Page last updated on July 27, 2025
UNITED FIRE GROUP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-26 15:57:51 EST.
Filings
10-K filed on 2025-02-26
UNITED FIRE GROUP INC filed a 10-K at 2025-02-26 15:57:51 EST
Accession Number: 0000101199-25-000012
Item 1C. Cybersecurity.
Overview
We recognize the importance of assessing, identifying, and managing risks associated with cybersecurity threats. Our cybersecurity risks are identified and addressed through a comprehensive, cross-functional approach to develop strategies for preserving the confidentiality, integrity and availability of Company and customer information, identifying, preventing and mitigating cybersecurity threats, and effectively responding to cybersecurity incidents.
Oversight
Cybersecurity risk oversight is a focus area of our Risk Management Committee and the full Board of Directors. The Risk Management Committee’s charter requires it to assist the Board of Directors in identifying and evaluating risks inherent in our business and to oversee and review the significant policies, procedures, and practices employed to manage risks. The Risk Management Committee receives a quarterly cybersecurity update from the Chief Administrative Officer (CAO), which is shared with the full Board of Directors. The Board of Directors discusses cybersecurity matters and risks on a quarterly basis or more frequently, as needed, at the recommendation of the Risk Management Committee.
The Company’s enterprise risk management committee (the “ERM Committee”) is tasked with, among other responsibilities, identifying and evaluating operational risks, which includes risks associated with information technology and cybersecurity. The ERM Committee includes senior leaders across business functions, including the Chief Executive Officer (CEO), Chief Operating Officer (COO), Chief Financial Officer (CFO), Chief Legal Officer, Chief Risk Officer (CRO) and CAO. The ERM Committee, as part of its comprehensive risk management duties, discusses Company strategies to prevent cyber-attacks and the Company’s response and remediation of threats.
The CAO provides a quarterly report to the Risk Management Committee that summarizes cybersecurity risks, relevant events and other items of note identified by management or the ERM Committee. The ERM Committee meets independently of the Risk Management Committee, with a representative from the Risk Management Committee in attendance. Certain members of the ERM Committee are invited to attend and participate in meetings of the Risk Management Committee.
In addition, we maintain internal “risk evaluation teams” dedicated to assessing and managing the entity-level risks facing the Company. There are two risk evaluation teams that relate to cybersecurity risk: Cyber-Attack Prevention and Cyber-Attack Recovery. The CAO and Vice President of Technology Operations participate in both risk evaluation teams. The CAO likewise serves on the Business Continuity Team as the business continuity technology lead, a role in which she comprehensively evaluates IT system readiness and preparedness should a business continuity event involving cybersecurity or technology interruption occur.
The lead management team member responsible for cybersecurity matters is the CAO, who has 20 years of experience in information technology and a B.A. in Management Information Systems. She is assisted by the Vice President of Technology Operations, the Information Security Manager and Corporate Counsel, Privacy. The CAO regularly reviews the lines of accountability and responsibility to ensure alignment with the ERM Committee.
Cybersecurity Program
We have adopted a Written Information Security Program (WISP) designed to align with the guidelines recommended by the National Institute of Standards and Technology (NIST).
We make ongoing continuous improvements to our information security program; specifically in the implementation of secure remote access solutions with multifactor authentication, next-generation endpoint detection and remediation, cloud-based security controls, automated scanning and outside validation of security controls.
Additionally, we require all employees to complete cybersecurity training at least annually, with additional training targeted for employees with greater data access. When a specific cyber threat is identified, we may create additional trainings with targeted content for our employees.
As part of our efforts to manage our cybersecurity risks, we have engaged an independent firm to assist with conducting penetration tests and provide advice on our information security program. We also carry insurance to mitigate losses from cyber events.
We have processes in place to oversee and identify risks from cybersecurity threats associated with our use of third-party service providers. All proposed third parties are subject to a preliminary assessment to identify those that may handle or have access to company information and scope appropriate due diligence activities relating to the engagement. Third-parties that may handle or have access to company information are subject to enhanced due diligence procedures prior to onboarding and security risk assessments at the time of onboarding, contract renewal, and upon detection of an increase in risk profile. We use a variety of inputs in such risk assessments, including information supplied by third-parties and information obtained through other channels. In addition, we require our providers to adhere to appropriate security requirements and controls, and we investigate security incidents that have impacted our third-party service providers, as appropriate.
We have established comprehensive incident response and recovery plans and intend to test and refine the effectiveness of those plans under the leadership of the Chief Human Resources Officer, who is accountable for the overall business continuity program at UFG. Our incident response and recovery plans address and guide our employees, management, and the Board of Directors on our response to a cybersecurity incident, including the requirements of notification, classification, analysis and communication of cybersecurity incidents based on the identified severity level. The ERM Committee is accountable for regularly reviewing and evaluating the corporate incident response plan and business continuity plan.
We have a process to appropriately identify and escalate incidents that would be considered “material” in nature and require disclosure under the SEC’s reporting requirements. Our identification and escalation process requires any potentially material incidents to be escalated to the CAO, who would promptly meet with the ERM Committee to determine if the incident is considered material and trigger a reporting obligation through a Current Report on Form 8-K. We did not experience any material cyber incidents since the beginning of our last fiscal year.
Cybersecurity Threats
To date, we have not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have, or are likely to, materially affect us, our business strategy, results of operation or financial condition. Refer to “Item 1A. Risk Factors” in this Annual Report on Form 10-K, for additional discussion about cybersecurity-related risks.
Company Information
Name | UNITED FIRE GROUP INC |
CIK | 0000101199 |
SIC Description | Fire, Marine & Casualty Insurance |
Ticker | UFCS - Nasdaq |
Website | |
Category | Accelerated filer |
Fiscal Year End | December 30 |