KEMPER Corp - (KMPR)

10-K Filing Date: February 07, 2024
Item 1C. Cybersecurity.
The Company has developed an information security program to assess, identify, and monitor cybersecurity risks. Each year, the Company assesses cybersecurity risks arising from the operating environment. In developing the assessment process, the Company reviews guidance from national standards organizations such as NIST and the Center for Internet Security. In evaluating the risks identified as a part of this assessment, the Company’s information security team considers the likelihood and severity of the risk and the possible impact of the risk on the Company, its customers, and its employees. These risks are then monitored by the Company’s information security team.
The Company conducts periodic testing of software, hardware, defensive capabilities, and other information security systems. Tests are conducted by both internal security teams and third-party consultants. In developing the testing procedures, the Company considers its individual risks and industry standards. Testing procedures are supplemented by executive cyber threat exercises and employee training. Executive exercises such as “tabletops” are used to develop and refine the Company’s incident response plans. Employees undergo security awareness training annually and upon hire.
As a part of its information security program, the Company addresses cyber risks posed by its relationships with third-party service and application providers. The Company assesses third parties as a part of the procurement process, including through pre-acquisition diligence. Contractual provisions based on regulatory requirements and industry standards are used in the contracting process, and the Company conducts ongoing performance monitoring of key vendors. Security audits are also performed on certain vendors to review compliance with contractual requirements and industry standards.
The Company maintains an incident response plan that includes procedures for evaluating and addressing a cybersecurity event. The initial impact of each cybersecurity event is evaluated by a designated team using pre-established risk criteria. If an event meets certain parameters, it is escalated to a cross-functional core team of executives, including the Company’s Chief Information Security Officer (“CISO”) and designated internal legal counsel. The Company has a cyber incident disclosure committee that evaluates and considers whether public disclosure of an event is required. The incident response plan identifies certain third-party advisors, consultants and legal counsel who have been designated to assist if necessary. The plan contains procedures for escalating cybersecurity incidents to the Board of Directors.
The Company’s CISO is primarily responsible for management of the Company’s information security program. The Company’s current CISO has significant experience in information security, as do members of the information security team. The Company participates in certain industry cybersecurity intelligence and risk sharing organizations, such as FS-ISAC and the Domestic Security Alliance Council.
Kemper’s information security program is an element of the Company’s broader Enterprise Risk Management (ERM) framework. This framework employs a management committee structure to review technology, compliance, and operational risks. The Company’s Enterprise Risk Committee (“ERC”), composed of the Chief Executive Officer, the Chief Risk Officer, all executive vice presidents and the head of internal audit, meets at least quarterly to oversee the Company’s ERM framework. This committee monitors the implementation of the ERM framework and makes modifications to the program from time to time as it believes appropriate. The ERC has several subcommittees that oversee particular risks, including cyber and information security.
Through its role in providing oversight for the Company’s ERM framework, the Risk Committee of the Kemper Board of Directors (the “Risk Committee”) provides oversight of the Company’s information security program. On a quarterly basis, management discusses Kemper’s information security program, cybersecurity risks, and related developments with the Risk Committee. The Risk Committee periodically reviews and evaluates information security and cybersecurity risks and provides oversight of events that have been escalated as a part of the incident response plan.