Page last updated on March 3, 2025
Employers Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 16:29:03 EST.
Filings
10-K filed on 2025-02-28
Employers Holdings, Inc. filed a 10-K at 2025-02-28 16:29:03 EST
Accession Number: 0001379041-25-000049
Item 1C. Cybersecurity.
Risk Management and Strategy

Our operations rely on the secure processing, storage, and transmission of personal, confidential, and other information. Our business, including our ability to adequately price products and services, establish reserves, provide an effective and secure service to our customers and report our financial results in a timely and accurate manner, depends significantly on the integrity, availability, and timeliness of the data we maintain, as well as the data held by our third party service providers.

We manage cybersecurity risk via expectations set by our information security and related policies, real-time monitoring of threats, and recovery where needed through incident response plans. We leverage ISO 27005, an international standard for identifying, measuring, and assessing cybersecurity risks, as a model for measuring our cybersecurity risk. The ISO 27005 model is periodically refreshed as new cybersecurity risks are identified. Our Chief Information Security Officer (CISO) leverages vulnerability detection techniques to identify new cybersecurity risks.

Our information security program is subject to periodic assessments using the ISO 27001 standard for managing cybersecurity. External security firms conduct penetration tests of our technology surface area internally and externally. Our information security program is also subject to internal and independent external audits.

We are not aware of any cybersecurity risks, including as a result of any cybersecurity incidents during 2024, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition.

Third parties with access to sensitive data or systems are subject to due diligence and ongoing monitoring. Potential new vendors and existing vendors that are known to have access to sensitive data or our systems are subject to a risk assessment process including the periodic review of independent security audits where available. Existing vendors are monitored via an automated service that rates companies’ publicly facing cybersecurity posture and identifies known vulnerabilities.

Governance

Our cybersecurity risks and strategies are overseen by both management, including our CISO, Chief Information Officer (CIO), VP, Enterprise Risk Management, Executive Risk Committee (ERC), and the Board and relevant Board committees, including the Risk Management, Technology & Innovation Committee (RMTIC). This structure reinforces that our most critical risks are effectively monitored and communicated to the Board, and management, including for the purposes of making any required disclosures in a timely manner. Cybersecurity risk assessments, subsequent findings, and response plans, including risks arising in connection with our use of vendors and third parties, are integrated within our Enterprise Risk Management framework.

Members of our senior management team have specific and relevant cybersecurity expertise and experience, including the following:

- Our CISO has more than 30 years of experience in technology and cybersecurity, he also holds multiple professional certifications in security, privacy, governance, audit, and technology.
- Our CIO has more than 17 years of experience in technology, she has directly managed global privacy, compliance, ethics, and records retention technology, has been responsible for addressing global cybersecurity risks, and has also attended multiple training programs in cybersecurity, privacy, governance, and technology.
- Our VP, Enterprise Risk Management holds a Certificate in Risk and Information Systems Controls certification and has more than 25 years of experience in managing technology delivery, vendor management, privacy, and governance.

Cybersecurity is one of several key risk categories that are evaluated and rated by the ERC on a quarterly basis. Each of our CISO, CIO, and VP, Enterprise Risk Management is a member of the ERC. The ERC reports periodically on its activities, findings, and areas of concern to the RMTIC. The RMTIC in turn reports to the Board on its oversight of cybersecurity risk.
Company Information
Name | Employers Holdings, Inc. |
CIK | 0001379041 |
SIC Description | Fire, Marine & Casualty Insurance |
Ticker | EIG - NYSE |
Category | Large accelerated filer |
Fiscal Year End | December 30 |