MERCURY GENERAL CORP - (MCY)

10-K Filing Date: February 13, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
A. Processes for Assessing, Identifying, and Managing Material Risks from Cybersecurity Threats
The Company has developed and implemented a cybersecurity risk management program designed to protect the confidentiality, integrity, and availability of its critical systems and information. The Company's cybersecurity risk management is integrated into and embedded in its overall enterprise risk management framework, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.
The Enterprise Risk Management Committee oversees cybersecurity risks Company-wide while the Company’s Chief Technology Officer (“CTO”), a member of the Enterprise Risk Management Committee, oversees the Information Security business unit's cybersecurity management programs and activities. The Company’s cybersecurity risk management program includes the following key elements:
a formal cybersecurity risk assessment designed to help identify material cybersecurity risks to the Company’s critical systems, information, services, and its broader enterprise information technology environment, led by the Company's Information Security business unit and reported to its Enterprise Risk Management Committee;
a team composed of information security, information technology, infrastructure, and compliance personnel responsible for directing the Company’s cybersecurity risk assessment and security processes and its cybersecurity incident response;
a third-party cybersecurity service provider, engaged as needed, to conduct independent review and testing of the Company's cybersecurity risks and report to the Company;
systems for protecting information technology systems and monitoring for suspicious events, such as threat protection, firewall and anti-virus software;
cybersecurity awareness and prevention training for all employees;
a Security Incident Response Plan designed to respond to cybersecurity incidents, which is regularly tested;
a Vendor Risk Management Process for vetting third party service providers with access to the Company’s information technology systems.
The Information Security business unit regularly evaluates the Company's cybersecurity risk profile and reports to the Board of Directors (the “Board”). In the event that a significant cybersecurity incident is identified, the Company engages a third-party cybersecurity incident response consultant, as needed, to provide an independent evaluation of the incident.
B. Oversight of Cybersecurity Risks Associated with Third Party Service Providers
The Company oversees and identifies material risks from cybersecurity threats related to its use of third-party service providers in accordance with its Vendor Risk Management Process. The contracts with service providers are reviewed during the onboarding process, renewal periods, and as necessary. The contracts require service providers to report cybersecurity incidents that impact the Company's data or information systems or that can otherwise disrupt its operations to the Company on a timely basis.
C. Impact of Cybersecurity Threats on Business Strategy and Results of Operations
The Company has experienced cybersecurity incidents in the past, and has been impacted by cybersecurity incidents experienced by its service providers, but none has materially affected the Company's operations. The Company has not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected the Company, including its operations, business strategy, results of operations, or financial condition. The Company faces certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect the Company, including its operations, business strategy, results of operations, or financial condition. See "Risks Related to Technology and Cybersecurity" in "Part I – Item 1A. Risk Factors" for additional information.

Governance
A. Board of Directors' Oversight of Risks from Cybersecurity Threats
The Company’s Board considers cybersecurity risk as critical to the enterprise. The full Board oversees the Company’s Enterprise Risk Management program which incorporates cybersecurity risks together with other top operational, reporting and compliance risks the Company manages. The full Board is kept apprised by Management of the Company’s cybersecurity risk assessment results, and an escalation process exists to inform the Board of high-severity cybersecurity incidents that may occur. In addition, the Board periodically engages independent third-party technology experts to test the Company’s information technology systems, including cybersecurity.
The Company's Enterprise Risk Management Committee provides the Board with an overview of cybersecurity risks regularly. Additionally, the Company's Chief Executive Officer (“CEO”) provides the Board with an Information Security Incident Report for Board meetings, which summarizes new incidents that did not require "off-cycle" escalation to the Board, and status updates on previously reported high severity incidents, as well as a cybersecurity incident analysis report issued by a third-party cybersecurity service provider.
B. Management’s Role in Assessing and Managing Material Risks from Cybersecurity Threats
The Company's Information Security business unit primarily manages the day-to-day operations of monitoring cybersecurity risks to the Company's information systems, takes prevention, detection, and remediation measures for cybersecurity incidents, makes initial assessment of reported cybersecurity incidents, and reports such incidents to the Company's CEO, Chief Operating Officer (“COO”), CTO, Board and Enterprise Risk Management Committee as well as certain regulatory bodies, as needed. The following five management personnel are primarily responsible for assessing and managing the Company's material risks from cybersecurity threats:
Gabriel Tirador, Chief Executive Officer: The Company’s CEO, along with its COO, oversees the Technology team who monitors the Company’s information technology systems for suspicious events. The Company’s CEO reports to the Board regarding cybersecurity incidents and issues. The Company’s CEO, COO and CTO oversee the use of third-party cybersecurity consultants by the Information Security business unit to engage in periodic evaluations. Mr. Tirador has over 30 years' experience in the property and casualty insurance industry and in the Company and is an inactive Certified Public Accountant. As CEO of the Company, he has overseen its Technology business unit for over 20 years, among other business units.
Victor Joseph, President and Chief Operating Officer: The Company’s President and COO oversees the technology team who monitors the Company’s information technology systems for suspicious events. Mr. Joseph has overseen the technology team since 2022. Mr. Joseph has been employed by the Company in various capacities since 2009, and was appointed Executive Vice President and COO in January 2022 and President and COO in January 2024.
Theodore R. Stalick, Senior Vice President and Chief Financial Officer: The Company’s CFO oversees its enterprise risk management program which, among others, includes oversight of cybersecurity risk management, and serves as Chairperson of the Company's Enterprise Risk Management Committee. Mr. Stalick has been the Company's CFO since 2001. Mr. Stalick is a Certified Public Accountant and has a Bachelor's Degree in Business Administration, Accounting and Finance concentration, and an MBA, Business Analytics concentration.
Wilson Pang, Vice President and Chief Technology Officer: The Company’s CTO regularly provides the Board with updates on cybersecurity risk management or significant reported cybersecurity incidents. The Company’s CTO works with the Company’s CEO, COO and Head of Information Security to determine the severity of cybersecurity incidents. The Company’s CTO also works with its Head of Information Security to direct action in the event of a severe cybersecurity incident. Mr. Pang has over 20 years’ experience in the technology industry. He has served in Chief Technology Officer and Chief Data Officer roles in several public companies and has deep expertise in technology, data, and artificial intelligence. He has a Master’s and a Bachelor’s Degree in electrical engineering.
Dustin Howard, Head of Information Security: The Company’s Head of Information Security supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external cybersecurity service providers; and alerts and reports produced by security tools deployed in the information technology environment. The Company’s Head of Information Security also oversees the creation of remediation action plans with the affected business units. Mr. Howard has over 30 years’ experience managing various aspects of information technology, and has extensive expertise in information security, compliance, and information technology infrastructure and service delivery. He has served in Head of Information Security, Chief Information Officer and Vice President roles in several public companies and has maintained Certified Information Systems Security Professional (“CISSP”) certification since 2001. He has a Bachelor’s Degree in Business Administration and a Master’s Degree in Information Systems.
The five management personnel above also serve in the Company's Enterprise Risk Management Committee and are informed about and discuss updates to the cybersecurity risk management programs and cybersecurity incidents, including any prevention and detection measures as well as mitigation and remediation measures for any reported cybersecurity incidents. The Enterprise Risk Management Committee oversees the Company's overall risk management processes that include oversight of material risks from cybersecurity threats. The CEO and CFO are also members of the Company's Disclosure Committee. The CTO and Head of Information Security participate in Disclosure Committee meetings, as needed, to facilitate discussion and provide information on cybersecurity incidents reported. The CEO, CTO and Head of Information Security provide the Board with information and updates on cybersecurity risks and incidents as in-house technology and cybersecurity experts during Board meetings or as needed.
Depending on the nature and severity of the reported cybersecurity incidents, the Enterprise Risk Management Committee may recommend activation of the Crisis Management Plan under the Company's Business Continuity Management Program. The Disclosure Committee is informed by the CEO of significant cybersecurity incidents for purposes of determining materiality.