HARTFORD FINANCIAL SERVICES GROUP, INC. - (HIG)
10-K Filing Date: February 23, 2024
Part I - Item 1C. Cybersecurity
Item 1C. CYBERSECURITY
The Hartford has implemented an information protection program with established governance routines for assessing and managing risks. The Hartford employs a "defense-in-depth" strategy that uses multiple security measures to protect the integrity of the Company's information assets. This "defense-in-depth" strategy aligns to the National Institute of Standards and Technology Cybersecurity Framework, under which controls are implemented throughout our environments to achieve five categorical objectives: identification, protection, detection, response and recovery.
Our "defense-in-depth" program uses several methods to protect against intrusion by a bad actor, including techniques such as reputational filtering, anti-virus scans, intrusion prevention, multi-factor authentication and account isolation, among others. We also use numerous approaches to detect ransomware and other cyber attacks, including, among others, dark web searches, email sandboxing, endpoint detection and intrusion detection. The Hartford continues to monitor and enhance its framework to respond to evolving cyber threats and data privacy regulations, including the European Union General Data Protection Regulation and the California Consumer Privacy Act.
We regularly assess our programs and control environment, leveraging externally conducted cyber tests and evaluations along with internally managed cyber risk assessments and testing. Additionally, the Company collaborates with industry associations, government authorities, peers and external advisors to monitor the threat environment and to inform our security practices.
In connection with the regular assessment of third-party service providers performed by our procurement organization, our information protection team performs a third-party assessment of each vendor's information security practices and protocols, including its readiness to protect against and respond to cybersecurity breaches. Third-party service providers are categorized in tiers depending on the significance of their operations to the Company's business processes, and risk assessments for vendors in the highest tier are completed periodically. With respect to cyber, we have procedures to verify each service provider's information security controls, and each vendor completes a cyber questionnaire that also addresses its resiliency in the event of an intrusion into its systems. We proactively communicate with suppliers to understand the mitigation steps taken when major cyber exposures are identified.
We are executing on a multi-year roadmap to, among other things, further improve our ability to defend against, respond to, and recover from ransomware and other cyber events; enhance application cybersecurity capabilities, including defenses against fraud attacks; and ensure that security capabilities are built into new cloud-based platforms that we adopt. We are also required to maintain strong cyber defense protocols in the states where we are authorized or licensed to write business. A number of states where our insurance companies are domiciled, including Connecticut, have adopted the NAIC Insurance Data Security Model Law. Our legal team monitors the status of new cybersecurity regulations, including notification requirements.
To the best knowledge of Management, no risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. For further discussion of the Company's risks related to cybersecurity, see Part I, Item 1A - Risk Factors, for the risk factor "Our businesses may suffer and we may incur substantial costs if we are unable to access our systems and safeguard the security of our data in the event of a disaster, cyber breach or other information security incident."
From a governance perspective, senior members of our Enterprise Risk Management, Information Protection and Internal Audit functions provide detailed, regular reports on cybersecurity matters to the Board, primarily through the Audit Committee, which oversees controls for the Company's major risk exposures and has principal responsibility for oversight of cybersecurity risk, and the Finance, Investment and Risk Management Committee ("FIRMCo"), which oversees business risk related to cyber insurance products. The topics covered by these updates include the Company's activities, policies and procedures to prevent, detect and respond to cybersecurity incidents, as well as lessons learned from cybersecurity incidents and internal and external testing of our cyber defenses.
The Audit Committee is provided with updates on technology and cybersecurity risks at least four times annually, including annual reviews of the Company's cybersecurity program and technology risks and controls, and bi-annual updates on operational risks (in spring and fall). Given its importance, the full Board is invited to attend the annual cybersecurity program review, and time is reserved at each Audit Committee meeting for cybersecurity and technology matters that warrant discussion between the standing sessions. In addition, our Enterprise Risk Management team provides FIRMCo with an assessment of cybersecurity insurance risk once per year. The Audit Committee, FIRMCo and the full Board are apprised, on an ongoing, as-needed basis, of developments in the external environment and business strategies that present additional potential cyber risk exposure to the Company, such as modifications to on-line platforms and expanded use of cloud-based applications. As a result, cybersecurity and cyber risk are typically discussed more frequently than the annual minimum requirements.
The Company has established an Executive Privacy & Security Council ("EPSC") that meets semi-annually. Formed in 2003, the EPSC consists of cross-functional senior leaders, including the Chief Information Officer ("CIO"), the Chief Information Security Officer ("CISO"), the Chief Risk Officer ("CRO") and the General Counsel, among others. The EPSC receives a monthly written executive briefing on topics and metrics related to cybersecurity, including incident prevention, detection, mitigation and remediation. Quarterly, the IT Risk Council, made up of senior IT leaders, is also provided with an update on cybersecurity risks and preparedness. Various other meetings are held periodically on cybersecurity topics, including monthly business operating reviews and meetings of the Enterprise Risk and Capital Committee ("ERCC") and the executive leadership team.
Both the CIO and the CISO have expertise assessing and managing cybersecurity risks. The CIO has served in her current role since 2019 and served in similar technology leadership roles before her current role. She has eighteen years of executive leadership experience in the financial services industry and twenty-eight years of overall technology experience, during which time she has led large scale business transformation, delivered innovative technology strategies and has overseen and modernized complex technology portfolios.
The CISO has held several senior-level information technology roles in his twenty-five-year tenure with the Company and has served in his current role since 2021. In his various roles, he has been responsible for providing senior leadership in the areas of information security, IT governance, risk & compliance, business continuity, and disaster recovery.