ALLSTATE CORP - (ALL)

10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity
Governance
The Allstate Corporation Board of Directors (“Allstate Board”) has overall responsibility for oversight of enterprise risk.
The Audit Committee of the Allstate Board oversees the effectiveness of the cybersecurity program. The Audit Committee retains an external cybersecurity advisor to consult on cybersecurity matters and perform assessments of the Allstate Information Security Program.
The Chief Information Security Officer (“CISO”) regularly updates the Audit Committee and Allstate Board on Information Security Program status, cybersecurity risk management, the control environment, emerging threat intelligence and key risk and performance measurements. In addition, the CISO provides updates to senior leadership, the Audit Committee and the Allstate Board, as appropriate.
Jeffrey Wright is senior vice president and CISO for Allstate. He is responsible for the development and execution of the security strategy which protects Allstate’s information from external and internal cybersecurity threats. Mr. Wright has more than 20 years of information security leadership experience.
Risk Management and Strategy
The Enterprise Risk and Return Council has delegated the power and authority to manage cybersecurity risks to the Information Security Council (“ISC”). The CISO chairs the ISC, with senior management representation from across the Company including representatives from Privacy, Legal and Technology. The ISC monitors, makes mitigating decisions about, and escalates information security risks that are outside the Company’s established risk tolerance. Additionally, it provides executive sponsorship of information security controls and oversees the development and review of the information security policy and enterprise security standards.
Allstate evaluates candidates for information security positions based on experience and qualifications. Senior leadership, team leads and subject matter experts conduct interviews to identify top candidates who represent the technical and behavioral acumen required of cybersecurity professionals at Allstate. Allstate provides cybersecurity employees with continuing education associated with their roles and responsibilities.
Information Security Program
Allstate has implemented a robust Information Security Program to manage material risks from cybersecurity threats. The Company’s Program uses a risk-based, defense-in-depth approach to identify, assess and manage cybersecurity risks to the Company’s information assets and systems, enabling the business to achieve its objectives. The Information Security Program is aligned with industry best practices and standards including the ISO 27001/27002 standards, the Control Objectives for Information and Related Technologies Framework and the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”).
The Allstate Corporation 31
2023 Form 10-K Part I - Item 1A. Risk Factors and Other Disclosures
Allstate conducts risk and control assessments to proactively identify and assess the likelihood and impact of specific information security risks using the NIST CSF. The Company conducts these risk assessments at multiple levels of scope, including applications, business processes, business units, and enterprise. Allstate documents the identified risks, tracking them based on potential impact and the likelihood that harm might occur. The Company manages the risks in accordance with its Information Security Program.
Allstate’s Information Security Program outlines the responsibilities and expectations for the security of Allstate information systems. The Program includes standards, policies and procedures requiring the implementation of technical, administrative and physical controls to manage the risk to Allstate information and systems. These standards, policies and procedures cover industry-standard information security domains, including risk assessment, third-party supplier risk management, vulnerability management, identity and access management, application security, network security, cybersecurity awareness training, encryption and incident management.
Allstate conducts periodic assessments designed to evaluate the effectiveness of implemented controls. The Company performs vulnerability scans and penetration tests to assess controls and proactively identify vulnerabilities for prioritization and remediation. Findings are managed and tracked in accordance with Allstate’s governance, risk and compliance standards.
Dedicated personnel support information security operations 24 hours per day, seven days per week. Allstate’s incident response program is designed to detect, respond to and recover from a range of cybersecurity-related incidents.