OLD REPUBLIC INTERNATIONAL CORP - (ORI)

10-K Filing Date: February 28, 2024
Item 1C - Cybersecurity

Old Republic depends upon technology-based information systems to conduct business. The Company uses computer systems and other electronic information resources, including both proprietary and third-party technology systems and tools, to process, transmit, receive, and store certain personal, confidential, and proprietary information; to communicate with customers, service providers, and other third parties by email and other electronic means; and to perform various business operations, including transferring significant amounts of funds.

The Company’s systems and processes have been, and will likely remain, subject to cyber threats and cyber-attacks and other intrusions. These threats and attacks are occurring with greater frequency and sophistication, and include malware and computer virus attacks, ransomware, unauthorized access, misuse, denial-of-service attacks, system failures and disruptions. While these cyber threats and attacks have not resulted in a material adverse effect on the Company, a future cyber incident involving breach of the Company’s information systems or the information systems of a third-party vendor or services provider could adversely affect the Company’s business strategy, results of operations or financial condition by exposing the Company to substantial costs and negative consequences, including the loss of funds, costs of investigation and remediation, lost revenues and reputational damage.

Old Republic dedicates significant resources across the enterprise to regularly monitor its networks, infrastructure and procedures in an effort to prevent, detect, address and mitigate these risks. The Company’s Chief Information Security Officer (CISO) oversees the Company’s enterprise cybersecurity strategy, while the Company’s Chief Executive Officer (CEO) retains primary responsibility for managing enterprise-wide risks, including those related to cybersecurity. The Company’s Board of Directors’ oversight responsibilities include ascertaining that appropriate policies and practices are in place for managing the identified risks faced by the enterprise, and, as discussed below, the Audit Committee of the Board of Directors has oversight authority over data protection and cybersecurity risk exposure. The Company’s CISO has more than 26 years of experience in the field of information technology and security, comprising six years in the U.S. defense industry and 20 years in the civilian sector. The CISO has a bachelor’s degree in computer studies and is an EC-Council Certified Chief Information Security Officer, as well as a member of ISACA (formerly known as the Information Systems Audit and Control Association) and the governing bodies for the Evanta National CISO community and the Evanta Regional (Dallas, Texas) CISO community.

Each Old Republic operating subsidiary maintains its own security program based on its particular risk, applicable insurance industry requirements, and mandates and guidance from the CISO and the enterprise-wide security advisory team. These programs encompass asset protection, threat identification, monitoring, timely response procedures, containment and recovery measures, and internal escalation procedures. An enterprise-wide information technology team, consisting of a working group of information technology leaders representing all operating subsidiaries, meets regularly to review and monitor information security business processes and to update them in response to significant changes in operating environments, statutory or regulatory changes, or changing or emerging threats. Operating subsidiaries are required to report certain cyber incidents, based on documented severity classification, to the enterprise-wide information technology team. This team consists of key information technology personnel, including the CISO and the Chief Information Officer (CIO), who are responsible for overseeing incident response and for escalation to the Company’s General Counsel and Chief Financial Officer (CFO) when necessary. As part of the Company’s overall risk management strategy, the General Counsel, CFO, and CIO, in consultation with the CEO, navigate escalated incidents for law enforcement and other external engagements and assess the impact and materiality of such incidents on the Company’s enterprise-wide business.

While exact practices vary depending on each operating subsidiary’s particular business and risk, risk assessments performed at the enterprise level and the subsidiary level generally incorporate threat and vulnerability analyses and consider the mitigations provided by in-place security controls. These procedures are intended to identify and assess internal and external cybersecurity risks that may threaten the security or integrity of nonpublic information stored on the Company’s information systems, through the use of defensive infrastructure and the implementation of policies and procedures to protect the Company’s information systems from unauthorized access, use or other malicious acts.

When engaging third-party vendors, operating subsidiaries are directed to use cybersecurity screening and risk assessment measures and to include appropriate data security privacy terms and conditions in vendor agreements, including, as necessary for certain vendors, a duty to report certain security incidents to the Company’s information technology team. Third-party engagement procedures generally include (1) the identification and risk assessment of third-party service providers; (2) minimum cybersecurity practices required to be met by such third-party service providers in order for them to do business with the Company; (3) due diligence processes used to evaluate the adequacy of cybersecurity practices of such third-party service providers; and (4) periodic assessment of such third-party service providers based on the risk they present and the continued adequacy of their cybersecurity practices.

Third-party cybersecurity consultants are periodically retained by the Company to conduct targeted security control assessments, and to review the Company’s security policies, standards, procedures, and controls, when applicable. Annual third-party penetration testing is used to simulate cyber-attacks and to identify potential vulnerabilities. The Company subscribes to paid third-party threat intelligence services that provide real-time information on emerging threats. The Company engages security platform partners to provide advisory services related to security technologies and practices.

At the holding company level, Old Republic employs security awareness and training initiatives to inform associates about their role in cybersecurity risk mitigation.

The Audit Committee of the Company’s Board of Directors has oversight authority to review the Company’s data protection and cybersecurity risk exposure and the steps management has taken to assess and respond to the overall threat landscape, including the strategy management implemented to mitigate the Company’s cyber risk exposure. The CISO and CIO report to the Audit Committee on current data protection and cybersecurity matters quarterly, and as may otherwise be needed. The CISO is authorized to report directly to the Audit Committee on the Company’s security program and status of cybersecurity risk management efforts. The Chair of the Audit Committee reports these matters, as appropriate, to the Board of Directors.
