AMERICAN FINANCIAL GROUP INC - (AFG)
10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
AFG recognizes the importance of assessing, identifying and managing material risks associated with cybersecurity threats as defined by the Securities and Exchange Commission. Like all businesses, AFG is a target for “cyberattacks,” “ransomware,” “phishing,” “hacking” and similar illegal or unauthorized intrusions into computer systems and networks. Such events can result in significant disruptions to information technology systems, the theft of information and financial assets and reputational harm. AFG could also incur significant expenses associated with investigating and remediating any such event.
As discussed below, AFG’s enterprise risk management (“ERM”) process considers cybersecurity threat risks alongside other company risks as part of the overall risk assessment process.
AFG has adopted the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, which provides a comprehensive method for developing a flexible, repeatable, performance-based and cost-effective approach to identifying and managing cybersecurity risks. The Company uses the framework to assess and improve its security posture.
AFG utilizes a variety of techniques to provide for the availability of critical data and systems, maintain regulatory compliance, manage its material risks from cybersecurity threats and to protect against, detect, and respond to cybersecurity incidents including, but not limited to, the following:
•Conducts regular phishing testing of all employees and all members of the Board of Directors;
•Utilizes full-disk encryption on all Company laptops and desktops;
•Maintains a defense-in-depth security control strategy that is tested against high-risk threats such as ransomware and other trending attack vectors;
•Performs annual security awareness training and other routinely scheduled educational programming for employees;
•Validates compliance with internal data security controls through the use of security monitoring utilities and internal and external audits;
•Performs self-assessments measured against industry-leading cybersecurity frameworks for standards, guidelines and best practices, including the NIST cybersecurity framework;
•Regularly scans external websites and internal applications;
•Engages an external third party to conduct an annual penetration test consisting of advanced adversarial attacks against Company systems, the findings of which are investigated, ranked by risk level and tracked through remediation;
•Utilizes user protections including stringent password requirements, two-factor authentication, and timed logoffs;
•Conducts regular network and endpoint monitoring;
•Performs regular tabletop exercises, utilizing a third-party data security firm as a facilitator, to simulate a response to a cybersecurity incident where the Company uses the findings to improve its processes and technologies; and
•Purchases information security risk insurance from a third-party insurer that provides protection against the potential losses arising from a cybersecurity incident.
AFG continues to integrate the assessment of cybersecurity threat risks associated with its use of third-party service providers into its risk management process, generally at the initial engagement or renewal of the relationship. When conducting these assessments, AFG’s Enterprise Information Security Group (“EISG”) considers the risk profile of the vendor or supplier, assesses security controls with the third party and engages in contractual review to ensure appropriate security controls are in place.
AFG describes whether and how risks from identified cybersecurity threats are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition in its risk factor disclosures at Item 1A of this Annual Report on Form 10-K, which disclosures are incorporated by reference in this Item 1C.
Like others in the insurance industry, AFG experiences cyberattacks and other attempts to gain unauthorized access to its systems on a regular basis and anticipates continuing to be subject to such attempts. Over the last three years, AFG has not experienced any material adverse events and has not paid any penalties or settlements related to an information security breach.
Governance
AFG’s Audit Committee is responsible for the oversight of risks from cybersecurity threats. The full Board of Directors at least annually, and the Audit Committee at least quarterly, receives an overview from the Chief Information Security Officer (“CISO”) or another senior member of the EISG of the Company’s cybersecurity threat risk management and strategy processes, covering topics such as data security posture, results from third-party assessments, progress towards predetermined risk-mitigation goals, incident response planning, material cybersecurity threat risks or incidents and developments, and the steps management has taken to respond to such risks. In such sessions, materials including a cybersecurity scorecard and other information indicating current and emerging material cybersecurity threat risks and describing the Company’s ability to mitigate those risks are provided. Members of the Board also regularly receive educational materials, engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to AFG’s cybersecurity risk management and strategy programs.
AFG has designed its ERM program to reinforce the way the Company operates its business and reflects its culture, organizational structure and risks. The AFG Enterprise Risk Committee (“ERC”), consisting of AFG’s Chief Administrative Officer and Chief Human Resources Officer, AFG’s Chief Financial Officer, AFG’s General Counsel and Great American Insurance Company’s President, oversees the ERM process including risk identification, risk impact and mitigation strategies. Each member of the ERC directly reports to AFG’s Co-CEOs. On a day-to-day basis, the Company’s ERM process is overseen by an AFG Enterprise Risk Officer, who regularly meets with senior leaders, including the CISO, representing key areas throughout the organization. Cybersecurity risk has been identified as a significant risk monitored under the ERM program. In addition, Ms. Murray, one of AFG’s independent Directors, completed the National Association of Corporate Directors’ Cyber-Risk Oversight Program and received the CERT Certificate in Cybersecurity Oversight issued by the Software Engineering Institute at Carnegie Mellon University.
AFG has also adopted a Security Incident Response Plan (“SIRP”) that is designed to provide a management framework across Company functions for a coordinated assessment and response to potential security incidents. The AFG CISO leads and facilitates the SIRP team, which also includes AFG’s Chief Administrative Officer and Chief Human Resources Officer, AFG’s Chief Financial Officer, AFG’s Chief Information Officer, AFG’s General Counsel and Great American Insurance Group’s President and its General Counsel.
The SIRP provides for the interaction and coordination of executive, strategic and tactical teams, depending on the severity level of the incident, aimed at facilitating coordination across multiple units and departments of the Company. The incident response plan is reviewed, updated and tested at least annually. The SIRP covers the major phases of the incident response process, including preparation; detection and analysis; containment and investigation; where required, notification to federal or state regulators; eradication and recovery; and incident closure and post-incident analysis.
AFG’s cybersecurity program is directed by its EISG leadership team, which is headed by the AFG CISO and three divisional vice presidents who report to the CISO. This leadership group has collectively over 70 years of cybersecurity work experience, over 90 years of Information Technology (“IT”) experience and over 20 years of IT audit experience. This experience involved various roles related to managing information security; developing cybersecurity strategy; implementing and monitoring effective cybersecurity controls; and penetration testing. These individuals hold many industry-standard certifications, including but not limited to Certified Information Systems Security Professional, Information Systems Security Management Professional, G2700 certification, GIAC Security Leadership Certification, Certified in Risk and Information Systems Control®, Certified Information Security Manager, ITIL certification and others. The CISO also holds a master’s degree in information security. All members of this leadership team are active in their local cybersecurity communities and national conferences. They speak at local universities, local conferences and national conferences, and have conducted training sessions at international conferences such as Black Hat, an internationally recognized cybersecurity event series providing highly technical and relevant information security research. Their work has also been used in various best practice case studies by industry-leading consulting and research firms.