KINGSTONE COMPANIES, INC. - (KINS)

10-K Filing Date: April 01, 2024
ITEM 1C. CYBERSECURITY.


Risk Management and Strategy


We regularly assess risks from cybersecurity threats; monitor our information systems for potential vulnerabilities; and test those systems pursuant to our cybersecurity policies, processes, and practices, which are integrated into our overall risk management program. To protect our information systems from cybersecurity threats, we use various security tools that are designed to help identify, escalate, investigate, resolve, and recover from security incidents in a timely manner.


KICO’s Risk Management Committee, which is comprised of representatives of its technology team, assesses risks based on probability and potential impact on key business systems and processes. Risks that are considered high are incorporated into its overall risk management program. A mitigation plan is developed for each identified high risk, with progress reported to the Risk Management Committee and tracked as part of its overall risk management program overseen by the Corporate Sustainability and Risk Management Committee of our Board of Directors.


We collaborate with third parties to assess the effectiveness of our cybersecurity prevention and response systems and processes. These include cybersecurity assessors, consultants, and other external cybersecurity experts to assist in the identification, verification, and validation of cybersecurity risks, as well as to support associated mitigation plans when necessary.


Additionally, we require security training for all employees on a quarterly basis. The training covers a wide range of topics, including phishing, social engineering and data protection.


Risk Management


We assess and identify security risk to the organization by:

· conducting assessments of risk, including likelihood and magnitude, from unauthorized access, use, disclosure, disruption, modification or destruction of information systems and the related information processed, stored or transmitted;

· performing risk assessments and producing security assessment reports that document the results of the assessment for use and review by information technology senior leadership, including the Chief Technology Officer;

· ensuring security controls are assessed for effectiveness, are implemented correctly, operating as intended and producing the desired outcome; and

· continuously scanning for vulnerabilities and remedying all vulnerabilities in accordance with the associated risk.


We have not experienced a material cybersecurity breach in the past five years and, as a result, there have been no charges related to a breach in the past five years. Moreover, no risks from cybersecurity threats have materially affected our business strategy, results of operations, or financial condition. While we have implemented processes and procedures that we believe are tailored to address and mitigate the cybersecurity threats that we face, there can be no assurances that such an incident will not occur despite our efforts, as more fully described in Item 1A (“Risk Factors – Our business could be adversely affected by a security breach or other attack involving our computer systems or those of one or more of our vendors.”) in this Annual Report.


Monitoring


We have established a continuous monitoring strategy and program, which includes:

· a set of defined security metrics to be monitored;

· performance of security control assessments on an ongoing basis;

· addressing results of analysis and reporting security status to the executive team;

· monitoring information systems to detect attacks and indicators of potential attacks;

· identification of unauthorized use of the information system resources; and

· deployment of monitoring devices strategically within the information system environment.


Governance


Our Corporate Sustainability and Risk Management Committee of the Board of Directors has been delegated the power and authority to oversee, and make recommendations to the Board with regard to, our overall approach to risks relating to business operations, including information technology and cybersecurity. In its annual presentation to the committee, our Chief Technology Officer addressed our approach to cybersecurity, including the following topics: the confidentiality of nonpublic information and the integrity and security of our information system, our cybersecurity policies and procedures, material cybersecurity risks to us, and the overall effectiveness of our Company’s cybersecurity program.
