HORACE MANN EDUCATORS CORP /DE/ - (HMN)
10-K Filing Date: February 27, 2024
ITEM 1C. Cybersecurity
As a multi-line insurance company, our business operations rely upon secure information technology systems for data processing, storage, and reporting. Despite security and controls design, such information technology systems could become subject to cyberattacks. Network, system, application, and data breaches could result in operational disruptions or information misappropriation, which could have a material adverse effect on our business, results of operations and financial condition. Unauthorized access to or unintentional dissemination of confidential, highly-sensitive customer, employee, or company data through breach in our facilities, networks, or databases, or those of our agents or third-party information technology and software vendors, could result in loss or theft of assets or operational disruption.
To address cybersecurity risk, we maintain a cybersecurity risk management program that is overseen by the Chief Information Security Officer (CISO). The CISO is responsible for developing, maintaining, and enforcing cybersecurity and cyber risk-related policies; ensuring the Company and its subsidiaries satisfy requirements of relevant regulations and third-party risk assessments; identifying and keeping abreast of developing security threats; as well as overseeing and implementing regular security awareness training of all employees on cybersecurity. In leading the cybersecurity risk management program, the CISO regularly works with other divisions of the company, including legal, compliance, IT, audit, and others to address potential risk from external threats, internal actions, and relationships with third-party service providers.
Horace Mann’s CISO has more than two decades of experience in IT, including network, infrastructure, and cybersecurity. Before coming to Horace Mann, he led perimeter security at a publicly traded company, and the cybersecurity team of more than 150 members at another publicly traded company. In addition to the CISO, our internal cybersecurity team also works with third-party cybersecurity vendors to both mature the cybersecurity program and assess, monitor, and respond to cybersecurity threats.
The Board of Directors exercises risk management oversight, including cybersecurity risk, through the Audit Committee. The Audit Committee receives regular reports on our risk management program. These include regular reports from the CISO on the state of our cybersecurity risk management program and updates on cybersecurity matters.
The CISO is responsible for identifying and reporting any cybersecurity incidents to the Disclosure Committee. The Disclosure Committee is composed of senior executives from across Horace Mann and has oversight over SEC disclosure controls. After notification, the Disclosure Committee or designated subgroup would review known information and develop an action plan, which would include Board outreach, expert retention, insurance notification, communication plans, and a materiality assessment.
Although we believe we and our IT providers employ appropriate security technologies (including data encryption processes and intrusion detection systems), and conduct comprehensive risk assessments and other internal control procedures to assure the security of our and our customers' data, we can provide only reasonable, not absolute, assurance that these objectives will be met. Further, the design of any cybersecurity risk management program or control system must reflect the fact that there are resource constraints, and the benefits must be considered relative to their costs. As a result, the possibility of material financial loss remains despite our significant and comprehensive cybersecurity efforts. An investor should carefully consider the risks and all other information set forth in this Annual Report on Form 10-K, including disclosures in Part I - Item 1A—Risk Factors.