BRP Group, Inc. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

BRP Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 16:30:11 EST.

Filings

10-K filed on 2024-02-28

BRP Group, Inc. filed a 10-K at 2024-02-28 16:30:11 EST
Accession Number: 0001781755-24-000016


Item 1C. Cybersecurity.

We face significant and persistent cybersecurity risks due to: the scope of geographies, networks and systems we must defend against cybersecurity attacks; the complexity, technical sophistication, value, and widespread use of our systems, products and processes; the attractiveness of our systems, products and processes to threat actors (including state-sponsored organizations) seeking to inflict harm on us or our Clients; and our use of third-party products, services and components.

While we have not, as of the date of this Form 10-K, experienced a cybersecurity threat or incident that resulted in a material adverse impact to our business or operations, there can be no guarantee that we will not experience such an incident in the future. Such incidents, whether or not successful, could result in our incurring significant costs related to, for example, rebuilding our internal systems, implementing additional threat protection measures, providing modifications or replacements to our products and services, defending against litigation, responding to regulatory inquiries or actions, paying damages, providing Clients with incentives to maintain a business relationship with us, or taking other remedial steps with respect to third parties, as well as incurring significant reputational harm. In addition, these threats are constantly evolving, thereby increasing the difficulty of successfully defending against them or implementing adequate preventative measures. We seek to detect and investigate unauthorized attempts and attacks against our network, products and services, and to prevent their occurrence and recurrence where practicable through changes or updates to our internal processes and tools and changes or updates to our products and services; however, we remain potentially vulnerable to known or unknown threats. In some instances, we, our trading partners, our Clients, and our service providers and contractors can be unaware of a threat or incident or its magnitude and effects. Further, there is increasing regulation regarding responses to cybersecurity incidents, including reporting to regulators, which could subject us to additional liability and reputational harm. Refer to Item 1A. Risk Factors of this Annual Report on Form 10-K for more information on our cybersecurity risks.

Our business involves the storage and transmission of a significant amount of confidential and sensitive information. As a result, we take the confidentiality, integrity and availability of this highly sensitive information seriously and invest significant time, effort and resources into protecting such information. Our cybersecurity strategy was designed with the foregoing principles in mind and prioritizes detecting and responding to threats and effective management of security risks.

To implement our cybersecurity strategy, we maintain various safeguards to secure the data we hold, including encrypting sensitive data, utilizing a robust 24/7/365 security monitoring system, regularly assessing product features for security vulnerabilities, conducting continuous internal penetration tests, and leveraging multi-factor authentication to help effectively protect sensitive information and appropriate access rights. We also have data and cybersecurity protection and control policies to facilitate a secure environment for sensitive information and to preserve the availability of critical data and systems.

We have processes in place to assess and manage vendor cybersecurity risks, which include initial and periodic security program reviews through the use of third party vendors who specialize in this subject matter.

We have engaged our independent, internal audit team that reports directly to the Chair of the Audit Committee of our board of directors to audit our adherence to our cybersecurity policies. These audits help us assess our internal preparedness, adherence to best practices and industry standards, and compliance with applicable laws and regulations as well as help us to identify areas for continued focus and improvement.

We conduct annual information security awareness training for employees involved in the systems or processes connected to confidential and sensitive information. We also carry insurance that provides certain, limited protection against potential losses arising from a cybersecurity incident.

The Technology & Cyber Risk Committee of our board of directors (the TCRC) is responsible for overseeing and reviewing our cybersecurity program and cybersecurity risk exposure and the steps taken to monitor and mitigate such exposure. The TCRC updates the full board of directors on cybersecurity matters periodically.

Our information security team for IAS, MIS and Corporate is led by our Chief Digital & Information Officer (CDIO), who also serves as our Chief Information Security Officer (CISO) for IAS, MIS and Corporate. Our CDIO/CISO reports to our President, BRP & CEO, Retail Brokerage Operations. Our CDIO/CISO has served in the role since 2021 and has experience in application security, intrusion detection, penetration testing, complex threat modeling, and unconventional cyber-attack vectors, having previously led technology teams at Comerica Bank, HSBC, Citibank and General Electric. Our CDIO/CISO oversees a team of information security professionals who are devoted full time to assessing and managing cybersecurity threats on a day-to-day basis. Our CDIO/CISO attends each quarterly meeting of the TCRC to brief members on information security matters and discuss cybersecurity risks generally.

Our information security team for UCTS is led by our President of Digital Strategy & Innovation (PDSI), who also serves as our CISO for UCTS. Our PDSI/CISO reports to our President, BRP & CEO, Underwriting, Capacity and Technology Operations. Our PDSI/CISO has served in the role since 2022 and has experience in application security, intrusion detection, penetration testing, complex threat modeling, and unconventional cyber-attack vectors, having previously led technology teams at Crum & Forster, QBE North America, QBE FIRST, N.E.W. Customer Service Companies, Inc. and Wipro Technologies. Our PDSI/CISO oversees a team of information security professionals who are devoted full time to assessing and managing cybersecurity threats on a day-to-day basis. Our PDSI/CISO also attends each quarterly meeting of the TCRC to brief members on information security matters and discuss cybersecurity risks generally.

In addition, our management team has established an internal Cyber Steering Committee (the Cyber SteerCo), which includes processes designed to identify, assess, categorize, and monitor key current and evolving risks facing us, including cybersecurity risks. Each of the CDIO/CISO and PDSI/CISO sit on the Cyber SteerCo along with our General Counsel and former CISO. Management is made aware of current and evolving cybersecurity risks through the Cyber SteerCo reporting. Furthermore, in the event of a material or potentially material cybersecurity event, senior members of management are promptly informed of such event and oversee triage, response, and disclosure efforts pursuant to the terms of a documented incident response plan.


Company Information

Name: BRP Group, Inc.
CIK: 0001781755
SIC Description: Insurance Agents, Brokers & Service
Ticker: BRP - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30