CCC Intelligent Solutions Holdings Inc. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

CCC Intelligent Solutions Holdings Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 17:10:55 EST.

Filings

10-K filed on 2024-02-28

CCC Intelligent Solutions Holdings Inc. filed a 10-K at 2024-02-28 17:10:55 EST
Accession Number: 0000950170-24-022253


Item 1C. Cybersecurity.

Cybersecurity Disclosures

Cybersecurity is the responsibility of our Chief Information Security Officer (CISO) who oversees an information security team responsible for maintaining the confidentiality, integrity, and accessibility of data within CCC while continuously monitoring for and responding to cybersecurity threats, with oversight by our EVP, Chief Product and Technology Officer who is responsible for all of our information technology systems. Our Chief Information Security Officer has 18 years of experience managing risks from security threats and developing and implementing security policies and procedures, as well as relevant degrees and certifications, including a bachelor of science in information systems and cybersecurity and being a Certified Information Security Manager and a Certified Information Systems Security Professional. Our EVP, Chief Product and Technology Officer has over three decades of experience in the technology industry and holds a bachelor of science in computer science.

Our Board of Directors has tasked the Audit Committee with oversight of enterprise risk management, including cybersecurity risk management. Our CISO or EVP, Chief Product and Technology Officer briefs the Audit Committee on cybersecurity risks at each of the quarterly meetings of the Audit Committee. These briefings include assessments of cyber risks, the threat landscape, updates on incidents, and reports on our investments in cybersecurity risk mitigation and governance. The Audit Committee and/or the EVP, Chief Product and Technology Officer also regularly briefs the entire Board on cybersecurity matters.

Our cybersecurity strategy prioritizes detection, analysis and response to known, anticipated or unexpected threats, effective management of security risks and resiliency against incidents.

Our cybersecurity risk management processes include technical security controls, policy enforcement mechanisms, monitoring systems, contractual arrangements, tools and related services from third-party providers, and management oversight to assess, identify and manage risks from cybersecurity threats. We implement risk-based controls to protect our information, the information of our customers and other third parties, our information systems, our business operations, and our products and related services. We have adopted security-control principles based on the National Institute of Standards and Technology Cybersecurity Framework (NIST) and contractual, industry and regulatory best practices and requirements.

Our written Cybersecurity Incident Response Program coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, and includes processes to prepare for, assess severity of, escalate information about, contain, eradicate, and recover from the incident, as well as to conduct post-incident activities, including reporting and conducting root cause analysis and remediation activities. Our incident response policies and the cybersecurity posture are subject to annual testing to evaluate our adherence to policies and compliance requirements. Policies and practices are reviewed periodically to improve processes and practice. We carry cybersecurity insurance to provide a level of financial protection should a covered incident occur.

Our cybersecurity and privacy program includes mandatory annual training for all employees and contractors reinforced by targeted phishing tests. The annual training includes training on how to identify potential cybersecurity and privacy risks and protect our resources and information. Additionally, we provide additional specialized security training for employees in roles relating to product development or information technology.

While we believe our cybersecurity and privacy program to be appropriately designed in light of the risks we have identified, we have experienced, and may in the future experience, whether directly or through our supply chain or other channels, cybersecurity incidents. While prior incidents have not had a material impact on us, future incidents could have a material impact on our business strategy, results of operations or financial condition. See "Risk Factors: Our solutions or our third-party cloud providers have experienced in the past, and could experience in the future, data security breaches, which could adversely impact our reputation, business, and ongoing operations."


Company Information

Name: CCC Intelligent Solutions Holdings Inc.
CIK: 0001818201
SIC Description: Services-Prepackaged Software
Ticker: CCCS - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30