CNO Financial Group, Inc. - (CNO)

10-K Filing Date: February 23, 2024
ITEM 1C. CYBERSECURITY.

Risk Management and Strategy

The Company’s cybersecurity approach comprises a holistic strategy that includes comprehensive security policies and standards, a robust security awareness and education program, and the implementation of advanced and layered defenses. Our cybersecurity program is aligned with generally accepted principles and practices for securing information systems and data. The program is designed to comply with all applicable laws and regulations and uses guidance from many best practices. Our cybersecurity program, policies and controls align to those of the National Institute of Standards and Technology’s Cybersecurity Framework.

We have established and continue to enhance our procedures for identifying cybersecurity risks and implementing defenses to mitigate these risks. We devote significant resources to maintaining and regularly updating our systems and processes to protect the security of our computer systems, software, networks and other technology assets against unauthorized parties attempting to access confidential information, destroy data, disrupt or degrade service, sabotage systems, or cause other damage. Our cyber incident response plan provides procedures and controls for timely and accurate reporting of any material cybersecurity incident, and each associate is educated, trained and tested on cybersecurity to help serve as our first line of defense.

We have a dedicated Cybersecurity Services team ("CST") devoted to information security, which is led by the chief information security officer ("CISO"). In addition, our Security Operations Center provides near-real-time monitoring of network traffic going in and out of the enterprise to identify any abnormalities or indications of malicious behavior. We use managed security services providers to provide monitoring, threat hunting and response services through network and security log monitoring and a hosted security information and event management solution.

We conduct regular enterprise-wide internal and external cyber risk assessments. These efforts include audits, internal and external regulatory compliance assessments, and periodic self-assessments. Vulnerability assessments are performed frequently for systems, and internal and external penetration tests are performed annually. We periodically engage vendors to review and benchmark our cybersecurity processes. In addition, members of the CST perform regular security control assurance testing.

Our internal audit department also reviews our cybersecurity program, processes, policies and controls at least annually. The program also is regularly reviewed in annual external audits and regulatory assessments. Lessons learned from those efforts are used to drive improvements to continually strengthen the cybersecurity program, including controls for data security.

The CST works closely with the sourcing and vendor management team when contracting for third-party information technology services. Our information technology architecture review board, which includes cybersecurity leadership, reviews all potential vendors. We have comprehensive cybersecurity assessment processes and procedures in place, including security risk questionnaires, standard documentation requests, and utilization of a third-party risk evaluation tool to provide insight on potential third-party vendors. We utilize private connections (including private VPN) and extensive use of virtual desktops to secure access to our data and systems. Our legal team ensures that specific protections are included in contracts, including confidentiality language, nondisclosure obligations and security provisions.

Critical vendors are monitored by our sourcing and vendor management team. Resources contracted through a third party that will have access to corporate systems must complete CNO's associate training or their company's security awareness training that has been approved by CNO. We also perform periodic risk assessments throughout the term of the engagements, including of those third parties located outside the United States that have access to our Company and customer information.

To date, no cybersecurity threat, including from a cybersecurity incident, has materially affected our business strategy, results of operations, or financial condition.

Governance

We recognize that security is an enterprise concern and requires stakeholders from across the enterprise to understand and manage this risk. Our security management structure reflects a centralized security program that coordinates security functions across the enterprise. The CISO, who oversees the CST, reports directly to our chief information officer and is responsible for the overall strategy and function of the cybersecurity program. We also have a cybersecurity steering committee that takes an active role in setting strategic direction for cybersecurity initiatives and provides oversight and guidance for overall information security risk management. The CISO provides regular reports on our cybersecurity program and potential risks to the Audit and Enterprise Risk Committee ("AERC") of the Board of Directors. The AERC regularly briefs the full Board on these matters. One AERC member holds the CERT Certification in Cybersecurity Oversight from Carnegie Mellon University, and a second has significant work experience related to technology and data security.

Our CISO is well-qualified in the area of cybersecurity and data protection. These qualifications include: (i) 23 years of experience in cybersecurity, security risk management and IT auditing; (ii) the designation of Certified Information Systems Security Professional ("CISSP"); and (iii) a Bachelor's degree in Computer Information Systems. Our CISO also previously held the Certified Information Systems Auditor ("CISA") and Certified in Risk and Information Systems Controls ("CRISC") certifications.

Failure to maintain a reasonable and effective cybersecurity program, or any compromise of the security, confidentiality, integrity, or availability of our information systems and the sensitive, proprietary, and confidential data on such systems could lead to additional costs and liabilities, as well as damage our reputation or deter people from purchasing our products. There can be no assurance that a future breach will not occur or, if any does occur, that it can be promptly detected and sufficiently remediated without materially impacting our business or our operations. While we maintain insurance coverage that, subject to policy terms and conditions, is designed to address certain aspects of cyber risks, such insurance coverage may be insufficient to cover all losses or all types of claims that may arise in the event of a material cyber risk incident.