Goosehead Insurance, Inc. 10-K Cybersecurity GRC - 2024-02-21

Page last updated on April 11, 2024

Goosehead Insurance, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 20:37:13 EST.

Filings

10-K filed on 2024-02-21

Goosehead Insurance, Inc. filed an 10-K at 2024-02-21 20:37:13 EST
Accession Number: 0001726978-24-000018

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management At Goosehead, cybersecurity risk management is an integral part of our overall enterprise risk management system. Our cybersecurity risk management program is modeled after recognized data protection principles, such as the National Institute of Standards and Technology s Cybersecurity Framework (NIST CSF) and the National Association of Insurance Commissioners (NAIC) Data Security Model Law. These and other industry best practices provide the framework for identifying, monitoring, assessing and managing cybersecurity threats and incidents, including threats and incidents associated with the use of applications developed, and services provided, by third-party vendors and service providers, and facilitating coordination across different departments of the Company. Our cybersecurity team, led by our Managing Director, IT Security & Compliance, is responsible for assessing and maintaining our cybersecurity risk management program. We also have two cybersecurity committees, which 43 consist of cross-functional teams comprised of key business leaders and key technical leaders in the Company as well as the heads of our legal, governance, risk and compliance functions. The cybersecurity team identifies and assesses material cybersecurity risk by performing internal audits against cybersecurity controls and through regular consultations with, deliberation by, and recommendations from, our cybersecurity committees. Our cybersecurity team and cybersecurity committees utilize various tools and services to identify, monitor, assess and manage actual cybersecurity risk, including risks from cybersecurity threats associated with the use of third-party vendors and service providers. The cybersecurity team manages and maintains a risk register, incorporates risk mitigation items within our cybersecurity plans, conducts periodic reviews (primarily through our cybersecurity committees) of our mitigation and progress, and utilizes a third-party security risk management program both to screen third-party vendors and service providers prior to onboarding and to periodically re-evaluate existing third-party vendors and service providers based on risk classification. Our cybersecurity program includes steps for assessing the severity of a cybersecurity threat or incident, identifying the source of a cybersecurity threat or incident (including whether such cybersecurity threat or incident is associated with a third-party vendor or service provider), implementing cybersecurity countermeasures and mitigation strategies, and informing management and our board of directors of material cybersecurity threats and incidents. The cybersecurity team also conducts regular vulnerability assessments, and our cybersecurity and risk management teams perform annual risk assessments. We utilize a third party to conduct regular risk assessments of our new and existing third-party services and providers and a separate vendor performs penetration testing annually. All users of our information systems receive regular cybersecurity awareness training, and our cybersecurity team provides annual training to all employees. Cybersecurity Governance Management is responsible for identifying, monitoring, assessing and managing material cybersecurity risks on an ongoing basis by establishing processes designed to ensure that potential cybersecurity risks are monitored, putting in place appropriate mitigation and remediation measures, and maintaining cybersecurity programs. Our cybersecurity programs are under the direction of our Managing Director, IT Security & Compliance, who directs our cybersecurity team and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents. Our Managing Director, IT Security & Compliance, is a Certified Information Systems Security Professional (CISSP) with a Master’s in Cybersecurity and Information Assurance (MS-CIA) from WGU, and additional certifications are in cybersecurity, networking, and other IT-related topics, and over 16 years of experience in cybersecurity. As discussed above, we also have two cybersecurity committees which consist of cross-functional teams comprised of key business leaders and key technical leaders in the Company as well as the heads of our governance, risk and compliance functions. Each of our cybersecurity committees meets monthly to address cybersecurity risks. Management, including our Managing Director, IT Security & Compliance and our cybersecurity committees, updates our General Counsel on the Company s cybersecurity programs, material cybersecurity risks and mitigation strategies on a monthly basis. Our General Counsel provides quarterly cybersecurity reports to the board of directors that cover, among other topics, third-party assessments of the Company s cybersecurity programs and any updates to the Company s cybersecurity programs and mitigation strategies, and other cybersecurity developments. Our General Counsel will also provide updates on cybersecurity threats and incidents to the board of directors as part of our incident response processes, based on management s assessment of risk. Our board of directors has ultimate oversight responsibility for our overall enterprise risk management and is responsible for ensuring that management has processes in place designed to identify, monitor and evaluate cybersecurity risks to which the Company is exposed and to implement processes and programs to manage cybersecurity risks and mitigate cybersecurity incidents. Our General Counsel meets with the board of directors on at least a quarterly basis to review and discuss our cybersecurity and other information technology strategies and policies. In 2023, we did not identify any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats or incidents, or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, please see Risk Factors Risks relating to intellectual property, data privacy and cybersecurity in this annual report on Form 10-K. 44

Company Information