Palomar Holdings, Inc. 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

Palomar Holdings, Inc. reported its cybersecurity risk management and governance process in its annual 10-K, filed on 2024-02-23 16:45:12 EST.

Filings

10-K filed on 2024-02-23

Palomar Holdings, Inc. filed a 10-K at 2024-02-23 16:45:12 EST
Accession Number: 0001437749-24-005385


Item 1C. Cybersecurity.

We recognize that our business operations depend on the reliable and secure processing, storage, and transmission of confidential and other data and information in our computer systems and networks. We also recognize the importance of protecting customers' data and digital assets in our care. Therefore, identifying and assessing cybersecurity risk is integrated into our overall risk management systems and processes. We have created a layered security posture leveraging people, process, and technology to protect our information systems and our customers' data and digital assets. We maintain a suite of information security, privacy, and data protection related policies, standards, and procedures leveraging the National Institute of Standards and Technology (NIST) along with the COBIT 2019 framework to align with applicable laws, regulatory guidance, and industry best practices. We employ a security operations team led by our Chief Information and Security Officer, who has over 20 years of experience in information systems and security. Our security operations team is primarily responsible for the day-to-day assessment and management of material risks from cybersecurity threats. We require mandatory cybersecurity, privacy, and information handling training for all team members upon onboarding and on an annual basis thereafter. Additional role-based training is provided to the security, IT operations, and development teams. We also regularly communicate important cybersecurity updates to employees. To test the effectiveness of our training, a simulated phishing campaign is run monthly against all team members. We leverage a variety of tools to protect information. These tools include but are not limited to multifactor authentication, firewalls, intrusion detection, vulnerability and penetration testing, central log management, endpoint protection and patch management systems.

Our identity and access management systems include industry-leading products leveraged through our internally developed best practices. We also leverage threat hunting services that actively monitor for anomalies on our network and escalate these anomalies to our security operations team. We continue to mature our threat hunting, proactively searching for and identifying malicious attacks, and testing our cybersecurity posture to further enhance our cybersecurity programs. Our threat hunting includes comprehensive risk analysis of our assets along with routine external penetration testing from third-party providers. The Company also utilizes a third-party consultant to perform a cybersecurity risk assessment annually in which we measure the current state of our cybersecurity program using the NIST Cybersecurity Framework. The results of this assessment are used to identify possible gaps, risks, and areas requiring remediation. With the assistance of outside consultants, we have developed cybersecurity incident monitoring and reporting procedures. These procedures begin with continuously monitoring network hardware and applications for cybersecurity breaches and continuously identifying and recording any cybersecurity events. If appropriate, cybersecurity events are escalated as incidents and our incident management plan and incident response team are activated. Our incident management plan focuses on containing, eradicating, and recovering from a cybersecurity incident and following up as necessary. In addition, incidents are evaluated to determine materiality as well as business impact and reviewed for privacy impact. This evaluation may involve members of our Board of Directors and executive team as well as consultants such as our outside legal counsel and independent auditors. Our cybersecurity incident monitoring and reporting procedures are tested annually through a tabletop event involving the business and IT operations staff.

A tabletop event is a role-playing exercise simulating a real cybersecurity event, which aims to ensure that the plans still cover all relevant and critical services and that stakeholders are prepared. We continuously make cybersecurity improvements based on lessons learned from the tabletop exercises, enterprise risk assessments, and penetration testing. The ERM Committee of our Board of Directors is updated regularly on cybersecurity matters. The ERM Committee is comprised of select board members and select members of executive management and meets at least quarterly. During ERM meetings, our Chief Information and Security Officer discusses key areas of cyber risk and reviews key cybersecurity metrics and results of cybersecurity risk assessments and testing. In the event of a cybersecurity incident, our ERM Committee would also receive reports from our incident response team. The Board of Directors is briefed quarterly by the ERM Committee on cybersecurity matters, which would include threats, policies, practices, and the roadmap being implemented to improve the security posture. Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. For more information on our cybersecurity related risks, see Item 1A Risk Factors of this Annual Report on Form 10-K.


Company Information

Name: Palomar Holdings, Inc.
CIK: 0001761312
SIC Description: Fire, Marine & Casualty Insurance
Ticker: PLMR - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30