RADIAN GROUP INC - (RDN)

10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
Cybersecurity Governance and Risk Management
Information security is a significant operational risk for financial institutions such as Radian and includes the risk of loss resulting from cyberattacks.
To help mitigate this risk, Radian has designed and maintains an Information Security Program that is intended to protect our corporate data as well as data entrusted to us by our customers and partners. The Information Security Program is built on a risk-based approach that identifies and prioritizes cyber threats based on their potential impact on our strategy, operations, and assets. This program extends across all business lines and encompasses written policies on cybersecurity.
The Company has assigned executive ownership of and accountability for the Information Security Program to the Chief Information Security Officer, who leads a dedicated team of trained staff to protect the confidentiality, integrity and availability of information assets. Our Chief Information Security Officer has over 20 years of diverse industry experience, including serving in similar roles overseeing cybersecurity programs, as well as serving in numerous board and advisory capacities. Several members of the Information Security team hold advanced degrees as well as industry-recognized certifications in cybersecurity and related disciplines. The Information Security Program also utilizes third-party managed security services where appropriate.
Our Information Security Program utilizes multiple layers of security controls that are intended to protect information assets and operations. As a guideline to manage our cybersecurity-related risk, we use the National Institute of Standards and Technology Cybersecurity Framework, which outlines information security measures and controls over five functions: Identify, Protect, Detect, Respond and Recover. This does not imply that we meet any particular technical standards, specifications, or requirements. Our risk management process is designed for the purpose of identifying, assessing and mitigating potential threats and uncertainties that may impact the achievement of our business objectives. This process involves engaging relevant stakeholders, conducting regular risk assessments, and staying informed about industry-specific risks and market trends. Identified risks are evaluated based on their potential impact and likelihood of occurrence.
As a Company, we have developed key security services, including data governance, encryption, vulnerability management, systems and network monitoring, access controls, application security, threat detection, incident response, employee awareness training, and assessment of our third-party service providers. We regularly test our incident response readiness and reporting through tabletop exercises, external and internal penetration testing and internal security testing so that identified risks and incidents are escalated and communicated for appropriate remediation activities that are intended to reduce risks to an acceptable level.
Our board of directors has ultimate oversight of cybersecurity risk, which it manages in coordination with our Risk Committee as part of our enterprise risk management program. The Risk Committee regularly reviews the Company’s enterprise risk management program and Information Security Program with management and reports to the board of directors.
To maintain governance and oversight over the Information Security Program, we have established an Information Security Council and Executive Information Security Committee composed of our Chief Information Security Officer and colleagues with experience, education and ongoing training in information security, cybersecurity risk and information governance. We also utilize both internal and external auditors to provide independent assessments of our Information Security Program. Cybersecurity incidents are reviewed at least quarterly by management, the appropriate executive committees and the board of directors or its committees. The Chief Information Security Officer reports directly to our General Counsel and presents at least annually to the Company’s full board of directors about the overall effectiveness of the Information Security Program, as well as quarterly to the Risk Committee of the Company’s board of directors. Radian’s board of directors approves the written Information Security Policy and Information Security Program documents annually. Collectively, these documents describe the structure, scope, organization and requirements of the Information Security Program, as well as the responsibility and authority of the Chief Information Security Officer.
During the reporting period, we were not impacted by any cybersecurity incidents that we believe are reasonably likely to materially affect our business strategy, results of operations, or financial condition.
While the Information Security Program is reasonably designed to mitigate the risk of cybersecurity events, we cannot provide assurance that we will not be subject to a cybersecurity event. In “Item 1A. Risk Factors,” see “We could incur significant liability or reputational harm if the security of our information technology systems, or of our third-party vendors or service providers, is breached, including as a result of a cyberattack, or we otherwise fail to protect confidential information, including personally identifiable information that we maintain.”