LOEWS CORP - (L)

10-K Filing Date: February 06, 2024
Item 1C. Cybersecurity.

Risk Management and Strategy

Identifying, assessing, and managing material cybersecurity risks is an important component of our overall enterprise risk management program. As with the management of risks generally, given our holding company structure, the management of cybersecurity risks involves coordination between the parent company and our subsidiaries.

The parent company and each subsidiary are responsible for developing cybersecurity programs appropriate for their respective entities, including as may be required by applicable law or regulation. These programs have been developed based on the National Institute of Standards and Technology Cybersecurity Framework and seek to protect each entity against cybersecurity risks and foster each entity’s ability to respond to cybersecurity events. Among other things, these programs generally involve maturity evaluations and assessments by third parties, vulnerability scanning, employee testing and training, technical and business team-focused tabletop exercises, incident response plans and data security assessments of third-party service providers as a part of vendor management.

Risks from cybersecurity threats may, in the future, among other things, cause material disruptions to our or our subsidiaries’ operations, which may materially affect our results of operations and/or financial condition. For more information about these risks, see the risk factor titled “Failures or interruptions in or breaches to our or our subsidiaries’ computer systems or information technology or communication infrastructure or those of our third party vendors could materially and adversely affect our or our subsidiaries’ operations” under Item 1A.

Governance

Our Board has assigned oversight of cybersecurity risk management to the Audit Committee. The Audit Committee regularly receives reports from our and our subsidiaries’ management, including our and our subsidiaries’ senior information technology (“IT”) leadership, and third parties on cybersecurity matters. In addition, the Board receives reports addressing cybersecurity as part of our overall enterprise risk management program and to the extent cybersecurity matters are addressed in regular business updates.

Senior IT leadership (generally, chief information officers and/or chief information security officers) at the parent company and each subsidiary are responsible for developing cybersecurity programs appropriate for their respective entities, including as may be required by applicable law or regulation. These individuals’ expertise in IT and cybersecurity generally has been gained from a combination of education, including relevant degrees and/or certifications, and prior work experience. They are informed by their respective cybersecurity teams about, and monitor, the prevention, detection, mitigation and remediation of cybersecurity incidents as part of the cybersecurity programs described above.

Information regarding cybersecurity risks may be elevated from senior IT leadership through a variety of different channels, including discussions between or among subsidiary and parent company management, reports to subsidiary and parent company risk committees and reports to subsidiary and parent company boards and board committees. As noted above, the Audit Committee regularly receives reports on cybersecurity matters from our and our subsidiaries’ senior IT leadership.