HANOVER INSURANCE GROUP, INC. - (THG)
10-K Filing Date: February 22, 2024
Risk Management and Strategy
Our business operations and strategy are highly dependent on our ability, and the ability of certain third parties, to access internal and external systems and data to perform necessary business functions. We are heavily reliant on data and information, including non-public information, as well as technology systems that process and store such data and information, the integrity and functionality of which are critical to our ability to grow our business, operate efficiently, and generate earnings. As discussed in further detail in “Risk Factors” in Part I – Item 1A, and like others in the financial services industry, we have from time to time experienced, and are likely to continue to experience, security events and data intrusions, and while none of these events to date have had a material adverse effect on our business, no assurances can be made that such attacks or security events will not have a material adverse impact on our business, results of operations or financial condition in the future, due to impairments in our ability to conduct our business or harm to our relationships with our business partners and customers.
We have established an enterprise-wide cybersecurity program that provides overall governance, direction and executive support for assessing, identifying and managing cybersecurity risks. Our cybersecurity program is based upon leading industry frameworks including the National Institute of Standards and Technology Cyber Security Framework, International Organization for Standardization, and Control Objectives for Information and Related Technologies. Our cybersecurity program is designed to identify relevant assets and associated risks, protect against, detect, respond to and recover from cybersecurity events, and employs a “defense in depth” strategy that uses multiple security measures to protect the confidentiality, integrity, and availability of our systems and information assets. We continually assess our cybersecurity and threat detection capabilities, including our proficiency in identifying emerging tactics, techniques, and procedures of threat actors, in order to enhance our ability to focus resources appropriately.
Our cybersecurity program incorporates ongoing risk management practices such as risk identification and the maintenance of a cyber risk register, threat intelligence tracking, identification and monitoring of key controls using key performance indicators, the performance of independent control effectiveness testing by internal audit, annual third-party risk assessments, external penetration testing, and cyber incident response exercises. Our cybersecurity program also incorporates processes intended to help anticipate emerging technology innovation, utilizing a security capability map as a resource in combination with our cyber risk and enterprise risk assessment processes, to inform and prioritize investment decision-making in connection with the cybersecurity program. Additionally, we collaborate with industry associations, government authorities, peers and external advisors to monitor the threat environment and to inform our security practices, including for industry best practices for cybersecurity programs and capabilities, incident response processes, legal and regulatory developments, and experiential guidance. Our cybersecurity risk management activities are integrated in our overall enterprise risk management processes, so that cyber risks are assessed in the context of other risks relevant to our overall enterprise risk profile, to inform the organization’s decision-making and planning.
We have implemented a third-party risk management process that assesses the inherent risks of third-party service providers and informs our engagement with, contracting with, and oversight of such parties. Through this process, our information security personnel, in collaboration with our vendor management operations, evaluate the information security and business continuity capabilities, risks and vulnerabilities of prospective and existing service providers.
We manage information security incidents pursuant to a documented incident response plan executed by an incident response team consisting of senior leaders and their team members who are integral to effective incident response management, including but not limited to representatives from information security, legal, compliance, risk management, communications, facilities, operations, marketing and distribution, finance, and human resources, as well as external, nationally recognized legal and forensics resources who are familiar with our operations and incident response team, and who routinely participate in our tabletop training. We employ a formal incident escalation process based on the nature of the incident and its risk severity, for alerting and engaging with executive leadership and members of our Audit Committee and Board of Directors. The incident response plan includes processes integrated with our business continuity and emergency response plans.
Governance
Our Board of Directors monitors the major risks we face, including cybersecurity and operational risks, and reviews management’s plans for mitigating or remediating such risks. The Board has designated the Audit Committee, which oversees controls for our major risk exposures, to have principal responsibility for monitoring management’s cybersecurity risk management program and associated risks. The Audit Committee reviews management’s overall approach to managing and mitigating our exposure to data security and privacy risks, and reviews information technology’s program to monitor and assess data security and the related efforts associated with cybersecurity, considering, among other things, emerging cybersecurity developments and threats. Our Chief Information Security Officer (“CISO”) and Chief Information and Innovation Officer (“CIIO”) provide regular reports and update briefings on cybersecurity matters to the Audit Committee. The topics covered by these briefings routinely include a review of top cybersecurity threats and exploits, a review of the recurring internal risk assessments and annual cyber risk assessment performed by third parties, key updates to the cyber risk management program, cybersecurity risk-mitigating controls, strategic planning considerations, security and infrastructure investments, regulatory and compliance updates, and cybersecurity incident updates, among other topics.
Our CISO is a certified information security manager, and has primary responsibility for our cybersecurity program, and the management and oversight of our information security department. Our CISO has more than 20 years of experience in information technology, including 13 years of cybersecurity experience, all of which has been in the property and casualty insurance industry. We have a diverse information security team with varying backgrounds, years of experience and levels of information security certification. Our CISO reports directly to our CIIO, who reports directly to our Chief Executive Officer (“CEO”). The CISO and CIIO routinely inform and advise executive management of salient aspects of our cybersecurity program, and developments related to key risks, threats and data incidents, addressing in further detail the matters noted above that are reported to the Audit Committee. Members of the information security team participate in our Enterprise Risk Management Group consisting of senior leaders who meet regularly to assess new and emerging risks to the organization, including cybersecurity risks.