CNA FINANCIAL CORP - (CNA)
10-K Filing Date: February 06, 2024
ITEM 1C. CYBERSECURITY
CNA’s information security and data privacy programs are designed to protect the confidentiality of nonpublic, sensitive personal and business information and the integrity and security of our information systems. These programs include processes that provide guidance for information security decision-making and risk management, together with standards intended to promote understanding of and compliance with applicable laws and regulations. Administrative and technical safeguards that seek to mitigate cybersecurity threats and secure the Company’s information assets are also addressed on a risk-based basis. We have designed our enterprise-wide information security programs consistent with industry standards using the National Institute of Standards and Technology Cybersecurity Framework. These programs include processes implemented within our third-party risk management unit designed to identify, mitigate and monitor cybersecurity risk relating to vendors, suppliers and external partners who have access to our confidential information or our information systems. CNA engages both internal auditors and third-party information security experts to review the foregoing processes.
CNA monitors information security metrics globally. To elevate this information within the organization, our Chief Risk & Reinsurance Officer (CRRO) and Chief Compliance Officer (CCO) present cybersecurity reports and metrics to the Audit Committee of our Board of Directors every quarter. Reports address security events, third-party risk and vulnerabilities, including material risks from cybersecurity threats, and any significant unauthorized occurrences. These discussions are part of our overall enterprise risk management and also take place on at least an annual basis with the full Board of Directors, which is responsible for overseeing material risks, including cybersecurity risk, on an enterprise-wide basis.
At the senior management level, our Chief Information Security Officer (CISO) oversees CNA’s information security and data privacy programs and is responsible for establishing and implementing the security strategy alongside the Chief Information Officer (CIO), to whom the CISO reports directly. The CIO serves on the Enterprise Risk Committee, which is chaired by the CRRO.
The CISO leads the Information Security group within Information Technology, which manages the controls designed to identify, detect, protect against, respond to and recover from cybersecurity threats and cybersecurity incidents. This group includes a cybersecurity operations team that is responsible for information technology security monitoring and incident response activities, the latter including coordination of the response to cyber-attacks under the leadership and direction of the CISO. The Company engages in a continuous risk monitoring process that seeks to identify the likelihood and impact of internal and external threats to our information security systems and data, and assesses whether the controls in place mitigate these threats to acceptable levels on a risk-based basis. The CISO and CIO together lead efforts to design, implement and operate the controls deemed necessary, commensurate with the materiality and criticality of identified risks and the sensitivity of the information assets and systems used throughout the organization. Our current CISO has a bachelor’s degree in Computer Information Systems and a master’s degree in Cybersecurity, and has over 20 years of experience building and executing information and cybersecurity strategies. Prior to joining CNA, our CIO served in a variety of business and technology roles at another major U.S. insurance company, and has over 20 years of experience working with major U.S. Property & Casualty insurers.
Threats of security incidents and the impact of actual security incidents are initially assessed and managed by the CISO and CIO as described above. CNA has further implemented response plans that provide the basis for appropriate response to an unauthorized occurrence from a technical perspective, as well as from disclosure and regulatory perspectives.
These response plans also set forth the processes for internal reporting of a substantive unauthorized occurrence. The CISO reports such matters to the CIO and to the CCO, who is responsible for convening a team of cross-enterprise leaders to ensure a comprehensive response to the occurrence. This group also analyzes unauthorized occurrences affecting CNA’s or third parties’ IT systems or sensitive information, and directs the activities of CNA in responding to such incidents.
In addition, the group, under the leadership of the CCO, undertakes the appropriate internal notifications of any such occurrence, and responsive activities, to the General Counsel, Chief Executive Officer, Chief Financial Officer and Board of Directors.
To date, no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company. Please refer to “Any significant interruption in the operation of our business functions, facilities and systems or our vendors’ facilities and systems could result in a materially adverse effect on our operations” and “Any significant breach in our data security infrastructure or our vendors’ facilities and systems could disrupt business, cause financial losses and damage our reputation, and insurance coverage may not be available for claims related to a breach” under Item 1A Risk Factors.