MBIA INC 10-K Cybersecurity GRC - 2024-02-28

Page last updated on July 16, 2024

MBIA INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 16:22:41 EST.

Filings

10-K filed on 2024-02-28

MBIA INC filed a 10-K at 2024-02-28 16:22:41 EST
Accession Number: 0000950170-24-022129

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity" section in Part I, Item 1C of this Form 10-K. Interruption in information technology and other operational systems, or a failure to maintain the security, confidentiality or privacy of sensitive data residing on such systems, whether due to actions or inactions by us or others, could delay or disrupt 21 Item 1A. Risk Factors (continued) our ability to do business, harm our reputation, subject us to regulatory sanctions and other claims, lead to a loss of revenues and/or otherwise adversely affect our business. The Company is dependent on key executives and the loss of any of these executives, or its inability to retain other key personnel, could adversely affect its business. The Company’s success substantially depends upon its human capital management including its ability to retain qualified employees and upon the ability of its senior management and other key employees to implement its business strategy. The Company believes there are only a limited number of available qualified executives in the business lines in which the Company operates. The Company relies substantially upon the services of William C. Fallon, Chief Executive Officer, and other senior executives. There is no assurance that the Company will be able to retain the services of key executives. While the Company has a succession plan for key executives and does not expect the departure of any key executives to have a material adverse effect on its operations, there can be no assurance that the loss of the services of any of these individuals or other key members of the Company’s management team would not adversely affect the implementation of its business strategy. Item 1B. Unresolv ed Staff Comments The Company from time to time receives written comments from the staff of the SEC regarding its periodic or current reports under the Securities Exchange Act of 1934, as amended. There are no comments that remain unresolved that the Company received more than 180 days before the end of the year to which this report relates. Item 1C. Cybersecurity The cybersecurity program of the Company establishes the framework for safeguarding critical information assets through an evolving, multi-tiered security approach. This program encompasses the Company’s policies and controls designed to mitigate risks from malicious and unauthorized use, as well as cybersecurity threats or attacks targeting the Company’s Information Assets (“IA”). These IA primarily include business and technology applications, networks, computing platforms, and the data stored therein. The following is a discussion of our cybersecurity risk management and strategy and our cybersecurity governance. Risk Management and Strategy Cybersecurity is a part of the Company’s overall risk management strategy. The Audit Committee oversees risks associated with cybersecurity. Refer to the following “Governance” section for additional information on the Audit Committee’s oversight of cybersecurity. The Company has developed a security architecture designed to minimize and defend against threats, with an emphasis on the capability to effectively assess and identify cyber risks to its IA. This includes regulating access to IA and protection against unauthorized access, malicious software, and hacking attempts. The Company maintains reasonable defenses to protect against known threats by systematic scanning for security vulnerabilities and utilizes more advanced technologies to protect against new threat vectors for which there is not yet a vendor-provided security solution. The Company uses tools such as firewalls, anti-malware software, multi-factor authentication, e-mail and internet security gateways, virtual private networks, and an active vulnerability management program to safeguard IA against cyberattacks. The Company also engages third-party outsourced security services to continuously monitor and provide timely remediation of security events across all information technology (“IT”) assets. This serves as a virtual extension of the internal security team. In addition, the Company engages third-party security firms to perform periodic penetration testing to validate the security of its IT infrastructure and applications. Periodic incident response exercises are also conducted as part of the Company’s overall cybersecurity program. Our processes also address threats to its IA associated with our use of third-party security providers. Third-party risks are included within our risk management strategy discussed above. Cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third-parties that have access to our systems, data or facilities that house such systems or data, and continually monitor cybersecurity threats identified through such diligence. Additionally, we may require certain third-parties to agree by contract to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits, which we conduct as appropriate. The Company manages software using a risk-based approach that assesses software version requirements, technology obsolescence, business value and cost. Web based applications have external penetration testing performed to determine vulnerabilities and/or open exploits before deployment to production. The Company also utilizes data leakage prevention controls to further protect IA. The Company’s hardware, including computers, smartphones, and tablets, has security software installed to extend cybersecurity and general technology management controls. In addition, the Company’s IT department arranges periodic training for Company employees related to best practices to prevent, identify, and report cybersecurity 22 Item 1C. Cybersecurity (continued) incidents. All Company employees are required to participate in scheduled training and are obligated to certify the completion of each training session. Additionally, all third parties retained by the Company, including vendors, that are granted access to the Company’s IA are required to certify compliance with all relevant Company policies relating to such access and re-certify compliance as deemed necessary. This certification includes the completion of questionnaires that are reviewed by the Chief Information Security Officer (“CISO”) and Chief Information Officer (“CIO”). Despite the Company’s implementation and maintenance of the cybersecurity program and its components as identified above and elsewhere herein that includes a variety of best practice security measures, our information technology systems, networks, and data are subject to cyber-attacks or physical break-ins, unauthorized tampering or other security breaches. Notwithstanding these protections, attacks may result in a failure to maintain the security, confidentiality or privacy of sensitive information. To date, the Company has not had any cybersecurity incidents that have materially affected, or are reasonably likely to materially affect, its business strategy, results of operations, or its financial condition. There can be no assurance that a future cybersecurity incident would not result in a loss and/or have a material adverse effect on our reputation, business, results of operations, or financial condition. Governance The Company created an Enterprise Security Council (“ESC”) that is comprised of senior IT management (including the CISO and CIO), Internal Audit and Compliance leaders which meet regularly to evaluate potential security risks to the Company and its IA. The CISO is responsible for performing a thorough examination of any identified or suspected cybersecurity incidents or violations. The CISO will collaborate with the Company’s General Counsel and other relevant personnel during this formal review. Documentation detailing the event and an action plan, if required, will be generated by the CISO. Additionally, communication will be promptly established with the Cyber Incident Response Team (“CIRT”), and if deemed necessary, the Audit Committee. The Audit Committee receives quarterly or more frequent as appropriate, briefings from the Company’s senior management and CISO. The briefings concern, among other topics, the cyber threat landscape and associated risks to the Company, updates to the Company’s cybersecurity program and associated policies, its ongoing strategy to prevent, identify and react to security incidents, internal and external vulnerability assessments, penetration testing results, and Internal Audit’s periodic reviews of MBIA’s security controls, policies, and procedures. The CIRT is comprised of senior leaders from across the company, which include Legal, Compliance, Investor/Media Relations, and Information Technology.
Item 1C of this Form 10-K. Interruption in information technology and other operational systems, or a failure to maintain the security, confidentiality or privacy of sensitive data residing on such systems, whether due to actions or inactions by us or others, could delay or disrupt 21 Item 1A. Risk Factors (continued) our ability to do business, harm our reputation, subject us to regulatory sanctions and other claims, lead to a loss of revenues and/or otherwise adversely affect our business. The Company is dependent on key executives and the loss of any of these executives, or its inability to retain other key personnel, could adversely affect its business. The Company’s success substantially depends upon its human capital management including its ability to retain qualified employees and upon the ability of its senior management and other key employees to implement its business strategy. The Company believes there are only a limited number of available qualified executives in the business lines in which the Company operates. The Company relies substantially upon the services of William C. Fallon, Chief Executive Officer, and other senior executives. There is no assurance that the Company will be able to retain the services of key executives. While the Company has a succession plan for key executives and does not expect the departure of any key executives to have a material adverse effect on its operations, there can be no assurance that the loss of the services of any of these individuals or other key members of the Company’s management team would not adversely affect the implementation of its business strategy. Item 1B. Unresolv ed Staff Comments The Company from time to time receives written comments from the staff of the SEC regarding its periodic or current reports under the Securities Exchange Act of 1934, as amended. There are no comments that remain unresolved that the Company received more than 180 days before the end of the year to which this report relates. Item 1C. Cybersecurity The cybersecurity program of the Company establishes the framework for safeguarding critical information assets through an evolving, multi-tiered security approach. This program encompasses the Company’s policies and controls designed to mitigate risks from malicious and unauthorized use, as well as cybersecurity threats or attacks targeting the Company’s Information Assets (“IA”). These IA primarily include business and technology applications, networks, computing platforms, and the data stored therein. The following is a discussion of our cybersecurity risk management and strategy and our cybersecurity governance. Risk Management and Strategy Cybersecurity is a part of the Company’s overall risk management strategy. The Audit Committee oversees risks associated with cybersecurity. Refer to the following “Governance” section for additional information on the Audit Committee’s oversight of cybersecurity. The Company has developed a security architecture designed to minimize and defend against threats, with an emphasis on the capability to effectively assess and identify cyber risks to its IA. This includes regulating access to IA and protection against unauthorized access, malicious software, and hacking attempts. The Company maintains reasonable defenses to protect against known threats by systematic scanning for security vulnerabilities and utilizes more advanced technologies to protect against new threat vectors for which there is not yet a vendor-provided security solution. The Company uses tools such as firewalls, anti-malware software, multi-factor authentication, e-mail and internet security gateways, virtual private networks, and an active vulnerability management program to safeguard IA against cyberattacks. The Company also engages third-party outsourced security services to continuously monitor and provide timely remediation of security events across all information technology (“IT”) assets. This serves as a virtual extension of the internal security team. In addition, the Company engages third-party security firms to perform periodic penetration testing to validate the security of its IT infrastructure and applications. Periodic incident response exercises are also conducted as part of the Company’s overall cybersecurity program. Our processes also address threats to its IA associated with our use of third-party security providers. Third-party risks are included within our risk management strategy discussed above. Cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third-parties that have access to our systems, data or facilities that house such systems or data, and continually monitor cybersecurity threats identified through such diligence. Additionally, we may require certain third-parties to agree by contract to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits, which we conduct as appropriate. The Company manages software using a risk-based approach that assesses software version requirements, technology obsolescence, business value and cost. Web based applications have external penetration testing performed to determine vulnerabilities and/or open exploits before deployment to production. The Company also utilizes data leakage prevention controls to further protect IA. The Company’s hardware, including computers, smartphones, and tablets, has security software installed to extend cybersecurity and general technology management controls. In addition, the Company’s IT department arranges periodic training for Company employees related to best practices to prevent, identify, and report cybersecurity 22 Item 1C. Cybersecurity (continued) incidents. All Company employees are required to participate in scheduled training and are obligated to certify the completion of each training session. Additionally, all third parties retained by the Company, including vendors, that are granted access to the Company’s IA are required to certify compliance with all relevant Company policies relating to such access and re-certify compliance as deemed necessary. This certification includes the completion of questionnaires that are reviewed by the Chief Information Security Officer (“CISO”) and Chief Information Officer (“CIO”). Despite the Company’s implementation and maintenance of the cybersecurity program and its components as identified above and elsewhere herein that includes a variety of best practice security measures, our information technology systems, networks, and data are subject to cyber-attacks or physical break-ins, unauthorized tampering or other security breaches. Notwithstanding these protections, attacks may result in a failure to maintain the security, confidentiality or privacy of sensitive information. To date, the Company has not had any cybersecurity incidents that have materially affected, or are reasonably likely to materially affect, its business strategy, results of operations, or its financial condition. There can be no assurance that a future cybersecurity incident would not result in a loss and/or have a material adverse effect on our reputation, business, results of operations, or financial condition. Governance The Company created an Enterprise Security Council (“ESC”) that is comprised of senior IT management (including the CISO and CIO), Internal Audit and Compliance leaders which meet regularly to evaluate potential security risks to the Company and its IA. The CISO is responsible for performing a thorough examination of any identified or suspected cybersecurity incidents or violations. The CISO will collaborate with the Company’s General Counsel and other relevant personnel during this formal review. Documentation detailing the event and an action plan, if required, will be generated by the CISO. Additionally, communication will be promptly established with the Cyber Incident Response Team (“CIRT”), and if deemed necessary, the Audit Committee. The Audit Committee receives quarterly or more frequent as appropriate, briefings from the Company’s senior management and CISO. The briefings concern, among other topics, the cyber threat landscape and associated risks to the Company, updates to the Company’s cybersecurity program and associated policies, its ongoing strategy to prevent, identify and react to security incidents, internal and external vulnerability assessments, penetration testing results, and Internal Audit’s periodic reviews of MBIA’s security controls, policies, and procedures. The CIRT is comprised of senior leaders from across the company, which include Legal, Compliance, Investor/Media Relations, and Information Technology.
Item 1C. Cybersecurity The cybersecurity program of the Company establishes the framework for safeguarding critical information assets through an evolving, multi-tiered security approach. This program encompasses the Company’s policies and controls designed to mitigate risks from malicious and unauthorized use, as well as cybersecurity threats or attacks targeting the Company’s Information Assets (“IA”). These IA primarily include business and technology applications, networks, computing platforms, and the data stored therein. The following is a discussion of our cybersecurity risk management and strategy and our cybersecurity governance. Risk Management and Strategy Cybersecurity is a part of the Company’s overall risk management strategy. The Audit Committee oversees risks associated with cybersecurity. Refer to the following “Governance” section for additional information on the Audit Committee’s oversight of cybersecurity. The Company has developed a security architecture designed to minimize and defend against threats, with an emphasis on the capability to effectively assess and identify cyber risks to its IA. This includes regulating access to IA and protection against unauthorized access, malicious software, and hacking attempts. The Company maintains reasonable defenses to protect against known threats by systematic scanning for security vulnerabilities and utilizes more advanced technologies to protect against new threat vectors for which there is not yet a vendor-provided security solution. The Company uses tools such as firewalls, anti-malware software, multi-factor authentication, e-mail and internet security gateways, virtual private networks, and an active vulnerability management program to safeguard IA against cyberattacks. The Company also engages third-party outsourced security services to continuously monitor and provide timely remediation of security events across all information technology (“IT”) assets. This serves as a virtual extension of the internal security team. In addition, the Company engages third-party security firms to perform periodic penetration testing to validate the security of its IT infrastructure and applications. Periodic incident response exercises are also conducted as part of the Company’s overall cybersecurity program. Our processes also address threats to its IA associated with our use of third-party security providers. Third-party risks are included within our risk management strategy discussed above. Cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third-parties that have access to our systems, data or facilities that house such systems or data, and continually monitor cybersecurity threats identified through such diligence. Additionally, we may require certain third-parties to agree by contract to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits, which we conduct as appropriate. The Company manages software using a risk-based approach that assesses software version requirements, technology obsolescence, business value and cost. Web based applications have external penetration testing performed to determine vulnerabilities and/or open exploits before deployment to production. The Company also utilizes data leakage prevention controls to further protect IA. The Company’s hardware, including computers, smartphones, and tablets, has security software installed to extend cybersecurity and general technology management controls. In addition, the Company’s IT department arranges periodic training for Company employees related to best practices to prevent, identify, and report cybersecurity 22 Item 1C. Cybersecurity (continued) incidents. All Company employees are required to participate in scheduled training and are obligated to certify the completion of each training session. Additionally, all third parties retained by the Company, including vendors, that are granted access to the Company’s IA are required to certify compliance with all relevant Company policies relating to such access and re-certify compliance as deemed necessary. This certification includes the completion of questionnaires that are reviewed by the Chief Information Security Officer (“CISO”) and Chief Information Officer (“CIO”). Despite the Company’s implementation and maintenance of the cybersecurity program and its components as identified above and elsewhere herein that includes a variety of best practice security measures, our information technology systems, networks, and data are subject to cyber-attacks or physical break-ins, unauthorized tampering or other security breaches. Notwithstanding these protections, attacks may result in a failure to maintain the security, confidentiality or privacy of sensitive information. To date, the Company has not had any cybersecurity incidents that have materially affected, or are reasonably likely to materially affect, its business strategy, results of operations, or its financial condition. There can be no assurance that a future cybersecurity incident would not result in a loss and/or have a material adverse effect on our reputation, business, results of operations, or financial condition. Governance The Company created an Enterprise Security Council (“ESC”) that is comprised of senior IT management (including the CISO and CIO), Internal Audit and Compliance leaders which meet regularly to evaluate potential security risks to the Company and its IA. The CISO is responsible for performing a thorough examination of any identified or suspected cybersecurity incidents or violations. The CISO will collaborate with the Company’s General Counsel and other relevant personnel during this formal review. Documentation detailing the event and an action plan, if required, will be generated by the CISO. Additionally, communication will be promptly established with the Cyber Incident Response Team (“CIRT”), and if deemed necessary, the Audit Committee. The Audit Committee receives quarterly or more frequent as appropriate, briefings from the Company’s senior management and CISO. The briefings concern, among other topics, the cyber threat landscape and associated risks to the Company, updates to the Company’s cybersecurity program and associated policies, its ongoing strategy to prevent, identify and react to security incidents, internal and external vulnerability assessments, penetration testing results, and Internal Audit’s periodic reviews of MBIA’s security controls, policies, and procedures. The CIRT is comprised of senior leaders from across the company, which include Legal, Compliance, Investor/Media Relations, and Information Technology.
Item 1C. Cybersecurity (continued) incidents. All Company employees are required to participate in scheduled training and are obligated to certify the completion of each training session. Additionally, all third parties retained by the Company, including vendors, that are granted access to the Company’s IA are required to certify compliance with all relevant Company policies relating to such access and re-certify compliance as deemed necessary. This certification includes the completion of questionnaires that are reviewed by the Chief Information Security Officer (“CISO”) and Chief Information Officer (“CIO”). Despite the Company’s implementation and maintenance of the cybersecurity program and its components as identified above and elsewhere herein that includes a variety of best practice security measures, our information technology systems, networks, and data are subject to cyber-attacks or physical break-ins, unauthorized tampering or other security breaches. Notwithstanding these protections, attacks may result in a failure to maintain the security, confidentiality or privacy of sensitive information. To date, the Company has not had any cybersecurity incidents that have materially affected, or are reasonably likely to materially affect, its business strategy, results of operations, or its financial condition. There can be no assurance that a future cybersecurity incident would not result in a loss and/or have a material adverse effect on our reputation, business, results of operations, or financial condition. Governance The Company created an Enterprise Security Council (“ESC”) that is comprised of senior IT management (including the CISO and CIO), Internal Audit and Compliance leaders which meet regularly to evaluate potential security risks to the Company and its IA. The CISO is responsible for performing a thorough examination of any identified or suspected cybersecurity incidents or violations. The CISO will collaborate with the Company’s General Counsel and other relevant personnel during this formal review. Documentation detailing the event and an action plan, if required, will be generated by the CISO. Additionally, communication will be promptly established with the Cyber Incident Response Team (“CIRT”), and if deemed necessary, the Audit Committee. The Audit Committee receives quarterly or more frequent as appropriate, briefings from the Company’s senior management and CISO. The briefings concern, among other topics, the cyber threat landscape and associated risks to the Company, updates to the Company’s cybersecurity program and associated policies, its ongoing strategy to prevent, identify and react to security incidents, internal and external vulnerability assessments, penetration testing results, and Internal Audit’s periodic reviews of MBIA’s security controls, policies, and procedures. The CIRT is comprised of senior leaders from across the company, which include Legal, Compliance, Investor/Media Relations, and Information Technology.


Company Information

NameMBIA INC
CIK0000814585
SIC DescriptionSurety Insurance
TickerMBI - NYSE
Website
CategoryAccelerated filer
Fiscal Year EndDecember 30