LOEWS CORP 10-K Cybersecurity GRC - 2025-02-11

Page last updated on February 11, 2025

LOEWS CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-11 12:05:33 EST.

Filings

10-K filed on 2025-02-11

LOEWS CORP filed a 10-K at 2025-02-11 12:05:33 EST
Accession Number: 0000060086-25-000036

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. If we and our subsidiaries and our and their third party vendors do not allocate and effectively manage the resources necessary to continue to build and maintain our and their information technology security infrastructure, or if we or our subsidiaries or our or our subsidiaries’ vendors fail to timely identify or appropriately respond to cyber attacks or other cyber incidents, then this may, in addition to other consequences, disrupt our and our subsidiaries’ operations, cause significant damage to our or their assets and surrounding areas, cause loss of life or serious bodily injury, impact our or their data framework or cause a failure to protect personal information of customers, employees or others. The foregoing risks relating to disruption of service, interruption of operations and data loss could impact our and our subsidiaries’ ability to timely perform critical business functions, resulting in disruption or deterioration in our and our subsidiaries’ operations and business and expose us and our subsidiaries to significant financial losses and monetary and reputational damages. In addition, potential exposures include substantially increased compliance costs and required computer system upgrades and security related investments. The breach of confidential information also could give rise to legal liability and regulatory action under data protection and privacy laws and regulations, both in the U.S. and foreign jurisdictions. From time to time we and our subsidiaries may be subject to litigation, for which we and they may be unable to accurately assess the level of exposure and which if adversely determined, may have a significant adverse effect on our or their financial condition or results of operations. We and our subsidiaries are or may become parties to legal proceedings and disputes. These matters may include, among others, contract disputes, claims and coverage disputes, reinsurance disputes, personal injury and wrongful death claims, environmental claims or proceedings, asbestos and other toxic tort claims, intellectual property disputes, disputes related to employment, antitrust matters, tax matters and other litigation incidental to our or their businesses. For instance, we and certain of our Boardwalk Pipelines-related subsidiaries are defendants in a class action litigation in the State of Delaware related to our 2018 acquisition of the Boardwalk Pipelines limited partnership units not already owned by our affiliates. In addition, Loews Hotels & Co is a defendant in litigation alleging that it and certain other hotel chains engaged in a conspiracy to fix higher prices for hotel rooms in violation of antitrust laws. For additional information regarding these matters, see Note 18 of the Notes to Consolidated Financial Statements included under Item 8. Litigation is inherently subject to great uncertainty and it is difficult to predict the outcome or effect of any litigation matters. The outcome of any pending or future litigation could have a significant adverse impact on our or our subsidiaries’ financial condition or results of operations. Acts of terrorism could harm us and our subsidiaries. Terrorist attacks and the continued threat of terrorism in the United States or abroad, the continuation or escalation of armed hostilities or the outbreak of additional hostilities, including military and other action by the United States, its allies or other nations, could have a significant impact on us and the assets and businesses of our subsidiaries. CNA issues coverages that are exposed to risk of loss from an act of terrorism. Terrorist acts or the threat of terrorism could also result in increased political, economic and financial market instability, a decline in energy consumption and volatility in the price of oil and gas, which could affect the market for Boardwalk Pipelines’ transportation and storage services. In addition, terrorist attacks could lead to reductions in business travel and tourism which could harm Loews Hotels & Co. While our subsidiaries take steps that they believe are appropriate to secure their assets, there is no assurance that they can completely secure them against a terrorist attack or obtain adequate insurance coverage for terrorist acts at reasonable rates. Our subsidiaries face significant risks related to compliance with environmental laws. Our subsidiaries have extensive obligations and financial exposure related to compliance with federal, state, local, foreign and international environmental laws, including those relating to the discharge of substances into the environment, the disposal, removal or cleanup of hazardous wastes and other activities relating to the protection of the environment. Many of such laws have become increasingly stringent in recent years and may in some cases impose strict liability, which could be substantial, rendering a person liable for environmental damage without regard to negligence or fault on the part of that person. For example, Boardwalk Pipelines is subject to extensive federal, state and local laws and regulations relating to protection of the environment. Such laws and regulations impose, among other things, restrictions, liabilities and obligations in connection with the generation, handling, use, storage, transportation, treatment and disposal of various substances, including hazardous substances and waste and in connection with spills, releases, discharges and emissions of various substances into the environment. In addition, Altium Packaging may be adversely affected by laws or regulations concerning environmental matters that increase the cost of producing, or otherwise adversely affect the demand for, plastic products. Further, existing environmental laws or the interpretation or enforcement thereof may be amended and new laws may be adopted in the future. Loss of key vendor relationships or issues relating to the transitioning of vendor relationships could result in a materially adverse effect on our and our subsidiaries’ operations. We and our subsidiaries rely on products, equipment and services provided by many third-party suppliers, manufacturers and service providers in the United States and abroad, which exposes us and them to volatility in the quality, price and availability of such items. These include, for example, vendors of computer hardware, software and services, as well as other critical materials and services (including, in the case of CNA, claims administrators performing significant claims administration and adjudication functions). Certain products, equipment and services may be available from a limited number of sources. If one or more key vendors becomes unable to continue to provide products, equipment or services at the requisite level for any reason, or fails to protect our proprietary information, including in some cases personal information of employees, customers, hotel guests or others, we and our subsidiaries may experience a material adverse effect on our or their business, operations and reputation. We could incur impairment charges related to the carrying value of the long-lived assets and goodwill of our subsidiaries and our equity method investments. We and our subsidiaries regularly evaluate our and their long-lived assets and goodwill for impairment whenever events or changes in circumstances indicate the carrying value of these assets may not be recoverable. Most notably, we could incur impairment charges related to the carrying value of pipeline and storage assets at Boardwalk Pipelines, our equity method investment in Altium Packaging and hotel investments owned by Loews Hotels & Co. We and our subsidiaries also test goodwill for impairment on an annual basis or when events or changes in circumstances indicate that a potential impairment exists. Asset impairment evaluations by us and our subsidiaries with respect to both long-lived assets and goodwill are, by nature, highly subjective. The use of different estimates and assumptions could result in materially different carrying values of our assets which could impact the need to record an impairment charge and the amount of any charge taken. Pandemics or other outbreaks of contagious diseases and efforts to mitigate their spread have had, and could in the future have, widespread impacts on the way we and our subsidiaries operate. The spread of COVID-19 and mitigating measures caused unprecedented disruptions to the global economy and normal business operations across sectors and countries, including the sectors and countries in which we and our subsidiaries operate. Future pandemics or other outbreaks of contagious diseases, and efforts to mitigate their spread, may result in similar or worse economic implications and disruptions, including on our and our subsidiaries’ businesses. We are a holding company and derive substantially all of our income and cash flow from our subsidiaries. We rely upon our invested cash balances and distributions from our subsidiaries to generate the funds necessary to meet our obligations and to declare and pay any dividends to holders of our common stock. Our subsidiaries are separate and independent legal entities and have no obligation, contingent or otherwise, to make funds available to us, whether in the form of loans, dividends or otherwise. The ability of our subsidiaries to pay dividends is subject to, among other things, the availability of sufficient earnings and funds in such subsidiaries, applicable state laws, including in the case of the insurance subsidiaries of CNA, laws and rules governing the payment of dividends by regulated insurance companies, and their compliance with covenants in their respective loan agreements. Claims of creditors of our subsidiaries will generally have priority as to the assets of such subsidiaries over our claims and those of our creditors and shareholders. We and our subsidiaries face competition for senior executives and qualified specialized talent. We and our subsidiaries depend on the services of our key personnel, who possess skills critical to the operation of our and their businesses. Our and our subsidiaries’ executive management teams are highly experienced and possess extensive skills in their relevant industries. The ability to retain senior executives and to attract and retain highly skilled professionals and personnel with specialized industry and technical experience is important to our and our subsidiaries’ success and future growth. Competition for this talent can be intense, and we and our subsidiaries may not be successful in our efforts. The unexpected loss of the services of these individuals could have a detrimental effect on us and our subsidiaries and could hinder our and their ability to effectively compete in the various industries in which we and they operate. Increasing scrutiny and changing expectations from stakeholders with respect to ESG practices may impose additional costs on us and our subsidiaries or expose us and our subsidiaries to new or additional risks. Companies across all industries are facing increasing scrutiny from stakeholders related to their ESG practices. Certain influential investors in recent years have been focused on ESG practices and have placed increasing importance on the implications and social cost of their investments. In addition, organizations that provide information on corporate governance and related matters have developed rating processes for evaluating companies on their approach to ESG matters, and many of these ratings processes are inconsistent with each other. Such ratings are used by some investors to inform their investment and voting decisions. Regardless of the industry, investors’ increased focus and activism related to ESG and similar matters may hinder access to, or increase the cost of, capital, as investors may decide to reallocate capital or to not commit capital as a result of their assessment of a company’s ESG practices. In addition, other stakeholders, including customers, employees, suppliers, regulators and ratings agencies, have also been focused on ESG matters. Companies have also increasingly been requested by stakeholders to create and publish disclosures regarding their ESG practices. While we and our subsidiaries may make such disclosures from time to time, many of the statements in those disclosures may not be material and may be based on expectations and assumptions that may not be representative of actual risks or events or forecasts of expected risks or events. Such expectations and assumptions are necessarily uncertain and may be prone to error or subject to misinterpretation given the long timelines involved and the lack of an established single approach to identifying, measuring and reporting on many ESG matters. As a holding company, our stakeholders generally focus on the ESG practices across our enterprise, including those at our subsidiaries. As our subsidiaries operate in different industries, the particular ESG issues that stakeholders tend to focus on differ from subsidiary to subsidiary. For instance, as a property and casualty insurer, CNA’s stakeholders may focus on the ESG practices of companies in which CNA invests, while Boardwalk Pipelines’ stakeholders may focus on climate change and emissions from Boardwalk Pipelines’ operations and Loews Hotels & Co’s stakeholders may focus on the carbon footprint of its properties. Companies that do not adapt to or comply with investor or other stakeholder expectations and standards, which are evolving, or that are perceived to have not responded appropriately to the growing concern regarding ESG issues, regardless of whether there is a legal requirement to do so, may suffer from reputational damage and other adverse consequences. Additionally, to the extent ESG matters negatively impact our reputation, we may not be able to compete as effectively to recruit or retain employees, which may adversely affect our operations. Item 1B. Unresolved Staff Comments. None. Item 1C. Cybersecurity. Risk Management and Strategy Identifying, assessing, and managing material cybersecurity risks is an important component of our overall enterprise risk management program. As with the management of risks generally, given our holding company structure, the management of cybersecurity risks involves coordination between the parent company and our subsidiaries. The parent company and each subsidiary are responsible for developing cybersecurity programs appropriate for their respective entities, including as may be required by applicable law or regulation. These programs have been developed based on the National Institute of Standards and Technology Cybersecurity Framework and seek to protect each entity against cybersecurity risks and foster each entity’s ability to respond to cybersecurity events. Among other things, these programs generally involve maturity evaluations and assessments by third parties , vulnerability scanning, employee testing and training, technical and business team-focused tabletop exercises, incident response plans and data security assessments of third-party service providers as a part of vendor management. Risks from cybersecurity threats, in the future may, among other things, cause material disruptions to our or our subsidiaries’ operations, which may materially affect our and/or their business, results of operations, cash flows, financial condition and/or equity. For more information about these risks, see the risk factor titled " Failures or interruptions in or breaches to our or our subsidiaries’ computer systems or information technology or communication infrastructure or those of our third party vendors could materially and adversely affect our or our subsidiaries’ operations " under Item 1A. Governance Our Board has assigned oversight of cybersecurity risk management to the Audit Committee . The Audit Committee regularly receives reports from our and our subsidiaries’ management, including our and our subsidiaries’ senior information technology (“IT”) leadership, and third parties on cybersecurity matters. In addition, the Board receives reports addressing cybersecurity as part of our overall enterprise risk management program and to the extent cybersecurity matters are addressed in regular business updates. Senior IT leadership (generally, chief information officers and/or chief information security officers ) at the parent company and each subsidiary are responsible for developing cybersecurity programs appropriate for their respective entities, including as may be required by applicable law or regulation. These individuals’ expertise in IT and cybersecurity generally has been gained from a combination of education, including relevant degrees and/or certifications, and prior work experience. They are informed by their respective cybersecurity teams about, and monitor, the prevention, detection, mitigation and remediation of cybersecurity incidents as part of the cybersecurity programs described above. Information regarding cybersecurity risks may be elevated from senior IT leadership through a variety of different channels, including discussions between or among subsidiary and parent company management, reports to subsidiary and parent company risk committees and reports to subsidiary and parent company boards and board committees. As noted above, the Audit Committee regularly receives reports on cybersecurity matters from our and our subsidiaries’ senior IT leadership.
Item 1C. Cybersecurity. Risk Management and Strategy Identifying, assessing, and managing material cybersecurity risks is an important component of our overall enterprise risk management program. As with the management of risks generally, given our holding company structure, the management of cybersecurity risks involves coordination between the parent company and our subsidiaries. The parent company and each subsidiary are responsible for developing cybersecurity programs appropriate for their respective entities, including as may be required by applicable law or regulation. These programs have been developed based on the National Institute of Standards and Technology Cybersecurity Framework and seek to protect each entity against cybersecurity risks and foster each entity’s ability to respond to cybersecurity events. Among other things, these programs generally involve maturity evaluations and assessments by third parties , vulnerability scanning, employee testing and training, technical and business team-focused tabletop exercises, incident response plans and data security assessments of third-party service providers as a part of vendor management. Risks from cybersecurity threats, in the future may, among other things, cause material disruptions to our or our subsidiaries’ operations, which may materially affect our and/or their business, results of operations, cash flows, financial condition and/or equity. For more information about these risks, see the risk factor titled " Failures or interruptions in or breaches to our or our subsidiaries’ computer systems or information technology or communication infrastructure or those of our third party vendors could materially and adversely affect our or our subsidiaries’ operations " under Item 1A. Governance Our Board has assigned oversight of cybersecurity risk management to the Audit Committee . The Audit Committee regularly receives reports from our and our subsidiaries’ management, including our and our subsidiaries’ senior information technology (“IT”) leadership, and third parties on cybersecurity matters. In addition, the Board receives reports addressing cybersecurity as part of our overall enterprise risk management program and to the extent cybersecurity matters are addressed in regular business updates. Senior IT leadership (generally, chief information officers and/or chief information security officers ) at the parent company and each subsidiary are responsible for developing cybersecurity programs appropriate for their respective entities, including as may be required by applicable law or regulation. These individuals’ expertise in IT and cybersecurity generally has been gained from a combination of education, including relevant degrees and/or certifications, and prior work experience. They are informed by their respective cybersecurity teams about, and monitor, the prevention, detection, mitigation and remediation of cybersecurity incidents as part of the cybersecurity programs described above. Information regarding cybersecurity risks may be elevated from senior IT leadership through a variety of different channels, including discussions between or among subsidiary and parent company management, reports to subsidiary and parent company risk committees and reports to subsidiary and parent company boards and board committees. As noted above, the Audit Committee regularly receives reports on cybersecurity matters from our and our subsidiaries’ senior IT leadership.

Company Information