TRUPANION, INC. 10-K Cybersecurity GRC - 2024-02-26

Page last updated on April 11, 2024

TRUPANION, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-26 21:42:24 EST.

Filings

10-K filed on 2024-02-26

TRUPANION, INC. filed an 10-K at 2024-02-26 21:42:24 EST
Accession Number: 0001371285-24-000029

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity As part of its oversight of our company, our board of directors is involved in overseeing our risk management program. Cybersecurity is an important component of overall enterprise risk management ( ERM ). Our cybersecurity processes are fully integrated into our ERM program and are based on recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and industry standards and regulations, including the NYDFS Cybersecurity Regulation and PCI DSS. We address cybersecurity risks through an approach that focuses on preserving the confidentiality, integrity, and availability of our assets, including the information we collect and store, by identifying, preventing, and mitigating cybersecurity threats and effectively responding to cybersecurity incidents as they occur. Risk Management and Strategy Our cybersecurity risk management program focuses on the following key areas: Technical Safeguards. We utilize technical safeguards that are designed to protect our assets from cybersecurity threats. These safeguards include firewalls, intrusion prevention and detection systems, Managed Detection and Response, antimalware and access controls solutions, which we evaluate and improve through security assessments and threat intelligence. Incident Response and Recovery Planning. We have established and maintained incident response and recovery plans that address how we respond to cybersecurity incidents, and we test and evaluate these plans on a regular basis. Third-Party Risk Management. We maintain a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including software and services vendors, Territory Partners and other external users of our systems and those of third parties that could adversely impact our business in the event of a cybersecurity incident. Education. We provide regular, mandatory training for all team members regarding general security concepts, cybersecurity, and physical threats. The training is designed to equip team members to identify and properly respond to a variety of cybersecurity threats and risks, as well as to communicate our processes. Governance. We maintain a management Risk Committee that assists with our ERM function. We also utilize a virtual Chief Information Security Officer ( vCISO ) and other members of senior management and our IT team to support our risk management program. Our board of directors receives regular reports regarding our ERM function to support its oversight responsibilities, and we ensure our business units receive appropriate updates that may impact operations. Collaboration. Our processes are designed to identify, prevent, and mitigate cybersecurity threats and incidents and provide for prompt escalation when appropriate. This approach is cross-functional, drawing on the skills and experiences of our diverse team, and it is designed to allow management to make timely decisions regarding public disclosure and business matters. We periodically assess and test our cybersecurity processes. These efforts include a wide range of activities, such as audits, assessments, tabletop exercises, threat modeling and vulnerability testing focused on evaluating the effectiveness of our cybersecurity measures and planning. We regularly engage independent third parties to assess our cybersecurity measures, including audits and reviews of our information security control environment and operating effectiveness. The results of such assessments are reported to management’s Risk Committee and to our board of directors. We adjust our cybersecurity documentation, processes, and practices as necessary based on the information provided by these assessments, audits, and reviews. Governance Our board of directors, in coordination with our internal Risk Committee, oversees our ERM function, including the management of risks arising from cybersecurity threats. Our board of directors receives regular updates on cybersecurity matters from management’s Risk Committee and from the Information Security Committee, which is comprised of Information Technology and Security leadership and oversees operational aspects of our cybersecurity program. Those updates to our board of directors address a wide range of topics that may include information on recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, and information security considerations with respect to our partners and third parties. Our board of directors and management’s Risk Committee also receive prompt information regarding any cybersecurity incident that meets established reporting thresholds and ongoing updates on any such incident until it has been addressed. Our Information Security Committee and vCISO annually report on the status of our cybersecurity program and meet with our board of directors to discuss our approach to cybersecurity and risk management. 34 Our Information Security Committee and vCISO, in coordination with management’s Risk Committee, work collaboratively to implement a program designed to protect our assets from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with our incident response and recovery plans. To facilitate the success of our cybersecurity risk management program, we deploy multidisciplinary teams to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, our Information Security Committee monitors the prevention, detection, mitigation, and remediation of cybersecurity threats and incidents in real-time and report such threats and incidents to management’s Risk Committee when appropriate. Our vCISO has served in various information technology, security, and privacy roles for over 25 years, including as the Chief Information Security Officer for several large public companies. Our vCISO holds undergraduate and graduate degrees in business administration and law, including specialties in information systems management and legal risk and compliance. Additionally, he has attained professional certifications in information security, auditing and assessment, and threat intelligence. Cybersecurity threats, including those related to previous cybersecurity incidents, have not materially affected and are not reasonably likely to affect us, our business strategy, operations, or financial condition.

Company Information