HORACE MANN EDUCATORS CORP /DE/ 10-K Cybersecurity GRC - 2026-02-27

Page last updated on February 27, 2026

HORACE MANN EDUCATORS CORP /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 13:09:03 EST.

Filings

10-K filed on 2026-02-27

HORACE MANN EDUCATORS CORP /DE/ filed a 10-K at 2026-02-27 13:09:03 EST
Accession Number: 0000850141-26-000007

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. I Cybersecurity As a multi-line insurance company, our business operations rely upon secure information technology systems for data processing, storage, and reporting. We maintain a cybersecurity risk management program based on recognized standards such as the National Institute of Standards and Technology Cybersecurity Framework, other industry standards, and contractual requirements. The Chief Information Security Officer (CISO) oversees the cybersecurity program, which includes employee education, proactive threat monitoring and investigation, incident response, oversight of third-party service providers, and other elements of our cybersecurity risk management program. Despite the design of our security measures and controls, our information technology systems may become subject to cyberattacks. Unauthorized access to or unintentional dissemination of confidential, highly sensitive customer, employee, or company data through a breach of our facilities, networks, or databases, or those of our agents or third-party information technology and software vendors, could result in loss or theft of assets or operational disruption, regulatory actions, litigation, remediation costs, and reputational harm. During the last fiscal year, we did not identify any cybersecurity events that had a material effect on the Company. As of the date of this Annual Report on Form 10-K, we have not identified any risks from cybersecurity threats that have materially affected, or are reasonably likely to materially affect, the Company's business strategy, results of operations, or financial condition. The CISO is responsible for developing, maintaining, and enforcing cybersecurity and cyber risk-related policies; helping to ensure the Company and its subsidiaries satisfy applicable regulatory requirements and third-party risk assessment expectations; identifying and keeping abreast of security threats; as well as overseeing and implementing regular security awareness training for all employees. We adjust our policies, standards, and processes based on assessment results. In leading the cybersecurity risk management program, the CISO regularly works with other divisions of the company, including legal, compliance, information technology, internal audit, and others to address potential risk from external threats, internal actions, and relationships with third-party service providers. Horace Mann's CISO has more than two decades of experience in IT, including network, infrastructure, and cybersecurity leadership. Before coming to Horace Mann, he led perimeter security at a publicly traded company, and the cybersecurity team of more than 150 members at another publicly traded company. In addition to the CISO, our internal cybersecurity team also works with third-party cybersecurity vendors to enhance the cybersecurity program and to assess, monitor, and respond to cybersecurity threats. The Board of Directors exercises risk management oversight, including cybersecurity risk, through the Audit Committee . The Audit Committee receives quarterly reports regarding our risk management program. These include regular reports from the CISO on the state of our cybersecurity risk management program and updates on cybersecurity matters, key cybersecurity initiatives, risk mitigation efforts, and assessments of emerging threats. The CISO is responsible for identifying and reporting cybersecurity incidents to the Disclosure Committee. A preliminary assessment of the nature and scope of potential incidents is conducted by a cross-functional team, including information security, compliance, legal, and other participants as necessary. Using a risk-based process, incidents are escalated to the Disclosure Committee. The Disclosure Committee is composed of senior executives from across Horace Mann and has oversight over SEC disclosure controls. After notification, the Disclosure Committee (or a designated subgroup) would review known information and develop an action plan, 36 Annual Report on Form 10-K Horace Mann Educators Corporation which may include Board outreach, expert retention, insurance notification, communication plans, and a materiality assessment. While we and our IT providers employ security technologies and controls designed to address a rapidly changing and evolving IT environment (including data encryption processes and intrusion detection systems), conduct risk assessments, and maintain other internal control procedures intended to protect our and our customers' data, we acknowledge that no system can completely eliminate cyber attacks and accordingly provide only reasonable assurance that these objectives will be met. Further, the design of any cybersecurity risk management program or control system must reflect the fact that there are resource constraints, and the benefits must be considered relative to their costs. As a result, the possibility of material financial loss remains despite our cybersecurity efforts. An investor should carefully consider the risks, and all other information set forth in this Annual Report on Form 10-K, including disclosures in Part I - Item 1A-Risk Factors.

Company Information