Hamilton Insurance Group, Ltd. 10-K Cybersecurity GRC - 2024-03-07

Page last updated on April 11, 2024

Hamilton Insurance Group, Ltd. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-07 16:23:53 EST.

Filings

10-K filed on 2024-03-07

Hamilton Insurance Group, Ltd. filed an 10-K at 2024-03-07 16:23:53 EST
Accession Number: 0001593275-24-000028

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy We prioritize assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include operational risks, fraud, extortion, and loss of confidential data. Identifying, assessing, and managing cybersecurity risk is integrated into our overall enterprise risk management systems and processes. Cybersecurity risks are identified and addressed in myriad ways, including implementing internal IT general controls, our Global Head of IT Operations & Chief Information Security Officer ( CISO ) participating in the Chief Information Security Officers Committee of Lloyd s Market Association and other communities to stay current on cybersecurity matters affecting the insurance industry, conducting internal IT audits around Hamilton s cyber security posture, and conducting scenario-based cybersecurity risk assessments to ensure the right controls are in place to address identified risks. To protect against, detect, and respond to cybersecurity incidents, we, among other things, require our employees to undergo annual cybersecurity awareness training, monitor emerging laws and regulations related to data protection and information security, utilize a variety of multilayered technical tools to conduct proactive privacy and cybersecurity vulnerability assessments of our systems and applications, including scanning for and resolving open tickets. Senior management, including our Chief Technology Officer & Chief Data Officer ( CTO ) and our CISO, in coordination with our legal and compliance teams, are responsible for implementing these measures, as well as being involved in all aspects of incident response and breach management processes. These processes involve six stages: 1) detection, 2) analysis, 3) containment, 4) eradication, 5) recovery, and 6) notification. Security events and data incidents are evaluated for severity and impact on our operations, business, and data, and our response is prioritized accordingly. Our security team collaborates with stakeholders across the company and forms strategies for addressing identified issues. This involves regularly testing, as part of our business continuity and disaster recovery strategies, our ability to restore our systems if they are impacted by a cybersecurity event or incident. As part of the above processes, we annually engage third-party advisors to perform penetration tests against our infrastructure. As part of our risk management program, we also assess third-party risks, including risks posed by vendors, suppliers, and other business partners. Cybersecurity practices and risks are evaluated when selecting third-party service providers and when negotiating contractual provisions related to security and privacy, including information security audit rights. Specifically, before engaging new critical IT vendors, we require them to complete questionnaires concerning their IT and security processes, controls, and certifications. The responses in these questionnaires are then reviewed by our CISO and assessed against a checklist of minimum requirements that must be met for Hamilton to consider the service provider to be a vendor of trust whose services may be used by our organization. Thereafter, we annually follow up with approved vendors for updated certifications. Although we identify and respond to small security events and risks as a normal part of our cybersecurity risk management processes, to date, there are no significant previous risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect Hamilton, including its business strategy, results of operations, or financial condition. There can be no guarantee that (i) our policies and procedures will be properly followed in every instance or that those policies and procedures will be effective or (ii) that there will not be incidents in the future or that they will not materially affect us, including our strategy, results of operations, or financial condition. (See Risks Related to Our Business and Industry We are subject to cybersecurity risks, including cyber-attacks, security breaches and other similar incidents with respect to our and our service providers information technology systems, which could result in regulatory scrutiny, legal liability or reputational harm, and we may incur increasing costs to minimize those risks." ) 88 Cybersecurity Governance Cybersecurity is important to our Board of Directors and management. On a quarterly basis, our CISO reports on cybersecurity matters to a risk committee comprised of a cross-functional management team ( Risk Committee ). He has reported on, among other things, cybersecurity risks and incidents, a business continuity and disaster recovery exercise, completed and ongoing cyber audits, security metrics and key performance indicators, penetration testing results and remediation progress, the status of Hamilton s data governance program, and cyber insurance coverage. The Risk Committee escalates important issues identified in these reports to our Audit Committee, to which our full Board of Directors, while having responsibility for risk management oversight generally, has delegated primary oversight of cybersecurity risks. In addition to quarterly reports to the Risk Committee, senior management, including our CTO and CISO, are responsible for directly reporting to the Audit Committee on cybersecurity matters. This includes reporting, on a quarterly basis and as significant matters arise, about existing and new cybersecurity risks, how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any), and status on key information security initiatives. The Audit Committee reports cybersecurity risks and other security matters to the full Board of Directors through a process in which it convenes the day before each quarterly Board meeting, it discusses cybersecurity matters with the full Board at the Board meeting, and its two chairpersons recap these discussions the following day. The members of senior management involved in managing our material risks from cybersecurity threats have extensive cybersecurity and IT experience. For example, prior to joining Hamilton, over the past two and a half decades, our CTO has held leadership roles in the areas of Software development, IT governance-, IT operations-, and security operations, ranging from executive director to chief technology officer. This experience spanned various companies, including an expert network/knowledge broker, an educational publishing company, a financial data vendor, a media conglomerate, and an investment bank. Among other things, he has provided leadership in building out global technology platforms, which have operated with multi-jurisdictional cybersecurity policies. He holds a Bachelor of Science degree in electronics and communications engineering, holds a Master s degree in computer science, and serves as a director on the board of ACORD, which is an organization responsible for setting digital standards for insurance and reinsurance companies globally. Our CISO has two decades of professional experience in various senior roles, such as Linux information systems engineer, Senior Network Engineer, Director of IT, Senior Leader Infrastructure Engineering and VP/CTO, within the financial services industry. He holds a Bachelor s degree in computer and network science and an electronics engineering degree.

Company Information