Page last updated on February 20, 2026
HANOVER INSURANCE GROUP, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-20 13:43:12 EST.
Filings
10-K filed on 2026-02-20
HANOVER INSURANCE GROUP, INC. filed a 10-K at 2026-02-20 13:43:12 EST
Accession Number: 0001193125-26-060983
Item 1C. Cybersecurity.
Risk Management and Strategy

Our business operations depend heavily on the ability of our employees, agents, brokers, claims vendors, catastrophe response partners, cloud providers, and other third parties to access internal and external systems and data needed to perform essential insurance functions. We rely on the confidentiality, integrity, and availability of large volumes of data and information, including non-public information, and on the technology systems that process and store such information. These systems are critical to underwriting, pricing, claims handling, policy servicing, reinsurance management, financial reporting, and other activities important to our ability to grow our business, operate efficiently, and generate earnings.

As described in "Risk Factors" in Part I Item 1A, we and our third-party service providers have experienced, and are likely to continue to experience, cybersecurity events and data incidents. While none of these events have had a material adverse effect on our business to date, no assurance can be given that future events will not have a material adverse impact on our business, results of operations, financial condition, or relationships with business partners and customers.

We maintain an enterprise-wide cybersecurity program that provides governance, structure, and executive oversight for identifying, assessing, and managing cybersecurity risks. Our cybersecurity program aligns with leading industry frameworks including the National Institute of Standards and Technology Cyber Security Framework and the Control Objectives for Information and Related Technologies framework. The program is designed to identify relevant assets and associated risks, protect against unauthorized access or misuse, detect and respond to cybersecurity events, and support the timely recovery of systems and information. The program uses a defense in depth approach supported by layered technical and administrative controls intended to protect the confidentiality, integrity, and availability of our information assets.

We continually assess our cybersecurity and threat detection capabilities, including our ability to identify and respond to emerging tactics, techniques, and procedures used by threat actors. This includes monitoring the increased use of artificial intelligence by threat actors and evaluating potential impacts on our threat landscape.

Our cybersecurity program incorporates ongoing risk management practices such as maintenance of a cyber risk register, threat intelligence tracking, control monitoring using key performance indicators, independent control testing performed by internal audit, annual third-party risk assessments, external penetration testing, and regular cyber incident response exercises. We also use a security capability mapping process, together with our cyber risk and enterprise risk assessments, to evaluate emerging technologies and to inform ongoing investment decisions that support the maturity of our cybersecurity program.

We collaborate with industry associations, government agencies, peers, and external advisors to monitor the evolving threat environment and to incorporate industry best practices into our cybersecurity processes. These collaborations contribute to our understanding of threat actor behavior, regulatory developments, and effective approaches to cybersecurity readiness, including incident response procedures.

Cybersecurity risk management activities are integrated into our enterprise risk management framework so that cyber risks are evaluated alongside other enterprise level risks to support decision making, planning, and governance.

Our third-party risk management program assesses the inherent risks associated with third party service providers and helps guide our due diligence and ongoing monitoring of those parties. Through this process, information security personnel, in coordination with our vendor management operations, evaluate the information security, privacy, and business continuity practices of both prospective and existing service providers.

We manage cybersecurity incidents through a documented incident response plan executed by an incident response team consisting of senior leaders and subject matter experts from information security, legal, compliance, risk management, communications, facilities, operations, marketing and distribution, finance, and human resources. The plan also provides for the engagement of external legal counsel and digital forensics resources who are familiar with our systems and incident response processes and who participate in our tabletop exercises. We maintain a formal escalation process based on incident nature and severity for notifying and engaging executive leadership, the Audit Committee and the Board of Directors. The incident response plan is integrated with our business continuity and emergency response plans.

Governance

Our Board of Directors oversees major risks facing the organization, including cybersecurity and operational risks, and reviews management's plans to mitigate such risks. The Board has designated the Audit Committee to have primary responsibility for oversight of cybersecurity risk management. The Audit Committee reviews management's approach to managing cybersecurity and privacy risk and receives updates regarding the programs used to monitor, detect, and respond to cybersecurity threats. These updates include information regarding emerging threats, internal and external risk assessments, key developments in cybersecurity risk management practices, security and infrastructure investments, regulatory and compliance updates, and cybersecurity incidents.

Our Chief Information Security Officer ("CISO") has primary responsibility for our cybersecurity program and leads our information security department. Our CISO has 25 years of experience in information technology, including 15 years of experience in cybersecurity in the property and casualty insurance industry. Our information security team includes personnel with diverse experience and relevant certifications. The CISO reports to our Chief Information and Innovation Officer ("CIIO"), who reports directly to our Chief Operating Officer. The CISO and the CIIO regularly update executive management regarding cybersecurity risks, threats, incidents, and program developments. Members of the information security team also participate in our Enterprise Risk Management Group, which includes senior leaders who meet regularly to evaluate new and emerging risks, including cybersecurity related risks.
Company Information
| Name | HANOVER INSURANCE GROUP, INC. |
| CIK | 0000944695 |
| SIC Description | Fire, Marine & Casualty Insurance |
| Ticker | THG - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |