Unum Group - (UNM)
10-K Filing Date: February 20, 2024
ITEM 1C. CYBERSECURITY
We take our responsibility for the privacy and security of the information our customers share with us seriously. Through our cybersecurity program, we constantly watch for threats to our systems and make real-time adjustments to our defenses to protect customer data and minimize service disruptions.
We identify and assess cybersecurity risks on an ongoing basis by maintaining a cybersecurity program that takes a defense-in-depth approach, with multiple layers of security controls to protect our environment. We have invested in and deployed a security operating model involving people, processes, and technology that is designed to protect against potential and known cybersecurity risks and threats. Our cybersecurity program involves collaboration with partners, including financial industry groups, to understand and incorporate best practices and to engage in cybersecurity threat intelligence sharing. Our security operations team includes internal threat hunters, such as cybersecurity engineers and analysts, who work directly with third parties to monitor the threat landscape. Alerts from monitoring are analyzed by our security teams so that we can engage preemptively to avoid or minimize the impact of potential cyber threats. Additional cybersecurity tools are used to detect and block malicious attacks, as well as to govern identity and access management, in each case to avoid or minimize the risk of unauthorized access to systems and data.
We utilize an internal global incident management team, composed of executive and senior management-level personnel, that is responsible for oversight of our business resiliency and cybersecurity incident response programs. Within our information security organization, our cybersecurity incident response team works closely with the business resiliency team across business continuity, disaster recovery, and crisis management functions to plan, prepare for, and practice responses to simulated cybersecurity incident scenarios, maintaining response readiness. In the event of a cybersecurity incident, our incident response team would assess whether to engage the support of law enforcement or other third parties. In addition to our cybersecurity incident response team, we have retainers with leading incident response organizations to augment response activities, if needed. We also conduct one or more cybersecurity incident response tabletop exercises each year with senior management and third-party experts to test our incident response plan and enhance our readiness for a potential cybersecurity incident.
Additionally, we engage an external firm to conduct an annual System and Organization Controls 2 Type 2 examination of certain cybersecurity controls, and additional third parties are engaged, as needed, to perform risk assessments, penetration testing, and other services related to cybersecurity. We rely on third-party cybersecurity software tools and services to enhance many of our cybersecurity functions, such as incident logging, network monitoring, security operations, and data loss prevention, among others. Additionally, we carry cybersecurity insurance to help reduce financial risk posed by cybersecurity incidents.
Cybersecurity risks associated with third-party service providers are managed in accordance with our Third-Party Risk Management (TPRM) program. Components of this program include cybersecurity due diligence and review of contractual terms with third parties that access our network or sensitive information. The TPRM program works to conduct appropriate review of all new third parties and performs ongoing monitoring of our existing relationships based on the risk presented by the third party.
As part of our cybersecurity program, we perform an annual cybersecurity risk assessment to evaluate our cybersecurity program and related controls. The cybersecurity risk assessment follows the guidelines published by the National Institute of Standards and Technology, which are aimed at identifying and determining the potential impact of threats and vulnerabilities and assessing the controls in place to mitigate those threats and vulnerabilities. Risks from cybersecurity threats have not materially affected, and are not reasonably likely to materially affect, our business strategy, operations, or financial condition.
Management’s role in assessing and managing cybersecurity risks is led by our Chief Information Security Officer (CISO), who is a senior vice president and officer of the Company. As of the date of this report, our CISO has over twenty years of experience in information security leadership, including leading threat and vulnerability management, cybersecurity operations and cybersecurity defense, cybersecurity incident response, and technology risk management. He holds a bachelor’s degree in computer science and several professional qualifications, including Certified Information Systems Security Professional and Information Systems Security Management Professional. The responsibilities of prevention, detection, mitigation, and remediation of cybersecurity incidents are allocated across the CISO's organization, and each organizational unit reports risks and incidents to the CISO, who in turn informs other senior management of cybersecurity incidents that may be material to the company.
Our cybersecurity program is overseen by the Information Security Committee (ISC), a cross-functional management committee whose membership includes the CISO, Chief Risk Officer (CRO), Chief Technology Officer, Chief Compliance Officer, and others. Members of the ISC possess substantial experience in risk management, finance, and information security. The ISC is responsible for ensuring that the cybersecurity strategy and program align with our overall risk strategy. Our TPRM program is overseen by the Corporate Operational Risk Committee (CORC), a cross-functional management team whose membership includes leaders from our third-party risk management, corporate services, compliance, sourcing, information technology, and business resiliency teams. The CORC is responsible for ensuring that risks to our non-insurance operational functions, including those related to third-party vendors, are identified and managed within our risk appetite, and that our TPRM program and strategy align with our overall business objectives.
The CORC and the ISC both report risks to our Executive Risk Management Committee (ERMC), which is composed of senior management from our corporate functions and business segments and is responsible for overseeing our enterprise-wide risk management program. The ERMC is chaired by the CRO, who maintains a direct line of communication with the Risk and Finance Committee (RFC) of our board of directors.
The RFC is the board committee that oversees our cybersecurity risk management. Our CISO makes quarterly reports to the RFC about material cybersecurity risks, updates to the cybersecurity program, metrics that evaluate the effectiveness of the cybersecurity program, and material cybersecurity incidents and their remediation plans. The RFC also receives timely reports from the CISO when there are significant cybersecurity incidents or updates to the cybersecurity risk assessment. The board of directors also takes an active role in overseeing cybersecurity risk, including receiving an annual report from the CISO that provides an overview of the status and effectiveness of our cybersecurity risk management program and participating in cybersecurity incident response tabletop exercises.
See "Quantitative and Qualitative Disclosures About Market Risk" contained herein in Item 7A for further information. Also see "Risk Factors" included in Item 1A for additional information regarding cybersecurity risk.