Heritage Insurance Holdings, Inc. 10-K Cybersecurity GRC - 2024-03-13

Page last updated on April 11, 2024

Heritage Insurance Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-13 16:10:51 EDT.

Filings

10-K filed on 2024-03-13

Heritage Insurance Holdings, Inc. filed a 10-K at 2024-03-13 16:10:51 EDT
Accession Number: 0000950170-24-030766


Item 1C. Cybersecurity.

The Audit Committee ("Audit Committee") of the Company's Board of Directors (the "Board") is actively involved in oversight of the Company's risk management program, which includes the identification, assessment and management of material cybersecurity risks. A cybersecurity threat is any potential unauthorized occurrence, on or conducted through, the Company's information systems that may result in adverse effects on the confidentiality, integrity or availability of the Company's information systems or any information residing therein. In general, the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that the Company collects and stores by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.

Cybersecurity risk management and strategy

As one of the elements of the Company's overall risk management program, the Company's cybersecurity program is focused on the following key areas:

Technical Safeguards: The Company deploys technical safeguards that are designed to protect the Company's information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence.

Incident Response and Recovery Planning: The Company has established and maintains incident response and recovery plans to timely, consistently, and compliantly address cybersecurity threats that may occur despite the Company's safeguards, and such plans are tested and evaluated on a regular basis.

Third-Party Risk Management: The Company maintains a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of the Company's systems, as well as the systems of third parties that could adversely impact the Company's business in the event of a cybersecurity incident affecting those third-party systems.

Outside Consultants: The Company engages various outside consultants, including contractors, assessors, auditors, outside attorneys and other third parties, to, among other things: assist in the design, implementation, and testing of our cybersecurity program, policies and procedures; monitor Company networks, servers and endpoints to identify vulnerabilities; perform assessments on the Company's cybersecurity measures, including audits and independent reviews of the Company's information security control environment and operating effectiveness; obtain information of a cybersecurity incident and isolate compromised systems and electronic data from further exposure; determine and execute mitigation and remediation options and plans; and ensure ongoing compliance with applicable legal and regulatory requirements, including notification to required individuals and regulatory bodies in the event of the discovery of an information security breach as defined under applicable laws, and timely and adequate disclosure under applicable SEC rules.

Education and Awareness: The Company provides annual training for personnel regarding cybersecurity threats as a means to equip the Company's personnel with effective tools to address cybersecurity threats, and to communicate the Company's evolving information security policies, standards, processes and practices.

Governance

The Company maintains an Information Security Committee (the "ISC") which is a cross-functional governance committee comprised of the AVP- Enterprise Information Technology ("IT AVP"), Chief Financial Officer ("CFO") and Chief Executive Officer ("CEO"). The ISC is the focal point for all information security activities throughout the Company and acts as a liaison on security matters throughout our group of affiliates. The ISC, led by the IT AVP, works collaboratively across the Company to implement a program designed to protect the Company's information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company's incident response and recovery plans. The ISC is charged with developing and implementing policies and procedures for incident response handling, monitoring, and addressing security risks on an ongoing basis. The ISC is responsible for deploying technology and information security experts to monitor security risks and advise, contain, analyze, and report on security incidents, as necessary. As described above, the Company also retains a third-party cyber security firm to work hand-in-hand with the ISC to develop and oversee a program to prevent, detect, mitigate and remediate cybersecurity incidents.

The Board has delegated to the Audit Committee the responsibility for monitoring and overseeing the Company's cybersecurity and other information technology risks, controls, strategies and procedures. The Company's IT AVP, on behalf of the ISC, reports to the Audit Committee at least annually regarding technological risk exposure and the Company's cybersecurity risk management strategy and reports any incidents to the Audit Committee in real time. Based on these reports, the Audit Committee periodically evaluates the Company's information security strategies to ensure its effectiveness and, if appropriate, may also include a review from third-party experts.

The Company's Internal Audit function also provides quarterly updates to the Audit Committee which include an update on cybersecurity risks and related internal controls.

Management's Expertise

Our IT AVP also ensures he is continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. Staying informed on developments in the cyber industry is crucial to the Company's effective prevention, detection, mitigation and remediation of any cybersecurity incidents. In addition, the Company's CEO and IT AVP each hold undergraduate degrees and graduate degrees in their respective fields, and each have over 20 years of experience managing risks at the Company or at similar companies, including risks arising from cybersecurity threats.

Risks from Cybersecurity Threats

Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected or are reasonably likely to affect the Company, including its business strategy, results of operations or financial condition.


Company Information

Name: Heritage Insurance Holdings, Inc.
CIK: 0001598665
SIC Description: Fire, Marine & Casualty Insurance
Ticker: HRTG - NYSE
Website
Category: Accelerated filer; Smaller reporting company
Fiscal Year End