SELECTIVE INSURANCE GROUP INC - (SIGI)
10-K Filing Date: February 09, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
Our business heavily relies on various IT and application systems that contain proprietary and confidential information about our operations, employees, agents, claimants, customers, and their employees and property, including personally identifiable information. These systems are connected to and/or accessed from the Internet, making them susceptible to cyber-attacks. A cyber-attack on our systems, distribution partners and their key operating systems, or any other third-party partners or vendors and their key operating systems may materially affect us. Potential impacts include prolonged interruption of our business operations, reputational harm, or substantial monetary damages. For a detailed description of the risks related to cybersecurity, refer to the "Risks Related to our General Operations" section in Item 1A. "Risk Factors." of this Form 10-K.
We have a dedicated unit, led by the Senior Vice President ("SVP") of Enterprise Strategy and Execution, to implement cybersecurity controls, assess and report on cybersecurity risks, and consult with our ERM unit, which is responsible for identifying, measuring, monitoring, and reporting on key enterprise-wide risks, including cybersecurity risks.
We work with industry-leading security consulting and technology partners and employ a "defense-in-depth" approach that uses multiple security measures to protect the integrity of our proprietary and confidential information. This approach aligns with the National Institute of Standards and Technology Cybersecurity Framework and provides preventative, detective, and responsive measures to identify and manage risks. We periodically review our strategy and modify its implementation based on threat trends, program maturity, the results of assessments, and the advice of third-party security consultants. We have documented policies, procedures, and guidelines related to information security, known as our "Written Information Security Program." Our program (i) balances responsiveness to rapidly changing threats with ensuring our IT security environment's sustainability and overall effectiveness and (ii) is reasonably likely to defend against risks of cybersecurity threats that would have a material impact on our business strategy, results of operations, or financial condition. This program focuses on the following six key areas used to monitor various IT performance and security metrics:
• Proactive cybersecurity processes, including vulnerability scanning, penetration testing, and periodic program assessments by outside security consultants and assessors;
• Reactive cybersecurity processes that we regularly evaluate using incident response and disaster recovery exercises based on realistic scenarios;
• Endpoint technology that includes encryption, threat management, monitoring, investigation support, and backups;
• Identity and access management controls that often include multi-factor authentication and additional safeguards for staff granted elevated privileges;
• Employee cyber risk awareness and training that covers cybersecurity threats and actions to prevent or report attacks; and
• Third-party risk management and security standards, including due diligence, continuous monitoring, cyber risk scoring, and contractual obligations. We review third-party control environments when possible and practical, aligning the risk exposure with our business requirements and risk tolerances.
Board Governance and Management
The Executive Vice President ("EVP") & Chief Information Officer ("CIO") and the SVP of Enterprise Strategy and Execution provide quarterly written and in-person updates on the strength of our cyber risk control environment, emerging cyber threat issues, and the results of external assessments by outside security consultants and assessors to the Board’s Audit Committee, which was responsible for the oversight of our ERM process in 2023. Effective January 1, 2024, the Board created a Risk Committee responsible for oversight of our ERM framework and practices, and to assist the Board in overseeing our operational activities and identifying and reviewing related risks, including our cyber risks and strategy.
In addition, the cybersecurity team, managed by the SVP of Enterprise Strategy and Execution, receives oversight and executive support through engagement with our ERC. The ERC is responsible for the holistic evaluation, management, and supervision of our aggregate risk profile. Similarly, the team works with our ERM function on business alignment and procuring cybersecurity insurance.
The following describes the expertise of key members of management and our committees who are responsible for assessing, managing, and presenting quarterly updates to the Board’s Risk Committee about our cybersecurity risks:
• John Bresney, EVP & CIO, reports directly to our Chief Executive Officer and is responsible for all of our IT operations, including oversight of the SVP of Enterprise Strategy and Execution’s implementation of our cybersecurity program and enforcement of our cybersecurity policies. We have employed him for approximately 30 years, and he has held various technology and information security roles of increasing responsibility. He has a bachelor’s degree in information systems and business, a Master’s Certificate in Project Management, and a Columbia University CIO Program Certificate.
• Robert McKenna, SVP of Enterprise Strategy and Execution, reports to our CIO and leads the implementation of our cybersecurity program, enforcement of our cybersecurity policies, technology planning, projects driving IT strategy, and enterprise IT risk management. He also oversees cybersecurity incidents under our Security Incident Response Plan ("IRP"). We have employed him for approximately 21 years in related positions of increasing responsibility. He has over 27 years of technology and information security experience. He has a master’s degree in business administration, a Certificate in Project Management, and is a Certified Insurance Counselor.
• Christopher Cunniff, SVP and CRO, reports formally to the Chief Financial Officer and on an interim basis to our Chief Executive Officer, leads our Reinsurance and ERM teams, and chairs the ERC and the Emerging Risk Committee. We have employed him for approximately six years, and he previously was our SVP of Actuarial Reserving. He has over 32 years of insurance industry experience, serving in various key leadership positions. He has a bachelor’s degree in mathematics, is a fellow of the Casualty Actuarial Society, and is a member of the American Academy of Actuaries.
Our IRP describes the circumstances that require internal and external notifications of cybersecurity incidents that (i) relate to any of our computer systems or networks and compromise the confidentiality, integrity, or availability of the systems or networks, (ii) compromise the confidentiality, integrity, or availability of any sensitive data that belongs to us or a third party and is in our care or custody, or (iii) involve one or more third parties with whom we share sensitive data. It describes the (i) involvement of the SVP of Enterprise Strategy and Execution, (ii) escalation process of such incidents to senior management, including the General Counsel, CIO, Chief Financial Officer, CRO, and Chief Executive Officer, (iii) reporting process to the Risk Committee and Board, and (iv) the notification and disclosure process to customers, distribution partners, regulators, and the SEC. The IRP also provides guidance on how to evaluate potential cyber events and suspicious cyber occurrences. We engage outside legal counsel and technical experts to regularly review the IRP and use internal teams and outside advisors with specialized skills to support response and recovery efforts involving proprietary and confidential information.
For additional information on our overall corporate governance structure and internal process of assessing our other significant risks, see the "Corporate Governance, Sustainability and Social Responsibility" section in Item 1. "Business." of this Form 10-K.