As a multi-line insurance company, the products we write and the environments in which we operate expose us to many risks. Since certain risks can be correlated, an event or a series of events could impact multiple areas of our business simultaneously and have a material effect on our results of operations, financial position and liquidity. These exposures require an entity-wide view of risk and an understanding of the potential impact on all aspects of our operations. It also requires us to manage our risk taking so that we remain within our appetite in a prudent and balanced effort to create and preserve value for all our stakeholders.
Our Enterprise Risk Management (ERM) activities involve:
- Identification and assessment of a broad range of risks
- Execution of coordinated strategies to effectively manage risks
- Evaluation of our risk capital needs
At Horace Mann, all risk owners across all functions, all corporate leaders and the Board are engaged in ERM. However, the ERM Committee, which is composed of senior executives from across Horace Mann, has ultimate oversight over the risk management process, with each leader having ownership and accountability over certain identified key risks. As well, the ERM Committee annually discusses ESG risk. Members of the ERM Committee are responsible for updates to the Board and various Board committees on key risks and emerging risk topics.
Our Chief Risk Officer (CRO), in conjunction with the ERM Committee, is responsible for working with the business leaders to ensure that they are actively monitoring and managing their key risks. The CRO is also responsible for identifying and monitoring key corporate level risks that encompass more than one business/division.
A portion of every Board meeting is dedicated to reviewing and discussing specific risks in greater detail. Given the growth and potential ramifications of cybersecurity risks, the Chief Information Security Officer regularly briefs the board and its relevant committees about cybersecurity risks, monitoring, detection and mitigation. The Audit Committee dedicates a portion of its meetings to reviewing and discussing Horace Mann’s cybersecurity program.
The interaction of all the various individuals, committees, reports, and processes results in an ongoing process, which we believe puts us in the best position to effectively and efficiently manage our risk exposure.
Protecting Against Data Privacy Risks
In addition to our comprehensive risk management processes, we also manage for and protect against data privacy risks by upholding our enterprise-wide Privacy Policy. This policy outlines our commitment to protect and limit the use of and access to personal information that is shared with us. While we need to gather personal information to issue and service customers’ policies and offer them other insurance or financial solutions, we strongly protect that information. We do not sell customers’ personal or medical information to anyone.
Additionally, we continually monitor data security and privacy trends and threats. We use this information to enhance our enterprise information security program, security operations center and vendor management program, which assesses third-party information security controls. Our responsible security practices are overseen by our Chief Information Security Officer and Information Security Council, who are responsible for information asset and technology protection, directing critical incident response planning and testing, and advising on information security initiatives, projects and policies. Key executives throughout the organization participate in cybersecurity incident response planning exercises at least annually to test corporate processes and protocols. This ensures management understands how a high-severity cybersecurity incident unfolds and can identify corporate strengths and opportunities for improvement in real-time.
We routinely test our industry-compliant procedures for customer identification authentication and how to help contain or prevent data loss if a breach were to occur. Every year, our Internal Audit team evaluates the effectiveness of our cybersecurity controls in adherence to the Institute of Internal Auditors’ Mandatory Guidance, which includes the International Standards for the Professional Practice of Internal Auditing, Core Principles for the Professional Practice of Internal Auditing, and the Definition of Internal Auditing — as promulgated by the Institute of Internal Auditors. Our data security and privacy practices also undergo an external independent audit annually. In addition, our information security risk assessment processes are aligned with the National Institute of Standards and Technology (NIST) cybersecurity framework, combined with fundamentals and concepts from the Factor Analysis of Information Risk (FAIR) methodology.
Employees are trained on information security policies, standards and the appropriate handling of customer data when hired as well as quarterly. Company contractors receive this information upon hire. Beginning in 2023, contractors will receive quarterly training as well. Employees in high-risk roles receive additional advanced training.