Page last updated on March 3, 2025
HORACE MANN EDUCATORS CORP /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 19:11:07 EST.
Filings
10-K filed on 2025-02-27
Accession Number: 0001628280-25-008838
Item 1C. Cybersecurity.
As a multi-line insurance company, our business operations rely upon secure information technology systems for data processing, storage, and reporting. We maintain a cybersecurity risk management program based on recognized standards like the National Institute of Standards and Technology Cybersecurity Framework, other industry standards, and contractual requirements. The Chief Information Security Officer (CISO) oversees the cybersecurity program, which includes employee education, proactive threat investigation, prompt response to potential incidents, third party service providers, and other facets of a cybersecurity risk management program.
Despite security and controls design, the information technology systems could become subject to cyberattacks. Unauthorized access to or unintentional dissemination of confidential, highly sensitive customer, employee, or company data through breach in our facilities, networks, or databases, or those of our agents or third-party information technology and software vendors, could result in loss or theft of assets or operational disruption. During the last fiscal year, we did not identify any material effect from actual or risks of cybersecurity events.
The CISO is responsible for developing, maintaining, and enforcing cybersecurity and cyber risk-related policies; ensuring the Company and its subsidiaries satisfy requirements of relevant regulations and third-party risk assessments; identifying and keeping abreast of developing security threats; as well as overseeing and implementing regular security awareness training of all employees on cybersecurity. For example, we adjust our policies, standards, and processes based on assessment results.
In leading the cybersecurity risk management program, the CISO regularly works with other divisions of the company, including legal, compliance, IT, audit, and others to address potential risk from external threats, internal actions, and relationships with third-party service providers. Horace Mann’s CISO has more than two decades of experience in IT, including network, infrastructure, and cybersecurity. Before coming to Horace Mann, he led perimeter security at a publicly traded company, and the cybersecurity team of more than 150 members at another publicly traded company. In addition to the CISO, our internal cybersecurity team also works with third-party cybersecurity vendors to both mature the cybersecurity program and assess, monitor, and respond to cybersecurity threats.
The Board of Directors exercises risk management oversight, including cybersecurity risk, through the Audit Committee. The Audit Committee receives quarterly reports on our risk management program. These include regular reports from the CISO on the state of our cybersecurity risk management program and updates on cybersecurity matters, key cybersecurity initiatives, risk mitigation efforts, and assessments of emerging threats.
The CISO is responsible for identifying and reporting any cybersecurity incidents to the Disclosure Committee. A preliminary assessment of nature and scope of potential incidents is conducted by a cross-functional team, including information security, compliance, legal, and other participants as necessary. Using a risk-based process, incidents are escalated to the Disclosure Committee. The Disclosure Committee is composed of senior executives from across Horace Mann and has oversight over SEC disclosure controls. After notification, the Disclosure Committee or designated subgroup would review known information and develop an action plan, which would include Board outreach, expert retention, insurance notification, communication plans, and a materiality assessment.
While we and our IT providers employ appropriate security technologies to address the rapidly changing and evolving IT environment (including data encryption processes, intrusion detection systems), conduct comprehensive risk assessments, and other internal control procedures to assure the security of our and our customers’ data, we acknowledge that no system can completely eliminate cyber attacks and the security technologies and program can provide only reasonable assurance that these objectives will be met. Further, the design of any cybersecurity risk management program or control system must reflect the fact that there are resource constraints, and the benefits must be considered relative to their costs. As a result, the possibility of material financial loss remains despite our significant and comprehensive cybersecurity efforts. An investor should carefully consider the risks, and all other information set forth in this Annual Report on Form 10-K, including disclosures in Part I - Item 1A-Risk Factors.
Company Information
Name | HORACE MANN EDUCATORS CORP /DE/ |
CIK | 0000850141 |
SIC Description | Fire, Marine & Casualty Insurance |
Ticker | HMN - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |