AMBAC FINANCIAL GROUP INC - (AMBC)
10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity.
The Company is exposed to diverse cybersecurity risks that have the potential to significantly impact our business operations, financial standing, and reputation. We seek to identify, assess, and manage these risks, with the aim of safeguarding our critical systems and information, and employ a documented process to respond in the event of a cybersecurity incident. This approach includes regular evaluations of our information systems and infrastructure to identify vulnerabilities and potential weaknesses through the use of system monitoring tools, as well as monitoring industry trends, threat intelligence, and emerging risks to anticipate and proactively assess potential threats. We engage third-party cybersecurity experts to conduct penetration testing, vulnerability scans, and risk assessments, informed by the NIST (National Institute of Standards and Technology) Cybersecurity Framework guidelines, to increase the likelihood that system risks are identified.
To identify potential risks, Ambac also assesses the security measures of vendors and third-party service providers that have access to the Company’s information systems and sensitive data. Each review involves an initial risk assessment of the provider, and initial and periodic reviews of the provider's cybersecurity program to evaluate security standards, access controls and security measures. The Company generally requires vendors and third-party service providers to report to the Company any cybersecurity incidents involving the providers’ systems that could affect the Company, or to have cybersecurity incident notice requirements in their cybersecurity programs.
Our approach to managing cybersecurity risks includes implementing cybersecurity measures such as selective use of encryption, firewalls, data loss prevention, security monitoring, endpoint detection and response, anti-spam and anti-phishing email security, and intrusion detection systems to fortify our defenses. We conduct mandatory annual employee cybersecurity training programs and frequent simulated phishing campaigns to enhance cybersecurity knowledge and practices across the organization. Ambac maintains an incident response plan that is updated regularly to respond to changes in the organization, risks and laws. Ambac also conducts an annual test to restore business critical systems and data from back-ups. We have established reporting processes and escalation pathways for our business units and functions to identify, assess and manage potential cybersecurity incidents in a timely manner. Once an incident is identified, the Chief Information Security Officer (“CISO”) (with the assistance of the IT team) will begin the investigation to determine the level of risk of the event and the appropriate response.
The Board of Directors of the Company oversees the management of risks from cybersecurity threats through its review of quarterly reports from the CISO on the status of the Company’s cybersecurity preparedness; updates on information systems; and any cybersecurity threats of which management has become aware. In addition, the Board receives periodic cybersecurity awareness training.
The Company’s technology staff and CISO conduct weekly meetings, attended regularly by the Chief Operating Officer and Chief Information Officer, to review: (i) implementation of new security measures; (ii) results of existing technical system monitoring tools to identify any potential risk and propose remediation, as necessary; (iii) newly disclosed software patch updates to assess risks and set patch implementation priorities; and (iv) threat intelligence from various organizations, such as the Cybersecurity and Infrastructure Security Agency, to assess risks and suggest security measures, as necessary. Cybersecurity risk is also included in the Company’s Enterprise Risk Management (“ERM”) process, which involves senior management and other personnel in the identification, assessment and management of a broad range of risks (including cybersecurity risks) that could affect the Company’s ability to execute on its corporate strategy and fulfill its business objectives. The Company’s Chief Operating Officer and Chief Information Officer provide input and updates to the Enterprise Risk Committee (comprised of members of management) on cybersecurity preparedness and emerging risks. The Enterprise Risk Committee produces the relevant risk management information for executive and senior management and the Board of Directors, which receives ERM updates on a quarterly basis. The Chief Operating Officer and Chief Information Officer are also members of the Company's Disclosure Committee and provide updates on cybersecurity threats and emerging risks to the Disclosure Committee prior to the filing of each quarterly report on Form 10-Q and annual report on Form 10-K.
The Company’s Chief Information Officer and CISO bring over 35 years of combined experience in the technology and cybersecurity space. The Chief Information Officer has served as a chief information officer and chief technology officer of both private and public institutions for the past 10 years and was responsible for the IT operations and cybersecurity practices of those institutions. The CISO is a certified cybersecurity professional and technologist. He holds an active ISO/ANSI-accredited cybersecurity certification and has experience managing security programs across multiple industries, including financial services and insurance. Other credentials among Ambac’s IT staff include a Certified Information Systems Security Professional certification and a master’s degree in cybersecurity risk and management.
Ambac and its subsidiaries are subject to various U.S. federal and state laws and regulations with respect to privacy, data protection and cybersecurity that require financial institutions, including insurance companies and agencies, to safeguard personal and other sensitive information, and may provide for notice of their practices relating to the collection, disclosure and processing of personal information, disclosure of cybersecurity risk management practices, reporting of cybersecurity incidents, and implementation of governance practices. For example, the National Association of Insurance Commissioners (“NAIC”) adopted the NAIC Insurance Data Security Model Law (#668) (“NAIC Model Law”), which creates rules for insurers and other covered entities addressing data security and the investigation and notification of cybersecurity events involving unauthorized access to, or the misuse of, certain nonpublic information. This includes maintaining an information security program based on ongoing risk assessment, overseeing third-party service providers, investigating data breaches and notifying regulators of a cybersecurity event. Legislation based on the NAIC Model Law has been enacted in many states and may be enacted in other states. Certain of our subsidiaries, as insurance companies and agencies licensed in the State of New York, are also required to comply with the New York Department of Financial Services (“NYDFS”) cybersecurity regulation, which establishes requirements for covered financial services institutions to implement a cybersecurity program designed to protect the confidentiality, integrity and availability of the information systems of regulated entities, and the information stored on those systems. The regulation imposes a governance framework for the cybersecurity program, risk-based minimum standards for technology systems for data protection, monitoring and testing, third-party service provider reviews, security incident response and reporting to NYDFS of certain security incidents, annual certifications of regulatory compliance to NYDFS, and other requirements. Recent amendments to the NYDFS cybersecurity regulation impose additional security requirements and new governance obligations.
The California Consumer Privacy Act went into effect in January 2020 and provides additional privacy rights for California residents. In November 2020, California further expanded privacy rights for California residents by enacting the California Privacy Rights Act, which became effective January 1, 2023. Several other states have enacted similar comprehensive privacy laws. We anticipate that federal and state regulators will continue to enact legislation related to privacy and cybersecurity, which may require additional compliance investments and changes to policies, procedures and operations.
The federal Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”) impose minimum standards on covered entities, such as health insurers, for the privacy and security of protected health information (“PHI”). The Health Information Technology for Economic and Clinical Health Act, enacted in 2009 (“HITECH”), provides for the extension of certain privacy and security provisions of HIPAA to business associates of covered entities that handle electronic PHI. Xchange specializes in accident and health insurance and is a business associate of the health insurance carriers it partners with, making it subject to compliance with the provisions of HITECH and HIPAA applicable to business associates.