Porch Group, Inc. 10-K Cybersecurity GRC - 2024-03-15

Page last updated on April 11, 2024

Porch Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-15 14:47:15 EDT.

Filings

10-K filed on 2024-03-15

Porch Group, Inc. filed a 10-K at 2024-03-15 14:47:15 EDT
Accession Number: 0001784535-24-000019


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We regularly assess risks from cybersecurity threats, monitor our information systems for potential vulnerabilities, and test those systems pursuant to our cybersecurity policies, processes, and practices, which are integrated into our overall risk management program. To protect our information systems from cybersecurity threats, we use various security tools that are designed to help identify, escalate, investigate, resolve, and recover from security incidents in a timely manner. We have a team comprised of representatives from cross-functional business teams (e.g., legal, engineering, finance, technology, security, internal audit, and commercial) that assesses risks based on probability and potential impact to key business systems and processes. Risks that are considered high are incorporated into our overall risk management program. A mitigation plan is developed for each identified high risk, with progress reported to the security management team and tracked as part of our overall risk management program overseen by the Audit Committee of our board of directors. We maintain a Cybersecurity Incident Response Plan ("CIRP"), which establishes an organizational framework and guidelines intended to facilitate an effective response and handling of cybersecurity incidents that could jeopardize the availability, integrity, or confidentiality of our assets. The CIRP outlines the roles and responsibilities of a cybersecurity incident response team comprised of cross-functional members of management from information technology, information security, legal, finance, and human resources; the specific criteria for measuring the severity of a cybersecurity incident; and an escalation framework. The CIRP also addresses senior management responsibility with respect to public disclosure determinations related to a cybersecurity incident and provides for Audit Committee and Board briefings.
Along with the CIRP, management sustains numerous programs and processes to stay informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents. The list of cybersecurity programs and processes described below is not meant to be exhaustive, but to provide examples of such programs and processes. When needed, we collaborate with third parties to assess the effectiveness of our cybersecurity prevention and response systems and processes. These include cybersecurity assessors, consultants, and other external cybersecurity experts to assist in the identification, verification, and validation of cybersecurity risks, as well as to support associated mitigation plans when necessary. We have also developed a third-party cybersecurity risk management process to conduct due diligence on external entities. A cybersecurity incident may be detected in a number of ways, including, but not limited to, through automated reporting mechanisms, network and system indicators, intrusion detection systems, proactive threat hunt, internal investigations, employee reports, law enforcement reports, threat intelligence feeds, or other third-party notifications. To oversee and identify cybersecurity threat risks on a day-to-day basis, including from third party service providers, we maintain a security operations center with full time monitoring. Upon detection of a cybersecurity incident, the cybersecurity incident response team acts to isolate and contain the threat. The cybersecurity incident response team analyzes the incident and determines, based on the CIRP framework, whether the incident should be escalated. Escalation includes notification to the board of directors, senior executives, and to the cyber response reporting committee. The cyber response reporting committee is an internal cross-functional team comprised of members of management or other key employees that analyzes each incident for disclosure under the U.S. securities laws. 
Throughout the process, steps are taken to stop or lower the impact, prevent spread of the incident, evaluate the scope of the incident, plan to contain the impacted data and systems, and to fully remove and stop the incident. We may engage third party experts for assistance with crisis management, including forensic investigations, ransom negotiation, or crisis communication. We also consult with outside counsel as appropriate, including with respect to the materiality analysis for disclosure matters. Our management also apprises our independent registered public accounting firm of cybersecurity incidents and developments. During this process, the cybersecurity operations team will take steps to preserve evidence as soon as possible, including, but not limited to, memory dumps, log preservation and forensic hard drive collection. We have not identified any risks from known cybersecurity threats, including those resulting from any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. Refer to the risk factor captioned "We may not be able to protect our systems, technology and infrastructure from cyberattacks and cyberattacks experienced by third parties may adversely affect us" in Item 1A. Risk Factors, in this Annual Report for additional description of cybersecurity risks and potential related impacts on us.

Governance

Our board of directors oversees our risk management process, including as it pertains to cybersecurity risks, directly and through its committees. The Audit Committee of the board is primarily responsible for overseeing our risk management program, which focuses on the most significant risks we face in the short-, intermediate-, and long-term timeframe.
Audit Committee meetings include discussions of specific risk areas throughout the year, including, among others, those relating to cybersecurity threats. The Audit Committee reviews our cybersecurity risk profile with management on a periodic basis using key performance and/or risk indicators. These key performance indicators are metrics and measurements designed to assess the effectiveness of our cybersecurity program in the prevention, detection, mitigation, and remediation of cybersecurity incidents. Management is responsible for the day-to-day assessment and management of cybersecurity risks. Teams of IT, engineering, and information security professionals oversee cybersecurity risk management and mitigation, incident prevention, detection, and remediation. The leaders of these teams are professionals with cybersecurity expertise across multiple industries. Specifically, our Senior Information Security Manager leads our cybersecurity risk management function and is primarily responsible for assessing and managing our cybersecurity risk, with support from our Director of Information Technology and the Senior Director of Engineering. Our Senior Information Security Manager has over twenty years' experience leading and managing cybersecurity programs and teams at various companies, and holds a CISSP (Certified Information Systems Security Professional) certification.


Company Information

Name: Porch Group, Inc.
CIK: 0001784535
SIC Description: Services-Prepackaged Software
Ticker: PRCH - Nasdaq
Website:
Category: Accelerated filer; Smaller reporting company
Fiscal Year End: December 30