PROGRESSIVE CORP/OH/ - (PGR)

10-K Filing Date: February 26, 2024
ITEM 1C. CYBERSECURITY
Our business requires that we develop and maintain large and complex technology systems, and that we rely on third-party systems and applications, to run our operations and to store the significant volume of data that we acquire, including the personal information of our customers and employees and our intellectual property, trade secrets, and other sensitive business and financial information.
Our overall efforts to safeguard the information systems and confidential information critical to our operations include preventative and detective internal processes, technological defenses, and other controls designed to provide multiple layers of security protection. Our information security efforts are designed to evolve with the changing security threat environment through ongoing assessment and measurement. In our efforts to keep our data and technology systems secure, we leverage both the International Organization for Standardization (ISO) 27002 Security Framework for the body of security control requirements and the National Institute of Standards and Technology Cybersecurity Framework to assess the strength of our processes and defenses. This integrated approach to protect data and information systems is also built into our project management, development, and operations. To assess the effectiveness of our cybersecurity program and compliance with applicable rules, regulations, and laws, we employ internal resources and, regularly, external resources, to evaluate our environment, information systems, and processes.
Through appropriate risk evaluation, security assessments, and financial due diligence, we seek to protect the security and confidentiality of information provided to our vendors under service provider cloud computing or other arrangements. We also employ contractual nondisclosure requirements and use limitations consistent with our published Privacy Policy, and typically reserve the right to review third-party compliance against the required standards, where we deem appropriate.
Our response to cybersecurity threats can be initiated through several channels. Through annual user awareness training, we teach our employees to identify and appropriately respond to such threats. Our incident response program is designed to mitigate and recover from suspected and actual cybersecurity incidents and to provide all required consumer and regulatory notices regarding cybersecurity threats in a timely manner.
Our Chief Security Officer (CSO) is ultimately responsible for cybersecurity at Progressive, with management oversight of the prevention, detection, mitigation, and remediation of cybersecurity incidents. The CSO reports directly to the Chief Financial Officer and provides regular cybersecurity updates to the Chief Executive Officer, other members of the executive team, and the Board of Directors’ Technology Committee. Our CSO has served in this capacity at Progressive for more than 11 years and, prior to joining us, had over 10 years of cybersecurity experience in the banking industry. Our CSO is also a member of our Management Risk Committee, which leads our Enterprise Risk Management program, and as a member ensures that cybersecurity risks remain a focus of the overall risk management process.
The Technology Committee of the Board of Directors oversees our use of technology in business strategy as well as the major risks arising from our technology, digital and data strategies, legacy information systems, technology investments, data privacy, operational performance, cybersecurity programs, and technology-related business continuity and disaster recovery programs. The Technology Committee, which includes directors with technology and cybersecurity experience, also oversees management’s effort to mitigate these risks. Technology Committee meetings typically occur five times a year. Generally, at these meetings, our CSO briefs the committee on cybersecurity-related matters.
Our systems are regularly subjected to cybersecurity threats and incidents, and our efforts may be insufficient to prevent or defend against an incident or attack. We, and certain of our third-party vendors, have experienced attacks and incidents in the past, and there can be no assurance that we, or any vendor, will be successful in preventing future attacks or incidents or in detecting and stopping them once they have begun. Through the date hereof, risks from cybersecurity threats, including prior incidents and attacks, have not materially affected, and we do not believe are reasonably likely to materially affect, our business strategy, results of operations, or financial condition. However, we cannot guarantee that we will not be materially affected in the future. Cybersecurity risks are complex and evolve rapidly, so we must continually adapt and enhance our processes and defenses. As we do this, we must make judgments about where to invest resources to most effectively protect ourselves from cybersecurity risks. These are inherently challenging processes, and we can provide no assurance that the processes and defenses we implement will be effective. See Item 1A, Risk Factors – III. Operating Risks above for more information.