We prioritize a stringent and comprehensive risk management program.

As a multi-line insurance company, the products we write and the environments in which we operate expose us to many risks. Because certain risks are correlated, an event or a series of events could affect multiple areas of our business simultaneously and have a material effect on our results of operations, financial position and liquidity. These exposures require an entity-wide view of risk and an understanding of the potential impact on all aspects of our operations. They also require us to manage our risk-taking so that we remain within our risk appetite, in a prudent and balanced effort to create and preserve value for all our stakeholders.

Our Enterprise Risk Management (ERM) activities involve:

  • Identification and assessment of a broad range of risks
  • Execution of coordinated strategies to effectively manage risks
  • Evaluation of our risk capital needs

At Horace Mann, all risk owners across all functions, all corporate leaders and the Board are engaged in ERM. However, the ERM Committee, which is composed of senior executives from across Horace Mann, has ultimate oversight of the risk management process, with each leader having ownership of and accountability for certain identified key risks. The ERM Committee also reviews ESG risk annually. Members of the ERM Committee are responsible for updating the Board and various Board committees on key risks and emerging risk topics.

Our Chief Risk Officer (CRO), in conjunction with the ERM Committee, is responsible for working with the business leaders to ensure that they are actively monitoring and managing their key risks. The CRO is also responsible for identifying and monitoring key corporate level risks that encompass more than one business/division.

A portion of every Board meeting is dedicated to reviewing and discussing specific risks in greater detail. Given the growth and potential ramifications of cybersecurity risks, the Chief Information Security Officer regularly briefs the Board and its relevant committees on cybersecurity risks, monitoring, detection and mitigation. The Audit Committee dedicates a portion of its meetings to reviewing and discussing Horace Mann's cybersecurity program.

The interaction of all the various individuals, committees, reports, and processes results in an ongoing process, which we believe puts us in the best position to effectively and efficiently manage our risk exposure.

Protecting Against Data Privacy Risks

In addition to our comprehensive risk management processes, we also manage and protect against data privacy risks by upholding our enterprise-wide Privacy Policy. This policy outlines our commitment to protect, and to limit the use of and access to, personal information that is shared with us. While we need to gather personal information to issue and service customers' policies and to offer them other insurance or financial solutions, we safeguard that information and offer our customers a means to request that their data be deleted from our records. We do not sell customers' personal or medical information to anyone.

Additionally, we continually monitor data security and privacy trends and threats. We use this information to enhance our enterprise information security program, security operations center and vendor management program, which assesses third-party information security controls. Our responsible security practices are overseen by our Chief Information Security Officer and Information Security Council, who are responsible for information asset and technology protection, directing critical incident response planning and testing, and advising on information security initiatives, projects and policies. Key executives throughout the organization, as well as the Board of Directors, participate in cybersecurity incident response planning exercises at least annually to test corporate processes and protocols. This ensures management and Board members understand how a high-severity cybersecurity incident unfolds and can identify corporate strengths and opportunities for improvement in real-time.

We routinely test our industry-compliant procedures for customer identification and authentication, and for containing or preventing data loss if a breach were to occur. Our information security risk assessment processes are aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, combined with fundamentals and concepts from the Factor Analysis of Information Risk (FAIR) methodology. Our Internal Audit department tests the design and operating effectiveness of IT General Controls (ITGCs) on a quarterly and annual basis. Our data security and privacy practices undergo an annual external independent audit by a firm that specializes in cybersecurity controls and best practices, which verifies that the work performed adheres to the core principles of ISACA's Control Objectives for Information and Related Technologies (COBIT) framework, a widely used reference for IT governance and control environments.

Employees and company contractors are trained on information security policies, standards and the appropriate handling of customer data when hired as well as quarterly. Employees in high-risk roles receive additional advanced training.