Conifer Holdings, Inc. - (CNFR)

10-K Filing Date: April 01, 2024
ITEM 1C. CYBERSECURITY

Identifying, assessing and managing cybersecurity risks is an important component of Conifer’s overall enterprise risk management program. As with the management of risks generally, given our holding company structure, the management of cybersecurity risks involves coordination between the Company and its consolidated subsidiaries.

The Company and each of its consolidated subsidiaries are responsible for developing a cybersecurity program appropriate for their respective businesses. The design of these cybersecurity programs is informed by the Center for Internet Security Critical Security Controls framework (“CISCSC”). This does not imply that these programs meet all specifications of CISCSC, but rather that we use them as a guide to help us identify, assess and manage cybersecurity risks relevant to our business. The cybersecurity programs developed by the Company and its consolidated subsidiaries include, among other things, (i) advanced threat protection and detection systems; (ii) vulnerability scanning and testing of network defenses; (iii) user authentication, role-based access, and privileged access management; (iv) data encryption, loss prevention, backup and recovery mechanisms; (v) employee training; (vi) disaster recovery testing and (vii) security assessments of third-party service providers.

Our cybersecurity risk management program is part of our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.

We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents in the past three fiscal years, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.

Cybersecurity Governance

Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity and other information technology risks. The Audit Committee oversees management’s implementation of our cybersecurity risk management program.

Our management team, including our Chief Information Officer, is responsible for assessing and managing our material risks from cybersecurity threats.