Hagerty, Inc. 10-K Cybersecurity GRC - 2024-03-12

Page last updated on April 11, 2024

Hagerty, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-12 10:42:33 EDT.


10-K filed on 2024-03-12

Hagerty, Inc. filed a 10-K at 2024-03-12 10:42:33 EDT
Accession Number: 0001840776-24-000022


Item 1C. Cybersecurity.

Risk Management and Strategy

Our cybersecurity strategy is predicated on a risk-based approach, which is continuously informed by the standards provided by organizations such as the American Institute of Certified Public Accountants, the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization, the Payment Card Industry, and others. Cybersecurity represents an important input to our overall approach to enterprise risk management (“ERM”).

Our cybersecurity program is based on a framework designed to safeguard the confidentiality, integrity, and availability of our information assets. This program encompasses enterprise security policies, procedures, and technical measures to manage risks, protect sensitive data, and ensure compliance with relevant regulations. Our information security program utilizes a layered defense approach where components such as risk assessments, access controls, network security, encryption, employee training, and continuous monitoring and response processes provide layers of protection for our systems and assets.

As part of our cybersecurity program, our information security team identifies and assesses material risks based on the NIST risk assessment model and then collaborates with internal business and technical partners to proactively create internal risk treatment plans that address identified risk exposures. In addition, we assess and manage cybersecurity risks through an incident security program which consolidates input from three primary departments, including our ERM department, which operates out of the Office of the Chief Financial Officer, our Privacy department which operates out of the Office of the Chief Legal Officer, and the Information Security department which operates out of the Office of the Chief Information Officer (“CIO”).
Together, these departments provide subject matter expertise and specialized resources to deliver concentric layers of risk management and defense against both internal and external threats.

In addition, our cybersecurity program includes third-party cyber risk assessments which evaluate the security posture of our vendors and partners to mitigate potential vulnerabilities introduced through external connections. Data loss prevention controls are systematically implemented to prevent unauthorized data exfiltration and to protect sensitive information from compromise.

Our information security program undergoes assessments conducted by both internal and external experts. The outcomes of these evaluations are communicated to senior management and the Board for review.

Governance

The Board, through the Audit Committee, oversees our risk assessment and risk management activities, including our cybersecurity program. The Audit Committee receives periodic reports from our CIO and is notified any time our incident security program has determined that a cybersecurity incident is material or requires reporting to a regulatory body. Further, the Chair of the Audit Committee is regularly informed of both material and non-material cybersecurity risks and incidents.

Our cybersecurity program is led by an experienced CIO and an experienced Chief Information Security Officer (“CISO”). Our CIO has extensive experience in our industry with over 30 years of information technology experience, including extensive experience leading large global teams at several companies in his tenure. Our CISO has over 35 years of information technology experience, including 24 years of experience as a CISO leading large cybersecurity teams at four different insurance companies. Our CISO also has several industry recognized designations.
As part of our cybersecurity risk management program, our information security department identifies, assesses, and manages cybersecurity risks, whether material or non-material. Through our Information Security department, the CIO and CISO work to ensure that key stakeholders are informed about the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents.

We have established and maintain incident response and recovery plans that address the detection, reporting, analysis, response, recovery, communication, documentation, and post-incident review of cybersecurity incidents. We periodically test and evaluate such plans on a routine basis.

As of the date of this Annual Report, we do not believe that any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, are reasonably likely to have a material adverse effect on us, our business strategy, results of operations, or financial condition.

Company Information

Name: Hagerty, Inc.
SIC Description: Insurance Agents, Brokers & Service
Category: Accelerated filer
Emerging growth company
Fiscal Year End: December 30