Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
As a multi-line insurance company, our business operations rely upon secure information technology systems for data processing, storage, and reporting. We maintain a cybersecurity risk management program based on recognized standards like the National Institute of Standards and Technology Cybersecurity Framework, other industry standards, and contractual requirements. The Chief Information Security Officer (CISO) oversees the cybersecurity program, which includes employee education, proactive threat investigation, prompt response to potential incidents, third party service providers, and other facets of a cybersecurity risk management program. Despite security and controls design, the information technology systems could become subject to cyberattacks. Unauthorized access to or unintentional dissemination of confidential, highly sensitive customer, employee, or company data through breach in our facilities, networks, or databases, or those of our agents or third-party information technology and software vendors, could result in loss or theft of assets or operational disruption. During the last fiscal year, we did not identify any material effect from actual or risks of cybersecurity events.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
As a multi-line insurance company, our business operations rely upon secure information technology systems for data processing, storage, and reporting. We maintain a cybersecurity risk management program based on recognized standards like the National Institute of Standards and Technology Cybersecurity Framework, other industry standards, and contractual requirements. The Chief Information Security Officer (CISO) oversees the cybersecurity program, which includes employee education, proactive threat investigation, prompt response to potential incidents, third party service providers, and other facets of a cybersecurity risk management program. Despite security and controls design, the information technology systems could become subject to cyberattacks. Unauthorized access to or unintentional dissemination of confidential, highly sensitive customer, employee, or company data through breach in our facilities, networks, or databases, or those of our agents or third-party information technology and software vendors, could result in loss or theft of assets or operational disruption. During the last fiscal year, we did not identify any material effect from actual or risks of cybersecurity events.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
The CISO is responsible for developing, maintaining, and enforcing cybersecurity and cyber risk-related policies; ensuring the Company and its subsidiaries satisfy requirements of relevant regulations and third-party risk assessments; identifying and keeping abreast of developing security threats; as well as overseeing and implementing regular security awareness training of all employees on cybersecurity. For example, we adjust our policies, standards, and processes based on assessment results. In leading the cybersecurity risk management program, the CISO regularly works with other divisions of the company, including legal, compliance, IT, audit, and others to address potential risk from external threats, internal actions, and relationships with third-party service providers.
Horace Mann’s CISO has more than two decades of experience in IT, including network, infrastructure, and cybersecurity. Before coming to Horace Mann, he led perimeter security at a publicly traded company, and the cybersecurity team of more than 150 members at another publicly traded company. In addition to the CISO, our internal cybersecurity team also works with third-party cybersecurity vendors to both mature the cybersecurity program and assess, monitor, and respond to cybersecurity threats.
The Board of Directors exercises risk management oversight, including cybersecurity risk, through the Audit Committee. The Audit Committee receives quarterly reports on our risk management program. These include regular reports from the CISO on the state of our cybersecurity risk management program and updates on cybersecurity matters, key cybersecurity initiatives, risk mitigation efforts, and assessments of emerging threats.
The CISO is responsible for identifying and reporting any cybersecurity incidents to the Disclosure Committee. A preliminary assessment of nature and scope of potential incidents is conducted by a cross-functional team, including information security, compliance, legal, and other participants as necessary. Using a risk-based process, incidents are escalated to the Disclosure Committee. The Disclosure Committee is composed of senior executives from across Horace Mann and has oversight over SEC disclosure controls. After notification, the Disclosure Committee or designated subgroup would review known information and develop an action plan, which would include Board outreach, expert retention, insurance notification, communication plans, and a materiality assessment.
While we and our IT providers employ appropriate security technologies to address the rapidly changing and evolving IT environment (including data encryption processes, intrusion detection systems), conduct comprehensive risk assessments, and other internal control procedures to assure the security of our and our customers' data, we acknowledge that no system can completely eliminate cyber attacks and the security technologies and program can provide only reasonable assurance that these objectives will be met. Further, the design of any cybersecurity risk management program or control system must reflect the fact that there are resource constraints, and the benefits must be considered relative to their costs. As a result, the possibility of material financial loss remains despite our significant and comprehensive cybersecurity efforts. An investor should carefully consider the risks, and all other information set forth in this Annual Report on Form 10-K, including disclosures in Part I - Item 1A—Risk Factors.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
The Board of Directors exercises risk management oversight, including cybersecurity risk, through the Audit Committee. The Audit Committee receives quarterly reports on our risk management program. These include regular reports from the CISO on the state of our cybersecurity risk management program and updates on cybersecurity matters, key cybersecurity initiatives, risk mitigation efforts, and assessments of emerging threats.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] These include regular reports from the CISO on the state of our cybersecurity risk management program and updates on cybersecurity matters, key cybersecurity initiatives, risk mitigation efforts, and assessments of emerging threats.
Cybersecurity Risk Role of Management [Text Block]
The CISO is responsible for developing, maintaining, and enforcing cybersecurity and cyber risk-related policies; ensuring the Company and its subsidiaries satisfy requirements of relevant regulations and third-party risk assessments; identifying and keeping abreast of developing security threats; as well as overseeing and implementing regular security awareness training of all employees on cybersecurity. For example, we adjust our policies, standards, and processes based on assessment results. In leading the cybersecurity risk management program, the CISO regularly works with other divisions of the company, including legal, compliance, IT, audit, and others to address potential risk from external threats, internal actions, and relationships with third-party service providers.
Horace Mann’s CISO has more than two decades of experience in IT, including network, infrastructure, and cybersecurity. Before coming to Horace Mann, he led perimeter security at a publicly traded company, and the cybersecurity team of more than 150 members at another publicly traded company. In addition to the CISO, our internal cybersecurity team also works with third-party cybersecurity vendors to both mature the cybersecurity program and assess, monitor, and respond to cybersecurity threats.
The Board of Directors exercises risk management oversight, including cybersecurity risk, through the Audit Committee. The Audit Committee receives quarterly reports on our risk management program. These include regular reports from the CISO on the state of our cybersecurity risk management program and updates on cybersecurity matters, key cybersecurity initiatives, risk mitigation efforts, and assessments of emerging threats.
The CISO is responsible for identifying and reporting any cybersecurity incidents to the Disclosure Committee. A preliminary assessment of nature and scope of potential incidents is conducted by a cross-functional team, including information security, compliance, legal, and other participants as necessary. Using a risk-based process, incidents are escalated to the Disclosure Committee. The Disclosure Committee is composed of senior executives from across Horace Mann and has oversight over SEC disclosure controls. After notification, the Disclosure Committee or designated subgroup would review known information and develop an action plan, which would include Board outreach, expert retention, insurance notification, communication plans, and a materiality assessment.
While we and our IT providers employ appropriate security technologies to address the rapidly changing and evolving IT environment (including data encryption processes, intrusion detection systems), conduct comprehensive risk assessments, and other internal control procedures to assure the security of our and our customers' data, we acknowledge that no system can completely eliminate cyber attacks and the security technologies and program can provide only reasonable assurance that these objectives will be met. Further, the design of any cybersecurity risk management program or control system must reflect the fact that there are resource constraints, and the benefits must be considered relative to their costs. As a result, the possibility of material financial loss remains despite our significant and comprehensive cybersecurity efforts. An investor should carefully consider the risks, and all other information set forth in this Annual Report on Form 10-K, including disclosures in Part I - Item 1A—Risk Factors.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The CISO is responsible for developing, maintaining, and enforcing cybersecurity and cyber risk-related policies; ensuring the Company and its subsidiaries satisfy requirements of relevant regulations and third-party risk assessments; identifying and keeping abreast of developing security threats; as well as overseeing and implementing regular security awareness training of all employees on cybersecurity. For example, we adjust our policies, standards, and processes based on assessment results. In leading the cybersecurity risk management program, the CISO regularly works with other divisions of the company, including legal, compliance, IT, audit, and others to address potential risk from external threats, internal actions, and relationships with third-party service providers.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Horace Mann’s CISO has more than two decades of experience in IT, including network, infrastructure, and cybersecurity. Before coming to Horace Mann, he led perimeter security at a publicly traded company, and the cybersecurity team of more than 150 members at another publicly traded company. In addition to the CISO, our internal cybersecurity team also works with third-party cybersecurity vendors to both mature the cybersecurity program and assess, monitor, and respond to cybersecurity threats.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The CISO is responsible for identifying and reporting any cybersecurity incidents to the Disclosure Committee. A preliminary assessment of nature and scope of potential incidents is conducted by a cross-functional team, including information security, compliance, legal, and other participants as necessary. Using a risk-based process, incidents are escalated to the Disclosure Committee. The Disclosure Committee is composed of senior executives from across Horace Mann and has oversight over SEC disclosure controls. After notification, the Disclosure Committee or designated subgroup would review known information and develop an action plan, which would include Board outreach, expert retention, insurance notification, communication plans, and a materiality assessment.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true