ERIE INDEMNITY CO - (ERIE)

10-K Filing Date: February 26, 2024
ITEM 1C. CYBERSECURITY

Cybersecurity Risk Management
Our Privacy and Information Security Committee, comprised of officers and senior leaders, is responsible for overseeing the development and maintenance of information privacy and security policies and effective operation of our corporate information security and cybersecurity program in compliance with applicable state insurance regulations and other legal and regulatory requirements. This committee is sponsored by and reports directly to our Executive Council, which includes our Chief Executive Officer and executive vice presidents.

As part of our overall Enterprise Risk Management ("ERM") program, we employ a cybersecurity program of technical, administrative, and physical controls intended to reduce the risk of cyber threats and protect our information, as well as documented processes to determine and make appropriate disclosures regarding potential material threats and incidents. Our cybersecurity philosophy and approach align to the National Institute of Standards and Technology Cybersecurity Framework and its core elements to identify, protect, detect, respond, and recover from the various forms of cyber threats. Our practices include, but are not limited to, cybersecurity protocols and controls, system monitoring and detection, communication of incidents to appropriate management, third-party risk management, including assessments of emerging threats and vulnerabilities, and ongoing privacy and cybersecurity training for employees and contractors concerning cyber risk. A foundational element of our cybersecurity risk management processes is the annual Cybersecurity and Information Security Risk Assessment (CSRA), which includes an analysis of cybersecurity risks facing us and associated recommendations and action items to mitigate identified risks. We periodically utilize third parties to assess the effectiveness of our cybersecurity efforts through independent validations, verifications, and security assessments.

Our Board of Directors has a process in place to monitor management’s oversight of cybersecurity. This is done primarily through regular reports to its Risk Committee as well as the full Board of Directors. Management provides reports on our cybersecurity risk management program, including our risk evaluation, the results of independent third-party security assessments, and our efforts to manage cyber-related risks.

We have a core incident response team (Core Team) consisting of dedicated, skilled leadership representatives from our Information Security, Privacy and Law teams, responsible for analyzing and assessing cyber incidents and leading response efforts. Our Chief Information Security Officer (CISO), responsible for overseeing and managing information security incidents, has over 25 years of experience in information technology (IT), including over 20 years dedicated to practicing or leading cybersecurity functions. Our CISO is also a Certified Information Systems Security Professional (CISSP). Our Privacy leader, responsible for managing privacy incidents, has over 20 years of experience in IT risk management, including over 10 years in IT risk and control functions and the remaining time focused on privacy and cybersecurity related functions and holds several information privacy and risk certifications. Our Legal leader, responsible for providing guidance on legal and other regulatory obligations in the areas of privacy, cybersecurity, technology, data use and third-party risk management, holds a Juris Doctor degree, is licensed to practice law, and has over 20 years of legal experience, including 10 years focused on privacy and cybersecurity and holds several information security and privacy certifications, including the CISSP. The Core Team leaders are members of various organizations that support cybersecurity or privacy intelligence, education, information sharing and networking, including among others the Financial Services Information Sharing and Analysis Center (FS-ISAC), Domestic Security Alliance Council (DSAC), InfraGard, and International Association of Privacy Professionals (IAPP).

The Core Team members are augmented as needed by representatives from other internal groups, including subject matter experts from Information Security, Privacy, Finance and Law, as well as certain third parties that may need to participate in the incident response process. Depending on the severity and impact of the incident, third parties engaged may include outside counsel, forensics investigators, public relations firms, data breach resolution providers, and cyber insurance brokers and carriers. In conjunction with legal counsel, the Core Team evaluates notification requirements and as necessary will notify stakeholders depending on the nature and severity of the incident, including law enforcement, state attorneys general, regulators, external auditors, third-party providers, and impacted individuals.

The Core Team is informed of cyber incidents from diverse sources, including for example, internal monitoring systems, information sharing organizations, employees, and other external information sources. Depending upon the levels of access to our information and/or information systems, third party service providers are contractually obligated to report cybersecurity incidents within their environments. The Core Team performs incident analysis and triage to determine scope, severity, prioritization and required response plans to address an incident in a manner that is intended to minimize the impact to us, our assets, and our operations. In accordance with applicable legal and regulatory requirements, this analysis and triage step includes an assessment of the potential for material impact to us from a cybersecurity incident or a series of individually immaterial related incidents that are material when aggregated.

To date, we are not aware of any cybersecurity breach or other incident with respect to our systems or data that would have a material impact to our business strategy, results of operations or financial condition. Additionally, we are not aware of any cybersecurity breach or other incident experienced by anyone with whom we have a third-party relationship that has had a material impact on our systems or data. However, there can be no guarantee that we will not experience any such incidents in the future. See Item 1A. "Risk Factors" for a discussion of cybersecurity risks.