Verisk Analytics, Inc. - (VRSK)

10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity

We remain steadfast in our commitment to safeguarding the confidentiality, integrity, availability, and responsible use of data. Our rigorous approach to cybersecurity is a comprehensive framework comprising cyber risk governance, risk identification and management, risk prevention and protection, monitoring and detection, and response and recovery planning, which is an integral part of our overall enterprise risk management ("Framework").

Cyber risk governance is founded on direction and priorities established by our leadership, supported and overseen by the Board of Directors (Board), and deployed through our Framework. The Framework leverages proven standards such as those embedded in the National Institute of Standards and Technology ("NIST") Cybersecurity Framework ("CSF"), which are generally accepted by cybersecurity leaders across industries.

The Board oversees our management of cybersecurity, including oversight of appropriate risk mitigation strategies. The Board receives regular reports from executives about our cybersecurity risks, management review processes, and our overall health and readiness to respond to an incident. As of February 2024, the Board established and convened the first meeting of the Risk Committee of the Board, which, in coordination with other relevant Board Committees as appropriate, oversees risk assessment and risk management, including but not limited to the policies, procedures and strategic approach to cyber, technology and information security risks. The Risk Committee of the Board also reports material cybersecurity risks to our full Board.

The Executive Risk Management Committee ("ERMC"), which includes the top corporate executives, is responsible for providing guidance and enforcing our Framework, including the strategies, policies, procedures, processes, and systems established by management to identify, assess, measure, monitor, and manage risks. The ERMC also reinforces the corporate risk appetite, determines whether residual risk is acceptable, and confirms materiality of security incidents.

The Enterprise Risk Management ("ERM") division oversees and advises on implementation of the Framework throughout our business units. In doing so, the ERM division aggregates and assesses risk across the enterprise. Within the ERM division is the Chief Information Security Officer ("CISO"), who leads our Cybersecurity and Information Risk Management functions. The CISO’s functions partner with the business units to help ensure that cybersecurity risk management strategies are implemented, and dedicated liaisons from the business units report to the CISO with meaningful cybersecurity risks, threats, incidents and vulnerabilities in accordance with the CISO’s reporting framework. The ERM division hosts training and awareness sessions, sponsors working groups across the enterprise on critical security topics and provides centralized cybersecurity incident response. Also within the ERM division is our third-party risk program, which implements processes to identify cybersecurity risk associated with our third-party providers. Management, including the CISO and our cybersecurity team, regularly updates the Risk Committee on our cybersecurity programs, material cybersecurity risks and mitigation strategies, and provides quarterly cybersecurity reports that cover, among other topics, third-party assessments of the company's cybersecurity programs, developments in cybersecurity, and updates to the company's cybersecurity programs and mitigation strategies.

Our business units have dedicated liaisons for risk management activities, who participate in a global security council designed to facilitate implementation of the Framework and associated policies. As custodians and/or processors of our stakeholders’ data, our business units also accept certain compliance responsibilities, including but not limited to, aspects of the General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act (CCPA), the Gramm-Leach-Bliley Act ("GLBA"), the Health Insurance Portability and Accountability Act ("HIPAA"), the Fair Credit Reporting Act ("FCRA"), and the Payment Card Industry ("PCI") standard, all to the extent applicable. For each of our business units, we seek to actively confirm that its risk management practices fulfill applicable compliance requirements.

We have adopted a defense-in-depth strategy with a wide range of measures to secure our technology infrastructure and data as per our Framework. Security measures cover the following key areas as aligned with NIST CSF: risk identification and management, risk prevention and protection, monitoring and detection, and response and recovery planning. Key control functions that comprise the security measures include but are not limited to: risk assessment, asset management, supply chain risk management, identity and access management, customer credentialing, physical security, application and infrastructure security, perimeter and network security, secure development and change management, configuration management, endpoint security, security audit logging and monitoring, security operations center, incident response, business continuity and disaster recovery.

Our cybersecurity strategy includes the engagement of strategic providers, consultants and independent assessors to inform us of cyber threats and assess the effectiveness of control design and implementation. Strategic providers include, but are not limited to, a Managed Security Service Provider for our security operations center, as well as service providers that supplement incident response processes related to threat intelligence and dark web monitoring. Independent assessors include, but are not limited to, our Internal Audit Department, which provides reports to the Audit Committee, as well as assessors that are engaged directly to perform external audits and penetration tests. Through independent assessors, our commitment to security has earned ISO 27001:2013 Certification, an international standard for best practices associated with an Information Security Management System, for our core ERM centrally provided cybersecurity services.

To date, risks from cybersecurity threats have not materially affected, and we currently do not expect that such risks are reasonably likely to materially affect, our business strategy, results of operations, or financial condition. As discussed more fully under “Item 1A – Risk Factors,” although our processes are designed to help identify, protect, detect, respond to and mitigate potential cybersecurity incidents, cybersecurity threats are rapidly evolving and we may not be able to anticipate, prevent or detect all such attacks, and there is no guarantee that a future cybersecurity incident would not materially affect our business strategy, results of operations, or financial condition.
