PROASSURANCE CORP 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

PROASSURANCE CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 16:21:38 EST.

Filings

10-K filed on 2024-02-27

PROASSURANCE CORP filed a 10-K at 2024-02-27 16:21:38 EST
Accession Number: 0001875246-24-000009


Item 1C. Cybersecurity.

Item 1C “Cybersecurity”). Despite the Company’s efforts to ensure the integrity of its systems and those of certain third parties, ProAssurance is increasingly exposed to the risk that its technology infrastructure and that of certain third parties could be subject to cyber-attacks and unauthorized access, such as physical and electronic break-ins or unauthorized tampering. Furthermore, it is impossible to defend against every risk being posed by changing technologies. There is no guarantee that measures taken to date will completely prevent possible disruption, damage or destruction by intentional or unintentional acts or events such as cyber-attacks, viruses, sabotage, human error, system failure or the occurrence of numerous other human or natural events. A breach of IT systems operated by a vendor, customer, or other third-party with whom we conduct business could result in a breach of the Company’s data belonging to a third-party for which the Company is responsible, or financial harm in the form of misdirection of payments for valid invoices or other obligations. Disruption, damage or destruction of any of the Company’s systems or data could cause its normal operations to be disrupted, or unauthorized internal or external knowledge or misuse of confidential Company data could occur, all of which could be harmful to the Company from a financial, legal and reputational perspective. Further, delays or difficulties in implementing or integrating new systems or enhancing current systems could cause our normal operations to be disrupted. In addition, we have migrated certain technology processes and infrastructure to the cloud and, as such, are dependent on cloud-based technology provided by third-parties for certain key aspects of our business and operations. Any disruption of or interference with our use of cloud-based technology could have a material adverse impact on our business and operations. 
The development and use of artificial intelligence presents risks and challenges that can impact our business including, but not limited to, posing security risks to our confidential information, proprietary information, and personal data and could damage our reputation or otherwise materially harm our business. We develop and incorporate artificial intelligence technology in certain of our services and plan to develop and incorporate additional artificial intelligence technology in future services. Issues in the development and use of artificial intelligence, including machine learning, generative artificial intelligence tools and large language models may result in reputational harm, liability or other adverse consequences to our business operations as well as to certain of our insureds. Our vendors may incorporate generative artificial intelligence tools into their offerings without disclosing this use to us, and the providers of these generative artificial intelligence tools may not meet existing or rapidly evolving regulatory or industry standards with respect to privacy and data protection and may inhibit our vendors’ ability to maintain an adequate level of service and experience. If we, our vendors, or our third-party partners experience an actual or perceived breach of privacy or security incident because of the use of artificial intelligence, we may lose valuable intellectual property and confidential information and our reputation and the public perception of the effectiveness of our security measures could be harmed. Further, bad actors around the world use increasingly sophisticated methods, including the use of artificial intelligence, to engage in illegal activities involving the theft and misuse of personal information, confidential information and intellectual property.

ITEM 1B. UNRESOLVED STAFF COMMENTS.

None.

ITEM 1C. CYBERSECURITY

Risk Management & Strategy

As previously discussed under the section titled “Enterprise Risk Management”, through our ERM program we have a risk management framework that recognizes the risks inherent in our operating segments as well as the risks associated with the operations of our holding company. This process includes assessing, identifying and managing material risks related to cybersecurity.

ProAssurance’s Information Systems Security department, with assistance from third-party security vendors, regularly monitors the Company’s systems for indicators of attack or compromise to mitigate the risk of cyberattacks. The Company continually enhances its cyber and information security in order to identify and neutralize emerging threats and improve its ability to prevent, detect and respond to attempts to gain unauthorized access to the Company’s data and systems. ProAssurance regularly adds additional security measures to its computer systems and network infrastructure to mitigate the possibility of cybersecurity breaches, including firewalls and penetration testing. The Company encrypts sensitive information and data and utilizes stringent access controls.

Team members are required to complete quarterly security training which encompasses a wide range of cybersecurity topics. This training informs all team members of the processes and procedures to follow in the case they encounter a possible cybersecurity threat. This training is reinforced through periodic simulated phishing tests.

The Company also evaluates the integrity and security of the technology infrastructure of certain third parties that access, process or store data that the Company considers to be sensitive, significant, or legally protected. ProAssurance reviews and assesses its third-party providers’ cybersecurity controls, as appropriate, and makes changes to the Company’s business processes to manage these risks.
Governance

While our Board is responsible for ensuring that our entire ERM process is in place and functioning, our Audit Committee has the primary oversight responsibility for risks relating to cybersecurity. Our Vice President of Information Security regularly attends and presents to our Audit Committee on material cybersecurity risks and mitigating procedures. Our Vice President of Information Security oversees ProAssurance’s information security and data privacy programs and is responsible for establishing and implementing our security strategy alongside our General Counsel, to whom the Vice President of Information Security reports directly. Our Vice President of Information Security has been with ProAssurance since 1998 and has over 25 years of IT and cybersecurity experience.

The Company has a formal process in place for identifying, handling and disclosing of material cybersecurity incidents. The Company’s Security Oversight Committee (“SOC”) includes our Chief Financial Officer, General Counsel, Vice President of Information Security, and representatives from our Internal Audit, Legal, Compliance and Information Systems departments. The purpose of the SOC is to develop and review the Information Security policies, standards and guidelines for the Company that manage Cyber Risk. Furthermore, the Company’s Code of Ethics and Conduct explicitly prohibits officers, directors, team members, or other insiders who are subject to the Code from transacting in the Company’s stock during a time when such individuals have knowledge of any material undisclosed cybersecurity incident or breach.

Effective July 26, 2023, the SEC finalized rules requiring registrants to disclose material cybersecurity incidents. Per the ruling, any cybersecurity incident deemed to be material shall be disclosed within four business days of materiality determination.
The determination of materiality related to cybersecurity incidents is subjective; however, the Company has implemented materiality consideration in its formal process. All possible cybersecurity incidents are reported to our General Counsel for consideration of materiality. Our General Counsel escalates consideration of materiality to our Chief Executive Officer, Chief Financial Officer and other corporate officers as appropriate. The Company does not utilize any third-party service providers for consideration of materiality for cybersecurity incidents. Upon determination that the Company has experienced a material cybersecurity incident, the Company will disclose the incident within four business days as required by regulation. Our Board is also notified of any material cybersecurity incidents immediately upon determination of materiality.

To date, no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company. Please refer to Item 1A, Risk Factors under the heading “Technology, Data Security and Privacy” for additional information on our cybersecurity threats.


Company Information

Name: PROASSURANCE CORP
CIK: 0001127703
SIC Description: Fire, Marine & Casualty Insurance
Ticker: PRA - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30