Operations and Financial Risk Management

Operations and Financial Risk Management

We operate our business with integrity and manage financial risk.

To learn more, download our Corporate Social Responsibility (CSR) Report.

Code of Ethics

We will operate with integrity and trust. These qualities aren't merely desirable in our industry - they're critical to maintaining the stability and longevity that our customers and stakeholders expect. We value our reputation as an ethical company and work to ensure that people at all levels of AFG understand their role in upholding it.


Enterprise Risk Management

  • We maintain a rigorous Enterprise Risk Management process with input from senior leaders across operations, finance, accounting, human resources, information technology and other areas.
  • 100% - Employees of AFG and its insurance subsidiaries who are required to participate in annual conflict-of-interest and information security training.
  • 100% - Employees who receive education on security awareness strategies through the year to help keep them safe both at work and home.

Board Oversight Function of Enterprise Risk

  • AFG’s Board of Directors and the Audit Committee receive reports from the Chief Information Security Officer regarding cybersecurity risks and the steps management has taken to monitor and control such risks.
  • The Audit Committee reviews and discusses AFG’s cybersecurity program at least on a quarterly basis.
  • AFG undergoes an SSAE 18 SOC 2 (Statement on Standards for Attestation Engagements No. 18 Service Organization Control 2 report) examination conducted by an independent external firm annually.
  • We validate compliance with our internal data security controls through the use of security monitoring utilities and internal and external audits.
  • In addition, we proactively perform self-assessments against industry-leading cybersecurity frameworks for standards, guidelines, and best practices, including the National Institute of Standards and Technology (NIST) Cybersecurity framework.
  • Over the last three years, however, AFG has not experienced any material adverse events and has not paid any penalties or settlements related to an information security breach. The Company maintains a comprehensive cybersecurity risk insurance policy from an unaffiliated third-party insurer.

Ongoing Commitment to Risk Management

  • Use processes and technology designed to conform with the National Institute of Standards and Technology (NIST) Cybersecurity framework.
  • SSL (TLS) encryption, providing the top tier of security.
  • Information technology controls governed by Sarbanes-Oxley, subject to regular compliance audits.
  • Company laptops and desktops that utilize full-disk encryption.
  • Annual security awareness training and routinely scheduled educational programming.
  • Regular phishing testing of all employees and Board members, as well as additional cybersecurity training for those who fall victim to the tests.
  • A dedicated team of cybersecurity professionals who are regularly trained on best practices for combatting advanced cyber threats.
  • A comprehensive incident response team involving the AFG Information Technology Group and key business departments, in addition to a dedicated team of cybersecurity professionals.

Protect Us. Protect You. Program

  • Protecting the Company from cybercrime is part of our culture.
  • Through this Program, we emphasize education and awareness.
  • All employees receive education about security awareness strategies throughout the year to help keep them safe both at work and at home.
  • Employees also participate in cybersecurity awareness training annually.