Cigna Group 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

Cigna Group described its cybersecurity risk management and governance process in an annual report on Form 10-K filed on 2025-02-27 13:38:15 EST.

Filings

10-K filed on 2025-02-27

Cigna Group filed a 10-K at 2025-02-27 13:38:15 EST
Accession Number: 0001739940-25-000009


Item 1C. Cybersecurity.

Cybersecurity Strategy and Risk Management

Our comprehensive cybersecurity program is supported by policies and procedures designed to protect our systems and operations as well as the sensitive personal information and data of our clients and customers from foreseeable cybersecurity threats. This program is an integral component of our enterprise risk management program. Core to our security model is our defense-in-depth framework, comprising multiple layers of processes and technologies that help prevent, detect and respond to threats. Our approach to safeguarding against external threats incorporates a suite of preventive technologies, including malicious email blocking, defenses against automated attacks and multifactor authentication. Event monitoring technologies run continuously, detecting suspected intrusion attempts and alerting our Cybersecurity Incident Response Team. We undertake a number of critical security processes to mitigate and protect against cybersecurity risks, which include but are not limited to (i) identity and access management; (ii) security awareness and training; (iii) security operations and monitoring; (iv) change management; (v) disaster recovery/business continuity; (vi) intelligence feeds; (vii) physical security; (viii) third-party vendor security reviews; (ix) vulnerability management/patching; and (x) cybersecurity incident reporting. We routinely manage cybersecurity risks through a defined framework that includes activities aimed at the identification, assessment, treatment and monitoring of risks. Cybersecurity risk assessment results are used by senior management to make informed decisions about where to allocate resources to reduce cybersecurity risks and improve overall security posture.
We examine our entire program annually with third parties and measure the program against generally accepted industry standards and frameworks, such as an internationally recognized security control framework established by the NIST and used by companies to assess and improve their ability to prevent, detect and respond to cyberattacks. Our cybersecurity policies and standards are reviewed annually and are mainly guided by the NIST 800-53 Cybersecurity Framework. In addition to the NIST framework, we leverage the International Organization for Standardization 27001 and 27002 standards. Our information protection policies and standards are informed by NIST 800-53b, moderate-level security control baseline requirements. To enhance our preparedness and practice our collective cybersecurity response capabilities, we conduct tabletop exercises with leaders, stakeholders, subject matter experts and certain executives that are developed in partnership with external security experts. These events are designed to exercise and engage some of the most critical areas of cybersecurity incident response and preparedness through an interactive/evolving, simulated scenario. In addition to these internal measures, the effectiveness of components of our overall cybersecurity program is frequently evaluated by external third parties, which includes work performed over various levels of control assessments for specific business lines and core processes. These include Health Information Trust Alliance for health care data security, PCI DSS for payment security and System Organization Controls 2 for information security and related controls for specific business lines and core processes. We also perform an annual maturity assessment and benchmark our security controls to identify opportunities to strengthen our cybersecurity program. 
As part of our Global Threat Management Program, a dedicated Incident Handling Team, comprising both technical and management personnel, determines the severity of a validated cybersecurity event across the enterprise and is responsible for the development and ongoing maintenance of our comprehensive Global Incident Response Plan (“GIRP”). The GIRP is reviewed quarterly at a minimum but may be updated as needed based on lessons learned, changes in key teams or processes or other circumstances as warranted, and the procedures therein are tested annually. The GIRP’s incident handling procedures dictate our actions during each phase of an incident, including the assembly of a broad, cross-functional Computer Security Incident Response Team, the formulation of a response, and post-incident reviews and corrective actions. Our information protection department maintains a risk register that is used to manage cybersecurity risks associated with its business activities, technology assets and its interaction with business, information technology and security parties, internal and external. Cybersecurity risks are also periodically reviewed by Enterprise Risk Management to ensure appropriate oversight of cybersecurity risk management activities. Suppliers that have access to, host or transmit our data are contractually required to comply with our Security Policies and Standards. Additionally, suppliers may be subject to periodic security audits or risk assessments, which include security questionnaires, security capabilities and maturity assessments, controls evidence reviews, application vulnerability assessments, public internet presence monitoring, and alignment reviews with service-specific industry standards. Follow-up activities are performed as needed. Contracts with suppliers also include critical security requirements, such as right to audit, technology requirements and hiring practices, including background checks for those who have access to our network. 
To further ensure supplier resilience and continuity, we regularly evaluate and assess our critical supplier relationships and business continuity plans, enabling us to quickly adapt and maintain operations in the event of prolonged disruption. As of the date of this report, we do not believe that any risks from any cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. That said, as discussed more fully under Part I, Item 1A “Risk Factors - Strategic and Operational Risks - As a large global health company, we and our vendors are subject to cyberattacks or other privacy or data security incidents. If we are unable to prevent or contain the effects of any such attacks, or fail to ensure vendors do the same, we may suffer exposure to substantial liability, reputational harm, loss of revenue or other damages,” the sophistication of cybersecurity threats continues to increase, and the preventive actions we take to reduce the risk of cybersecurity incidents and protect our systems and information may become insufficient. Accordingly, no matter how well designed or implemented our controls are, we will not be able to anticipate all attacks of these types, and we may not be able to implement effective preventive measures against such security breaches in a timely manner.

Cybersecurity Governance

Our Board has ultimate oversight over our privacy and cybersecurity programs and strategy and is responsible for ensuring that we have risk management policies and processes in place to meet and mitigate evolving risks and threats. Certain members of the Board have cybersecurity certifications. The Board executes this oversight directly and through both the Audit Committee, for cybersecurity purposes, and the Compliance Committee, for privacy purposes.
In these capacities, these committees are regularly briefed by the Global Chief Information Security Officer (“GCISO”) and Chief Privacy Officer on cybersecurity and privacy matters. These briefings are designed to provide visibility about the identification, assessment and management of critical risks, audit findings, and management’s risk mitigation strategies. Additionally, these briefings include information about current trends in the environment, incident preparedness, artificial intelligence and various components of our cybersecurity and privacy programs. On an annual basis, the Board reviews our cybersecurity program, including the threat landscape and related controls, and periodically conducts cybersecurity tabletop exercises. Our dedicated cybersecurity team is led by our GCISO. Our current GCISO joined the Company in October 2023 and works closely with senior management to develop and innovate the cybersecurity strategy and risk management. Prior to joining the team, our GCISO held senior information security roles at other global organizations where this individual defined information security strategies, built global information security programs, implemented cybersecurity capabilities that protect consumers, wholesale partners and brands, and oversaw the security of a global payment network, a corporate network and digital assets.


Company Information

Name: Cigna Group
CIK: 0001739940
SIC Description: Hospital & Medical Service Plans
Ticker: CI - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30