitor cybersecurity threats identified through such diligence. Additionally, we may require certain third parties to agree by contract to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits, which we conduct as appropriate.
The Company manages software using a risk-based approach that assesses software version requirements, technology obsolescence, business value, and cost. Web-based applications undergo external penetration testing to identify vulnerabilities and/or known exploits before deployment to production. The Company also utilizes data leakage prevention controls to further protect IA. The Company's hardware, including computers, smartphones, and tablets, has security software installed to extend cybersecurity and general technology management controls. In addition, the Company's IT department arranges periodic training for Company employees on best practices to prevent, identify, and report cybersecurity incidents. All Company employees are required to participate in scheduled training and are obligated to certify the completion of each training session. Additionally, all third parties retained by the Company, including vendors, that are granted access to the Company's IA are required to certify compliance with all relevant Company policies relating to such access and to re-certify compliance as deemed necessary. This certification includes the completion of questionnaires that are reviewed by the Chief Information Security Officer ("CISO") and Chief Information Officer ("CIO").
Despite the Company's implementation and maintenance of the cybersecurity program described above and elsewhere herein, which includes a variety of best-practice security measures, our information technology systems, networks, and data remain subject to cyber-attacks, physical break-ins, unauthorized tampering, and other security breaches. Notwithstanding these protections, attacks may result in a failure to maintain the security, confidentiality, or privacy of sensitive information. To date, the Company has not had any cybersecurity incidents that have materially affected, or are reasonably likely to materially affect, its business strategy, results of operations, or financial condition. There can be no assurance that a future cybersecurity incident would not result in a loss and/or have a material adverse effect on our reputation, business, results of operations, or financial condition.
Governance
The Company created an Enterprise Security Council ("ESC"), composed of senior IT management (including the CISO and CIO) and Internal Audit and Compliance leaders, which meets regularly to evaluate potential security risks to the Company and its IA.
The CISO is responsible for performing a thorough examination of any identified or suspected cybersecurity incidents or violations. The CISO will collaborate with the Company's General Counsel and other relevant personnel during this formal review. Documentation detailing the event and an action plan, if required, will be generated by the CISO. Additionally, communication will be promptly established with the Cyber Incident Response Team ("CIRT"), and if deemed necessary, the Audit Committee.
The Audit Committee receives quarterly briefings, or more frequent briefings as appropriate, from the Company's senior management and CISO. The briefings concern, among other topics, the cyber threat landscape and associated risks to the Company, updates to the Company's cybersecurity program and associated policies, its ongoing strategy to prevent, identify, and react to security incidents, internal and external vulnerability assessments, penetration testing results, and Internal Audit's periodic reviews of MBIA's security controls, policies, and procedures. The CIRT is composed of senior leaders from across the Company, including Legal, Compliance, Investor/Media Relations, and Information Technology.