ATLANTIC AMERICAN CORP - (AAME)

10-K Filing Date: April 01, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

The Company’s operations rely on the secure processing, storage, and transmission of confidential and personally identifiable information within various technology platforms. Cybersecurity is a high priority and the Company has made significant investments in its processes and programs designed to prevent, detect, respond to, and recover from cybersecurity threats. We also have processes in place to help ensure compliance with our information security program with respect to our use of third-party service providers. Such processes and programs are a part of the Company’s overall risk management and compliance programs. The Company continues to enhance its intrusion protection and detection technology, infrastructure and application firewalls, and network monitoring. The Company has also installed advanced endpoint threat protection technology and implemented a mandatory security awareness training program for all employees. This training is reinforced through periodic simulated phishing tests to assess our employees’ responses to suspicious emails.

The Company uses a sophisticated backup and recovery methodology that supports the replication of data across multiple secure data centers. It also includes a comprehensive disaster recovery plan that is continually tested and designed to help enable us to resume business in the event of a disaster or cybersecurity incident. Through recurring internal and external audits, controls are regularly reviewed, tested, and enhanced to promote best practices. The Company has augmented our information security program through a partnership with a leading global cybersecurity service provider to review and implement additional services such as Security Event Monitoring, Advanced Endpoint Threat Detection, Incident Management Retainer Services, and Strategic Advisory Services focused on Chief Information Security Officer (CISO) duties such as counter-threat intelligence.

Our information security program also includes a cybersecurity Incident Response Plan (“IRP”) that is designed to help protect the integrity, availability and confidentiality of information, prevent loss of service, and comply with legal requirements. The IRP specifies the process for identifying and reporting an incident, initial investigation, risk classification, documentation and communication of incidents, responder procedures, incident reporting, and ongoing training. The IRP also includes processes for determining the materiality of the incident, including the assessment of relevant qualitative and quantitative factors. In the event we identify a potential cybersecurity, privacy or other data security issue, we have defined procedures for responding to such issues, including procedures that address when and how to engage with Company management, our board of directors, third-party advisors and other stakeholders.

The Company also maintains dedicated cyber liability insurance for breach event costs including: post breach event remediation costs; cybercrime coverage (including financial fraud, telecommunications fraud, and phishing attacks); and coverage for system failure, bricking loss, and physical damage. The policy also provides coverage for lost revenue due to a damaged reputation from a cyber breach.

We do not believe any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the Company or our business strategy, results of operations, or financial condition.

Governance

Our board of directors recognizes the important role of information security and mitigating cybersecurity and other data security threats. Although our full board of directors maintains ultimate responsibility with respect to risk management oversight, our board has delegated oversight of the Company’s information security program and matters of cybersecurity to the Audit Committee of the board of directors. The Company’s senior officers, including its Chief Information Officer, are responsible for the operation of the information security program and regularly communicate with the Audit Committee on the state of the program, risks faced by the Company and the Company’s risk mitigation efforts related thereto.

In addition, the Company’s information technology environment is managed by an experienced team of professionals who follow an extensive set of policies and procedures related to data security. Our data security employees have backgrounds in cybersecurity and data protection, including prior relevant experience in the industry and industry standard certifications.
