We prioritize a stringent and comprehensive risk management program to protect our business, stakeholders and customers.

Enterprise Risk Management

As a multiline insurance company, the products we write and the environments in which we operate expose us to many risks. Since certain risks can be correlated, an event or a series of events could impact multiple areas of our business simultaneously and have a material effect on our results, operations, financial position and liquidity. Managing risk effectively requires a company-wide approach that evaluates potential impacts across all functions while ensuring we remain within our risk appetite in a prudent and balanced manner to create and preserve value.

Our Enterprise Risk Management (ERM) activities involve:

  • Identification and assessment of a broad range of risks
  • Execution of coordinated strategies to effectively manage risks
  • Evaluation of our risk capital needs

At Horace Mann, all risk owners across all functions, all corporate leaders and the Board are engaged in ERM.

The ERM Committee, composed of senior executives from across Horace Mann, provides ultimate oversight over the risk management process. Each leader is accountable for specific key risks, and the committee also conducts an annual review of sustainability-related risks. Members of the ERM Committee update the Board and its various committees on key exposures and emerging risks.

Chief Risk Officer & Board Oversight

Our Chief Risk Officer (CRO), in conjunction with the ERM Committee, is responsible for working with the business leaders to ensure that they are actively monitoring and managing their key risks. The CRO is also responsible for identifying and monitoring key corporate level risks that encompass more than one business/division.

A portion of every Board meeting is dedicated to reviewing and discussing specific risks in greater detail. Given the growth and potential ramifications of cybersecurity risks, the Chief Information Security Officer regularly briefs the Board and its relevant committees about cybersecurity risks, monitoring, detection and mitigation. The Audit Committee dedicates a portion of each meeting to review and discuss Horace Mann’s cybersecurity program.

Our integrated approach to risk management ensures that individuals, committees and processes work together in an ongoing process, which we believe puts us in the best position to manage our risk exposure effectively and efficiently.

Protecting Against Data Privacy Risks

In addition to our comprehensive risk management processes, we also manage for and protect against data privacy risks by upholding our enterprise-wide Privacy Policy.

This policy ensures:

  • Limited use and access to personal information
  • Secure data handling for customer policies and financial solutions
  • Customer rights to request data deletion
  • A firm commitment not to sell customer personal or medical information

We continuously monitor cybersecurity and data privacy threats. We maintain a cybersecurity risk management program based on recognized standards like the National Institute of Standards and Technology Cybersecurity Framework, other industry standards and contractual requirements.

Cybersecurity Risk Management Program

The Chief Information Security Officer (CISO) oversees the cybersecurity program. The program includes:

  • Employee education on security best practices
  • Proactive threat monitoring and risk assessment
  • Rapid incident response protocols
  • Third-party service provider risk management

Despite our robust security infrastructure, cyberattacks remain a potential risk. Unauthorized access to sensitive customer, employee, or company data—whether through breaches of our systems, vendor networks or third-party software—could result in operational disruptions or financial loss. However, during the last fiscal year, no material effects were identified from actual or potential cybersecurity events.

CISO Responsibilities & Security Training

The CISO is responsible for developing, maintaining and enforcing cybersecurity and cyber risk-related policies; ensuring the Company and its subsidiaries satisfy the requirements of relevant regulations and third-party risk assessments; identifying and keeping abreast of developing security threats; and overseeing and implementing regular security awareness training of all employees on cybersecurity.

For example, we adjust our policies, standards and processes based on the results of those assessments. In leading the cybersecurity risk management program, the CISO regularly works with other divisions of the company, including legal, compliance, IT, audit and others, to address potential risk from external threats, internal actions and relationships with third-party service providers.

Board Oversight of Cybersecurity & Risk Management

The Board of Directors exercises risk management oversight, including cybersecurity risk, through the Audit Committee. The Audit Committee receives quarterly reports on our risk management program.

These regular reports include:

  • Cybersecurity updates from the CISO
  • Key risk mitigation strategies
  • Emerging cyber threats and company response plans

To further strengthen our security framework, our data security and privacy practices undergo an external independent audit annually with a firm that specializes in cybersecurity controls and best practices. These audits ensure work performed is in adherence to ISACA’s core principles identified in their Control Objectives for Information Technology (COBIT) framework, which is a guiding authority for cybersecurity control environments.

Employee Cybersecurity Training

Employees and company contractors are trained on information security policies, standards and the appropriate handling of customer data when hired as well as quarterly. Employees in high-risk roles receive additional advanced training. These efforts reinforce secure handling of customer data and support our ongoing commitment to protecting sensitive information.