Employers Holdings, Inc. - (EIG)
10-K Filing Date: February 26, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Our operations rely on the secure processing, storage, and transmission of personal, confidential, and other information. Our business, including our ability to adequately price products and services, establish reserves, provide an effective and secure service to our customers and report our financial results in a timely and accurate manner, depends significantly on the integrity, availability, and timeliness of the data we maintain, as well as the data held by third-party service providers. The Company manages cybersecurity risk via expectations set by its Information Security and related policies, real-time monitoring of threats, and recovery where needed through incident response plans.
The Company leverages ISO 27005, an international standard for identifying, measuring, and assessing cybersecurity risks, as a model for measuring its cybersecurity risk. An annual baseline is established to guide development of the information security program. The ISO 27005 model is refreshed as new cybersecurity risks are identified.
The Company’s Chief Information Security Officer (CISO) leverages a model of continuous vulnerability detection to identify new cybersecurity risk as soon as practicable. The information security program is subject to a bi-annual assessment using the ISO 27001 standard for managing cybersecurity. Annually, external security firms conduct penetration tests of the Company’s technology surface area internally and externally. The Company’s information security program is subject to internal and independent external audits.
The Company is not aware of any cybersecurity risks, including as a result of any cybersecurity incidents during 2023, that have materially affected or are reasonably likely to materially affect it, including its business strategy, results of operations, or financial condition.
Third parties with access to sensitive data or systems are subject to due diligence and ongoing monitoring.
Potential new vendors and existing vendors (which are reviewed periodically) that are known to have access to sensitive data or Company systems are subject to a risk assessment process including the review of independent security audits where available. Continuous monitoring of existing vendors occurs via an automated service that rates companies’ publicly facing cybersecurity posture and identifies known vulnerabilities.
Governance
The Company’s cybersecurity risks and strategies are overseen by both management, including our CISO, Chief Information Officer (CIO), VP, Enterprise Risk Management, and Executive Risk Committee (ERC), and the Company’s Board and relevant Board committees, including the Risk Management, Technology & Innovation Committee (RMTIC). This structure reinforces that the Company's most critical risks are effectively monitored and communicated to the Board and management, including for purposes of making any required disclosures in a timely manner. Cybersecurity risk assessments, subsequent findings, and response plans, including risks arising in connection with the Company's use of vendors and third parties, are integrated within the Company’s Enterprise Risk Management framework.
Members of our senior management have specific and relevant cybersecurity expertise and experience, including the following:
• The Company’s CISO holds a B.S. degree in Computer Science, an M.S. degree in Administration, an M.S. degree in Electrical Engineering, and a Graduate Certificate in Cybersecurity. In addition to the CISO’s more than 30 years of experience in technology and cybersecurity, he also holds multiple professional certifications in security, privacy, governance, audit, and technology.
• The Company’s CIO holds a Master of Liberal Arts (ALM) degree in Information Technology Management and a Graduate Certificate in Project Management. In addition to the CIO’s more than 16 years of experience in technology, she has directly managed global privacy, compliance, ethics, and records retention technology, been responsible for addressing global cybersecurity risks, and has also attended multiple training programs in cybersecurity, privacy, governance, and technology.
• The Company’s VP, Enterprise Risk Management holds a Certificate in Risk and Information Systems Controls (CRISC) certification along with 25 years of experience in managing technology delivery, vendor management, privacy, and governance.
Cybersecurity is one of several key risk categories that are evaluated and rated by the ERC on a quarterly basis. Each of our CISO, CIO, and VP, Enterprise Risk Management is a member of the ERC. The ERC reports periodically on its activities, findings, and areas of concern to the RMTIC. The RMTIC in turn reports to the Board on its oversight of cybersecurity risk.