HCI Group, Inc. 10-K Cybersecurity GRC - 2024-03-08

Page last updated on April 11, 2024

HCI Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-08 16:04:20 EST.

Filings

10-K filed on 2024-03-08

HCI Group, Inc. filed an 10-K at 2024-03-08 16:04:20 EST
Accession Number: 0000950170-24-028620

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C Cyber security We rely on digital technology to conduct our businesses and interact with customers, policyholders, agents, and vendors. With this reliance on technology comes the associated security risks from using today s communication technology and networks. Risk Management and Strategy The goal of our cybersecurity risk management strategy is to protect the privacy, integrity, and availability of our critical systems and information. Our processes identify, assess, and manage material risk from cybersecurity threats as part of our entity-wide risk management efforts. To safeguard our data and the data of our customers, management utilizes a multi-layered approach consisting first of an external security operations center company that specializes in the detection and containment of cyber-attacks. For protection of endpoint devices connected to our network, we use the tailored security software of a third-party consultant company for managed detection and response. Perimeter defense technology is used to filter e-mail for threats from malware viruses and e-mail phishing attempts. We also detect threats through the use of our firewalls that monitor incoming and outgoing network traffic. Tools utilized to prevent threats include multifactor authentication, e-mail security services, mobile e-mail security policies, virtual private networks, third-party security experts, and timely applied software patches, among others. We engage in annual penetration testing, disaster recovery testing, internal and external audits of our cybersecurity controls and simulated cyberattack scenarios to gauge our preparedness for these situations. In addition, employees are required to pass a mandatory cybersecurity training course annually and receive periodic phishing simulations to facilitate recognizing phishing attempts. We carry Cyber Insurance which includes access to a Cyber Incident Response team in the case of a cybersecurity event. Management of cybersecurity also extends to third-party service providers we use for specialized purposes such as payroll processing, investment tracking, regulatory financial reporting, and equity compensation plan administration. Our communication with these providers is protected by the safeguards within our security operation center. In addition, we annually obtain a Service Organization Controls (SOC) report on the suitability and operating effectiveness of the providers controls, known as a SOC 1 Type 2 Report. The report is prepared by an independent service auditor. We review such reports to confirm the existence of effective controls over unauthorized access at third party service providers. We respond to cybersecurity events in accordance with our Cyber Security Incident Response Plan (CSIRP), which follows the guidance of the National Institute of Standards and Technology Cybersecurity Framework and provides for assessment, mitigation, and if necessary, remediation of any effects of a system breach. We also conduct annual breach simulations with internal information technology teams to test each step of our CSIRP. There have been no cybersecurity events in the past that have materially affected the Company s business strategy, results of operations, or financial condition. Although we believe our defenses against cyber-intrusions are sufficient, we continue to update our prevention programs to respond to sophisticated and rapidly evolving attempts to overcome our security measures. Such continuing threats could have a variety of adverse business impacts. See Item 1A Risk Factors under the heading Security and fraud risks above for additional information on risks to our business from cybersecurity incidents and related matters. Governance Cybersecurity is a critical component of our overall risk management process. Our Board of Directors oversees our cybersecurity efforts as delegated to and performed by senior management which is responsible for the identification and assessment of material risks from cybersecurity incidents. The members of management responsible for managing cybersecurity threats are HCI Group s Director of Information Technology (IT) and its Network Security Manager, and the Chief Operating Officer of Exzeo USA, Inc., TTIG s software development and IT company. Both the Director of IT and the Chief Operating Officer have extensive experience in managing information systems including the defense of computer networks against cyber intrusions. The Network Security Manager is dedicated to overseeing our multi-layered cybersecurity defenses and leads monthly security meetings attended by IT managers. Our Board receives periodic reports on cybersecurity risks and any material cybersecurity incidents. One member of our Board of Directors, Paresh Patel, has information technology expertise. 19

Company Information