MGIC INVESTMENT CORP - (MTG)
10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity
MGIC’s Information Security Program includes information security policies, annual risk assessments and analyses, threat monitoring and alerting, vulnerability management, incident response, and data loss prevention controls. With this program, MGIC seeks to prevent, detect, and respond to unauthorized access, use, or disclosure of confidential information.
MGIC’s Information Risk Management (IRM) team is responsible for safeguarding the organization's information assets, data, and technology infrastructure from security threats and vulnerabilities. The IRM team’s primary focus is the protection of the confidentiality, integrity, and availability of sensitive information and compliance with relevant laws, regulations, and industry standards.
Various aspects of the Information Security Program are subject to periodic audit by the Company’s Internal Audit department or third-party professionals engaged by the Internal Audit department. Such audits vary from year to year but are generally focused on compliance with stated control activities, standards, and internal policies, as well as on maintaining the integrity and independence of the audit process. Cybersecurity risk reviews such as SOC 2, SOX controls, penetration tests, and regulatory controls are conducted by independent third parties.
The Information Security Program also incorporates a vendor due diligence process that is designed to evaluate whether a vendor or third-party service provider that receives confidential data meets MGIC’s information security governance, risk, and compliance requirements. The process includes assessing and managing the cyber risks associated with engaging third-party vendors and reviewing their information security practices.
In the event of a suspected or threatened cybersecurity incident, the Company’s Chief Information Security Officer (“CISO”) determines whether to activate the Company’s Cyber Incident Response Team (“CIRT”), which is composed of subject matter experts from applicable domains such as network, infrastructure, and application areas and which evaluates the technical issues relating to the incident. The CIRT is overseen by the CISO. If necessary, the CIRT may engage third-party cybersecurity experts to evaluate and/or remediate the incident. If the CIRT confirms that the incident involves a cybersecurity incident or a compromise of MGIC’s computer systems, the CISO will notify the General Counsel, who will advise the Chief Executive Officer (“CEO”), who is a member of the Board of Directors. In addition to advising the CEO, the General Counsel will also convene an established committee whose members include the General Counsel, Chief Financial Officer, Senior Vice President of Investor Relations, and Chief Accounting Officer in order to determine whether the event is a material cybersecurity incident that triggers an Item 1.05 filing on Form 8-K. If a determination is made that the event is material, or if the CEO or General Counsel otherwise determines it advisable, the CEO or General Counsel, or a delegate thereof, shall notify the Chairman of the Board, the Lead Independent Director, and the Chairpersons of the Board’s Business Technology and Transformation Committee (the “BTTC”) and Audit Committee.
To our knowledge, there have been no cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company.
If a cybersecurity incident were to occur, it could affect our operations, results of operations, or financial condition as described in our Risk Factors titled “Information technology system failures or interruptions may materially impact our operations and/or adversely affect our financial results” and “We could be materially adversely affected by a cybersecurity breach or failure of information security controls.”
The CISO partners with the Company’s Risk Department to promote alignment of cybersecurity risk management strategy with the broader risk management strategy for the organization. The integration of information security into the overall enterprise risk management framework enables collaboration on the identification, assessment, mitigation and monitoring of cybersecurity risks that have the potential to materially impact the operation of the Company.
The Risk Management Committee of the Board coordinates with the Board and other Board committees regarding the assignment to the Board and Committees of oversight responsibilities for all identified key risks to the Company. Risks related to cybersecurity are overseen by the BTTC. The BTTC monitors cybersecurity risks associated with both internal and external actors, including third-party vendors and service providers. Additional information about the BTTC’s role in overseeing risks related to cybersecurity and information technology generally can be found in the Committee’s Charter at mtg.mgic.com/corporate-governance/highlights.
The CISO provides quarterly updates about the Company’s cybersecurity program to the BTTC. Updates may include topics such as management’s efforts to identify and monitor risks, investments to improve the Company’s detection and response systems, the results of risk assessments, compliance with controls, vendor oversight, strategic technology planning, and if necessary, the status of any new, ongoing, or prior cybersecurity incident. The CISO also periodically attends the BTTC meetings.
MGIC Investment Corporation 2023 Form 10-K | 40
MGIC Investment Corporation and Subsidiaries
The Company’s current CISO, Jennifer Westphal, is responsible for assessing and managing the material risks posed by cybersecurity threats. Ms. Westphal has over 25 years of experience in information technology, with 18 of those years focused on cybersecurity. Ms. Westphal has been with the Company for more than ten years and was promoted to the position of CISO in January 2021. Prior to 2021, Ms. Westphal served as the Deputy CISO and before that, as the Director of Information Risk Management.