AMERISAFE INC - (AMSF)

10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity

We have established and implemented security measures, controls and procedures in an effort to safeguard our information technology systems and to prevent unauthorized access to these systems and any data processed and/or stored in these systems. We evaluate the adequacy of our third-party service providers’ cybersecurity measures through periodic due diligence and contractual obligations.

We analyze the probability and impact of cybersecurity risks using recognized cybersecurity standards and frameworks for our industry and have identified certain material risks from cybersecurity threats. As part of this analysis, we also work to determine whether these material risks would be a threat to our business continuity. To help minimize our risks related to cybersecurity threats and incidents, we maintain physical controls, including a centralized electronic card access control system, uninterruptible power supply units, and environmental controls; and technical controls, including firewalls, signature- and behavior-based monitoring, intrusion detection systems, encryption and backups, and mobile application management. We engage third parties in connection with our processes for assessing, identifying, and managing material risks from cybersecurity threats.

No known risks from cybersecurity threats have materially affected or are reasonably likely to materially affect our company, our business strategy, results of our operations, or our financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats. For more information about these risks, please see “Risk Factors – General Risk Factors” in this annual report on Form 10-K.

As part of our overall risk management system, we assess, identify and provide oversight over cybersecurity risks to our information technology systems and our business continuity. We have identified key risk drivers and characteristics, and have incorporated these into our risk assessment matrix, which we use for day-to-day risk mitigation. Our risk assessment matrix provides us with a means to assess the probability and impact of material risks from cybersecurity threats. As a result of this process, we have identified and implemented controls and mitigation methods to manage these risks.

The Risk Committee of our Board of Directors meets with management to review and provide oversight of certain operational areas where we have identified key risks to our business, including our cybersecurity practices. The Risk Committee reviews our strategies, governing and management framework, security principles, and training and evaluations for cybersecurity threats. As part of this review, each quarter the Chief Risk Officer presents key cybersecurity metrics and analysis to the Risk Committee.

The Chief Risk Officer manages a team that assesses day-to-day cybersecurity. We actively maintain an Incident Response Plan, and in the event of a cybersecurity breach or incident, the Chief Risk Officer leads our response and initial risk assessment to mitigate impact and initiate any recovery process. Following identification of a cybersecurity breach or incident, incidents of medium or high severity level are elevated to an Incident Response Team. In addition to leading the response to such incidents, the Incident Response Team evaluates whether an incident is material and the associated public reporting implications. Incidents that are reviewed by the Incident Response Team are promptly elevated to the Risk Committee.

The Chief Risk Officer stays informed through multiple sources: technology and cybersecurity news, bulletins from the federal Cybersecurity and Infrastructure Security Agency, Information Sharing and Analysis Center feeds, and threat intelligence feeds from multiple sources. We also utilize a security operations center that acts as a centralized hub dedicated to monitoring, detecting, and responding to cybersecurity threats.

The Chief Risk Officer holds the Certified Risk Manager designation, and has more than 30 years of technology experience, including 15 years overseeing cybersecurity processes, risk assessment and risk management.

 
