UTG INC - (UTGN)
10-K Filing Date: March 30, 2024
Item 1C. Cybersecurity
Overall Process
Cybersecurity risk management is an important and continuously evolving focus for the Company. The Company monitors its information systems to proactively assess, identify, and manage risks from vulnerabilities and assess cybersecurity threats. The Company’s process for identifying and assessing material risks from cybersecurity threats operates alongside the Company’s broader overall risk assessment process. The policies and procedures are managed by internal and external resources and are believed to be reasonably designed to prevent, detect, and respond to cybersecurity risks and incidents.
The Company’s processes and procedures include regular network, endpoint, and cloud monitoring, vulnerability assessments, and penetration testing. Periodically, the Company engages external partners to conduct audits of our systems, test our systems infrastructure, and suggest improvements. Through these channels and others, we work to proactively identify potential vulnerabilities in our information security system. The assessments, external penetration testing and internal vulnerability analysis follow the standards of the National Institute of Standards and Technology (“NIST”) – Guidelines on Network Security Testing.
The Company provides mandatory initial training, and annual training thereafter, for personnel regarding security awareness as a means to equip the Company’s personnel with the understanding of how to properly use and protect the computing resources entrusted to them, and to communicate the Company’s information security policies, standards, processes and practices. Training is supplemented by various testing initiatives, including social engineering testing.
Third-Party Access
The Company continues to make investments and partner with qualified third parties to enhance its cyber defense capabilities to monitor the evolving spectrum of cybersecurity risks in the operating environment, enhance defenses and improve resiliency against cybersecurity threats. The Company recognizes that we are exposed to cybersecurity threats associated with our use of third-party service providers. To minimize the risk and vulnerabilities to our own systems stemming from such use, we contract with a third-party consulting firm to assist us in identifying known cybersecurity threats and incidents of third-party service providers on a regular basis. In addition, we strive to minimize cybersecurity risks when we first select or renew a vendor by including cybersecurity risk as part of our overall vendor evaluation and due diligence process. A vendor management policy is in place. The vendor management policy calls for the evaluation of risk for each vendor based upon an assessment of the degree to which their relationship could expose the Company to risk in relation to the Company’s reliance on the vendor’s promise to perform and to protect customer privacy and based on the vendor’s fiscal strength.
Third parties that have access to our systems or customer data must have appropriate technical and organizational security measures and security control principles based on commercially acceptable security standards, and we require third parties in this class to agree by contract to manage their cybersecurity risks.
Enterprise Risk Management Process Integration
The Company leverages the expertise of independent consultants and audit firms to evaluate the effectiveness of our risk management systems and address potential cybersecurity incidents efficiently.
The Company utilizes a combination of third-party information security assessments, key technologies, and ongoing internal and external evaluations to provide a level of protection of non-public personal information, to continually monitor and attempt to safeguard information on its operating systems, in cloud-based solutions, and those of third-party service providers, and to prevent, quickly detect and respond to attacks. The Company also utilizes firewall technology, multi-factor authentication, complex password construction, and a combination of software and third-party monitoring to detect and prevent intrusion and cybersecurity threats, guard against unauthorized access, and continuously identify and prevent computer viruses on the Company’s information solutions.
Material Incidents
We are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition. Although we have a robust cybersecurity program that is designed to assess, identify, and manage material risks from cybersecurity threats, we cannot provide absolute surety that we have properly identified or mitigated all vulnerabilities or risks of incidents. We, and the third parties that we engage, are subject to constant and evolving threats of attack, and cybersecurity incidents may be more difficult to detect for periods of time. A cybersecurity incident could harm our business strategy, results of operations, financial condition, reputation, and/or subject us to regulatory actions or litigation which may result in fines, judgments or indictments.
Cybersecurity Governance
Cybersecurity risk management processes are an integral part of the Company’s enterprise risk management. The Company’s management team, with assistance from a third-party advisor, is responsible for the day-to-day management of cybersecurity risks faced by the Company. The Board of Directors oversees the risk management policies of the Company and is responsible for the periodic review and approval of the risk management policies.
As part of its oversight of cybersecurity and informational security risk, the Board of Directors periodically receives updates on the results of third-party testing of the systems, processes, and procedures. The Board of Directors also receives periodic updates on cybersecurity and information security risks, industry trends, and best practices. The Company has established written policies and procedures to ensure that significant cybersecurity incidents are immediately investigated, addressed through the coordination of various internal departments, and publicly reported (to the extent required by applicable rules and regulations).