ASSURANT, INC. - (AIZ)

10-K Filing Date: February 15, 2024
Item 1C. Cybersecurity
We face a multitude of cybersecurity threats from a range of adversaries. Our vendors, clients, distributors and other third parties with whom we work face similar cybersecurity threats, and a cybersecurity incident impacting us or any of these entities could materially adversely affect our business, operations, financial condition and results of operations.
The Board has ultimate oversight of cybersecurity risk. The Board reviews management’s assessment of our key enterprise risks and its strategy with respect to each risk, including cybersecurity risks, and receives a corresponding risk management update annually. The Information Technology Committee reviews the effectiveness of our cybersecurity controls and procedures, including procedures to identify and assess internal and external risks from cybersecurity threats; controls to prevent and protect from cyberattacks, unauthorized access or other malicious acts and risks; procedures to detect, respond to, mitigate negative effects from and remediate cybersecurity attacks; and controls and procedures for fulfilling applicable regulatory reporting and disclosure obligations of the risks and costs of cybersecurity incidents. Our Chief Information Security Officer (“CISO”) briefs or provides a report to the Information Technology Committee on our cybersecurity and information security posture and program at least quarterly, including penetration test results and related remediation and significant cybersecurity incidents, and also provides an annual cybersecurity update to the full Board.
Cybersecurity risk is integrated into our Global Risk Management process. Cybersecurity risk continues to be identified as one of our key enterprise risks. Risk owners from the Management Committee, senior leadership and the Global Risk Management function have been assigned to develop risk mitigation plans, which are tracked and reported at least quarterly to the Finance and Risk Committee of the Board and annually to the Board. See “Item 1 – Business – Global Risk Management” for more information on the Global Risk Management function.
Our CISO, who reports to our Global Technology Officer on the Management Committee, has over 20 years of information technology and security program management experience, holds a Certified Information Security Manager certification and has led our information security team, including information technology compliance and risk management, since 2009. Our Global Technology Officer joined the Company in 2016 and has over 30 years of information technology experience, including leading global digital, security, infrastructure, cloud services and application teams. Prior to joining the Company in 2016, our Global Technology Officer was chief information officer at a large, publicly-traded energy company.
Our CISO has implemented a management-level governance structure and process to assess, identify, manage and report cybersecurity risks, and manage our overall information security program. The Information Security Board, led by our CISO and comprised of leaders from all of our lines of business and key functional areas such as Global Risk Management, Privacy and Compliance, as well as members of our information security team, meets quarterly, and is responsible for overseeing our information security program, including our information security strategy and related policies and standards. The information security team manages cybersecurity risks and controls, and continually enhances a global security control framework with the ultimate goal of preventing cybersecurity incidents to the extent feasible, while simultaneously minimizing the business impact should an incident occur.
We have implemented cybersecurity policies and standards based on leading industry frameworks, including the ISO 27001 standard and the National Institute of Standards and Technology Cybersecurity Framework, and regularly assess our policies and practices, including tabletop exercises, aimed at mitigating cybersecurity risks. In the event of a cybersecurity incident, we follow our Enterprise Information Security Incident Response Plan (the “IRP”), which outlines steps from incident detection to assessment, response, mitigation, recovery and notification, including to key functional areas such as Global Risk Management, Corporate Law, Privacy and Compliance, senior leadership and the Board, as appropriate. The IRP includes quantitative and qualitative incident assessment guidance and promotes engagement with multidisciplinary teams across the enterprise to facilitate real-time information sharing during a cybersecurity incident.
Employees outside of our information security team as well as third-party cybersecurity experts have an important role in our cybersecurity defenses. We require employees to participate in annual cybersecurity training and provide them with additional optional training and awareness materials, and regularly engage our employees in phishing exercises, reporting results to the Information Technology Committee. In addition, we regularly engage assessors, consultants, auditors and other third parties in our management of cybersecurity risk. For example, third parties are engaged to conduct evaluations of the maturity and effectiveness of our security program, including testing the design and operational effectiveness of security controls, penetration testing, engaging in independent audits, reviewing our policies and standards, and consulting on best practices to address new challenges. We also receive threat intelligence from government agencies, information sharing and analysis centers, and cybersecurity associations.
We rely on our vendors and other third parties, including the continued availability of their products and services, to conduct business and provide services to our clients. A cybersecurity incident at a vendor or other third party could materially adversely impact us. We assess third-party cybersecurity controls through a cybersecurity questionnaire and a review of independent cybersecurity rating assessments. Our contracts with third parties generally include security and privacy addendums where applicable and require counterparties to meet a specific standard of data security and report cybersecurity incidents to us.
While we have not experienced a cybersecurity incident that resulted in a material adverse effect on our business, operations, financial condition or results of operations, there can be no guarantee that we will not experience such an incident in the future. Although we maintain cybersecurity insurance, the costs and expenses related to cybersecurity incidents may not be fully insured. See “Item 1A – Risk Factors – Technology, Cybersecurity and Privacy Risks – The failure to effectively maintain and modernize our technology systems and infrastructure and integrate those of acquired businesses could adversely affect our business”, “ – Technology, Cybersecurity and Privacy Risks – We could incur significant liability if our technology systems or those of third parties are breached or we or third parties otherwise fail to protect the security of data residing on our respective systems, which could adversely affect our business and results of operations” and “ – Business Strategic and Operational Risks – Our inability to successfully recover should we experience a business continuity event could have a material adverse effect on our business, financial condition and results of operations” for more information.