Page last updated on February 24, 2025
ALLSTATE CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-24 12:23:27 EST.
Filings
10-K filed on 2025-02-24
Accession Number: 0000899051-25-000015
Item 1C. Cybersecurity.
Governance

The Allstate Corporation Board of Directors (“Allstate Board”) has overall responsibility for oversight of enterprise risk. The Audit Committee of the Allstate Board oversees the effectiveness of the cybersecurity program. The Audit Committee retains an external cybersecurity advisor to consult on cybersecurity matters and perform assessments of the Allstate Information Security Program (the “Program”). The Chief Information Security Officer (“CISO”) regularly updates the Audit Committee and Allstate Board on Information Security Program status, cybersecurity risk management, the control environment, emerging threat intelligence and key risk and performance measurements.

Our CISO is responsible for the development and execution of the security strategy which protects Allstate’s information from external and internal cybersecurity threats. He has more than 20 years of information security leadership experience.

Risk management and strategy

The Enterprise Risk and Return Council has delegated the power and authority to manage cybersecurity risks to the Information Security Council (“ISC”). The CISO chairs the ISC, with senior management representation from across the Company including representatives from Privacy, Legal and Technology. The ISC monitors, makes mitigating decisions about, and escalates information security risks that are outside the Company’s established risk tolerance. Additionally, it provides executive sponsorship of information security controls and oversees the development and review of the information security policy and enterprise security standards.

Information Security Program

Allstate has implemented a robust Information Security Program to manage material risks from cybersecurity threats. The Company’s Program uses a risk-based, defense-in-depth approach to identify, assess and manage cybersecurity risks to the Company’s information assets and systems, enabling the business to achieve its objectives.

The Information Security Program is aligned with industry best practices and standards including the ISO 27001/27002 standards, the Control Objectives for Information and Related Technologies Framework and the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”). Allstate’s Information Security Program outlines the responsibilities and expectations for the security of Allstate information systems. The Program includes standards, policies and procedures requiring the implementation of technical, administrative and physical controls to manage the risk to Allstate information and systems. These standards, policies and procedures cover industry-standard information security domains, including risk assessment, third-party supplier risk management, vulnerability management, identity and access management, application security, network security, cybersecurity awareness training, encryption and incident management.

Dedicated personnel support information security operations 24 hours per day, seven days per week. Allstate’s incident response program is designed to detect, respond and recover from a range of cybersecurity-related incidents.

Allstate conducts risk and control assessments to proactively identify cybersecurity threats impacting the organization’s business processes. The Company conducts enterprise threat-based risk assessments for multiple aspects of the business, including applications, infrastructure, environments and business processes. Allstate documents the identified risks, tracking them based on potential impact and the likelihood of them occurring. Allstate performs control effectiveness tests, vulnerability scans and penetration tests to assess controls and proactively identify vulnerabilities for prioritization and remediation. Findings are managed and tracked in accordance with Allstate’s governance, risk and compliance standards.
We also have a cybersecurity resiliency strategy that will enhance our ability to anticipate, withstand and recover from cybersecurity attacks and maintain the availability of our critical business operations. Cybersecurity resiliency plans improve our recovery speed to protect Allstate and its customers against adverse impacts due to ransomware and other cybersecurity events.
Company Information
Name | ALLSTATE CORP |
CIK | 0000899051 |
SIC Description | Fire, Marine & Casualty Insurance |
Ticker | ALL - NYSE, ALL-PH - NYSE, ALL-PB - NYSE, ALL-PI - NYSE, ALL-PJ - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |