CINCINNATI FINANCIAL CORP - (CINF)
10-K Filing Date: February 26, 2024
ITEM 1C. Cybersecurity
Risk Management and Strategy
As discussed further in Item 1, Regulation, Enterprise Risk Management, we manage cybersecurity as part of our overall enterprise risk programs.
As part of this program to keep our systems and data secure and to assist in understanding, assessing, identifying and managing material risks from cybersecurity threats, we take various measures through internal risk management efforts and testing by third-party experts. Those measures assess our cybersecurity program structure and capabilities and include blocking attempted cyber intrusions, defending against service disruptions, performing frequent vulnerability assessments and maintaining procedures to ensure timely notification of critical cybersecurity incidents and performance of related disclosure controls. We also have developed procedures and reporting processes when we identify an attempted cyber intrusion to the systems of one of our independent agents.
Additionally, the company uses third-party service providers, or vendors, in the course of conducting its operations. As such, the company has measures in place to help identify material risks from cybersecurity threats associated with the use of those vendors. When work with a vendor is evaluated, we consider, among other items, the availability of system and organization controls reports, interactions with our systems, the data involved and its level of sensitivity, the amount of data the vendor will process, where the data will be stored, how the vendor will use the data and how the data will be destroyed. Once a vendor is approved by the appropriate personnel, expectations regarding incident reporting are established and followed.
We are not aware of having experienced a material cybersecurity incident and we take commercially reasonable measures, described above and below, to monitor and respond to threats to keep our systems and data secure. However, we acknowledge that administrative, technical and internal accounting controls as well as other preventative actions may be insufficient to prevent security breaches to our systems or those of third parties with whom we do business due to, among other factors, changing technologies as well as criminal and state-sponsored cybercrime and cyber threats. Further, a material breach of our security or the security of a vendor that results in unauthorized access to our data could expose us to a disruption or challenges relating to our daily operations as well as to data loss, litigation, damages, fines and penalties, significant increases in compliance costs and reputational damage and could affect the company's strategy, results of operations or financial condition. See Item 1A, Risk Factors, for additional details.
Governance
Cybersecurity matters are an important part of reporting to our board of directors, executive management team, risk committee and disclosure committee. From a board perspective, the audit committee oversees the company's cybersecurity efforts along with additional oversight from the entire board. Several members of the audit committee have obtained certifications in cybersecurity oversight. Each quarter, the chief information officer and chief information security officer report to the audit committee on cybersecurity risks and controls. Also each quarter, the entire board and, as appropriate, our senior executive team receive a comprehensive report from the chief risk officer on the status and management of risk and other metrics relative to identified tolerances and limits, risk assessments and risk plans. Additionally, the chief risk officer has direct access to all members of the board of directors and presents in person at board meetings twice each year.
At the executive management and management levels, the chief information security officer leads the process of assessing and managing material risks from cybersecurity threats. Our chief information security officer has over 25 years of experience as a technology professional with in-depth knowledge of IT management processes and holds multiple degrees and professional designations, including as a certified information systems security professional (CISSP). The chief information security officer also works in collaboration with our chief information officer and chief risk officer and is supported by a cross-functional group of qualified and experienced professionals across various committees and functions. On a quarterly basis, the chief information officer provides a cybersecurity update to the disclosure committee and, on a monthly basis, the information security office team delivers a cybersecurity report to the senior executive team. Also refer to Item 10, Directors, Executive Officers and Corporate Governance, for additional qualification, experience and responsibility details.
Cincinnati Financial Corporation - 2023 10-K - Page 43
Associates involved in this area stay informed of industry trends and evolving threats using various resources including government authorities, peers, continuous education, industry publications, news outlets and other external parties that provide pertinent information. We take administrative, technical and internal accounting control measures to protect against cybersecurity incidents, including actions to monitor for, prevent, detect, mitigate and remediate any incidents that occur. These measures and actions include endpoint controls, multi-factor authentication and general cybersecurity education directed at our workforce and independent agents.
From a monitoring perspective, generally speaking, our information security office associates monitor the environment for threats, events and potential incidents. Depending on the potential severity of any identified incident, the company's incident response process, modeled after National Institute of Standards and Technology (NIST) frameworks, is initiated. As part of this process, each incident is evaluated and inventoried by our incident response team and reported to our legal compliance subcommittee for further action. Depending on severity, certain other internal and external parties may participate in the incident response process from a compliance and financial reporting perspective.
Incidents, regardless of severity, are evaluated and documented and are shared with the audit committee. In 2023, the audit committee received four updates on matters related to cybersecurity. The process of evaluating and documenting individual incidents, even when not deemed material, assists in determining whether previous incidents have had, or are reasonably likely to have, a material effect on the company in the future.