PROASSURANCE CORP - (PRA)

10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY
Risk Management & Strategy
As previously discussed under the section titled "Enterprise Risk Management", through our ERM program we have a risk management framework that recognizes the risks inherent in our operating segments as well as the risks associated with the operations of our holding company. This process includes assessing, identifying and managing material risks related to cybersecurity.
ProAssurance's Information Systems Security department, with assistance from third-party security vendors, regularly monitors the Company's systems for indicators of attack or compromise to mitigate the risk of cyberattacks. The Company continually enhances its cyber and information security in order to identify and neutralize emerging threats and improve its ability to prevent, detect and respond to attempts to gain unauthorized access to the Company's data and systems. ProAssurance regularly adds additional security measures to its computer systems and network infrastructure to mitigate the possibility of cybersecurity breaches, including firewalls and penetration testing. The Company encrypts sensitive information and data and utilizes stringent access controls. Team members are required to complete quarterly security training which encompasses a wide range of cybersecurity topics. This training informs all team members of the processes and procedures to follow in the case they encounter a possible cybersecurity threat. This training is reinforced through periodic simulated phishing tests.
The Company also evaluates the integrity and security of the technology infrastructure of certain third parties that access, process or store data that the Company considers to be sensitive, significant, or legally protected. ProAssurance reviews and assesses its third-party providers' cybersecurity controls, as appropriate, and makes changes to the Company's business processes to manage these risks.
Governance
While our Board is responsible for ensuring that our entire ERM process is in place and functioning, our Audit Committee has the primary oversight responsibility for risks relating to cybersecurity. Our Vice President of Information Security regularly attends and presents to our Audit Committee on material cybersecurity risks and mitigating procedures. Our Vice President of Information Security oversees ProAssurance's information security and data privacy programs and is responsible for establishing and implementing our security strategy alongside our General Counsel, to whom the Vice President of Information Security reports directly. Our Vice President of Information Security has been with ProAssurance since 1998 and has over 25 years of IT and cybersecurity experience.
The Company has a formal process in place for identifying, handling and disclosing material cybersecurity incidents. The Company's Security Oversight Committee ("SOC") includes our Chief Financial Officer, General Counsel, Vice President of Information Security, and representatives from our Internal Audit, Legal, Compliance and Information Systems departments. The purpose of the SOC is to develop and review the Information Security policies, standards and guidelines for the Company that manage Cyber Risk. Furthermore, the Company's Code of Ethics and Conduct explicitly prohibits officers, directors, team members, or other insiders who are subject to the Code from transacting in the Company's stock during a time when such individuals have knowledge of any material undisclosed cybersecurity incident or breach.
Effective July 26, 2023, the SEC finalized rules requiring registrants to disclose material cybersecurity incidents. Per the ruling, any cybersecurity incident deemed to be material shall be disclosed within four business days of materiality determination. The determination of materiality related to cybersecurity incidents is subjective; however, the Company has implemented materiality consideration in its formal process.
All possible cybersecurity incidents are reported to our General Counsel for consideration of materiality. Our General Counsel escalates consideration of materiality to our Chief Executive Officer, Chief Financial Officer and other corporate officers as appropriate. The Company does not utilize any third-party service providers for consideration of materiality for cybersecurity incidents. Upon determination that the Company has experienced a material cybersecurity incident, the Company will disclose the incident within four business days as required by regulation. Our Board is also notified of any material cybersecurity incidents immediately upon determination of materiality.
To date, no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company. Please refer to Item 1A, Risk Factors under the heading "Technology, Data Security and Privacy" for additional information on our cybersecurity threats.
