Doma Holdings, Inc. 10-K Cybersecurity GRC - 2024-04-01

Page last updated on April 11, 2024

Doma Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-01 16:41:24 EDT.

Filings

10-K filed on 2024-04-01

Doma Holdings, Inc. filed a 10-K at 2024-04-01 16:41:24 EDT
Accession Number: 0001437749-24-010388


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to employees or customers and violation of data privacy or security laws.

Identifying and assessing cybersecurity risk is integrated into our overall risk management systems and processes. Cybersecurity risks related to our business, technical operations, privacy and compliance issues are identified and addressed through a multi-faceted approach including various security tools that help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner.

To defend, detect and respond to cybersecurity incidents, we, among other things: conduct proactive privacy and cybersecurity reviews of systems and applications, third party assessments, IT security, governance, risk and compliance reviews, audit applicable data policies, perform testing using external third-party tools and techniques to test security controls, conduct comprehensive annual and monthly employee training, monitor emerging laws and regulations related to data protection and information security and implement appropriate changes.

We regularly assess risks from cybersecurity and technology threats and monitor our information systems for potential vulnerabilities. We use a widely-adopted risk quantification model to identify, measure and prioritize cybersecurity and technology risks and develop related security controls and safeguards.

We conduct regular reviews and tests of our information security program, penetration and vulnerability testing, simulations, and other exercises to evaluate the effectiveness of our information security program and improve our security measures and planning. We also conduct tabletop exercises to simulate responses to cybersecurity incidents. Our team of cybersecurity professionals then collaborate with technical and business stakeholders across our business units to further analyze the risk to the company, and form detection, mitigation and remediation strategies. The results of these assessments are reported to the Audit and Risk Committee.

Our risk management program also assesses third party risks, and we perform third-party risk management to identify and mitigate risks from third parties such as vendors, suppliers, and other business partners associated with our use of third-party service providers. Cybersecurity risks are evaluated when determining the selection and oversight of applicable third-party service providers and potential fourth-party risks when handling and/or processing our employee, business or customer data. In addition to new vendor onboarding, we perform risk management evaluations during third-party cybersecurity compromise incidents to identify and mitigate risks to us from third-party incidents.

Security events and data incidents are evaluated, ranked by severity and prioritized for response and remediation. Incidents are evaluated to determine materiality as well as operational and business impact, and reviewed for privacy impact.

We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading: "If the security of the personal information that we (or our vendors) collect, store or process is compromised or is otherwise accessed without authorization, or if we fail to comply with our commitments and assurances regarding the privacy and security of such information, our reputation may be harmed and we may be exposed to significant liability and loss of business." included as part of our risk factor disclosures at Item 1A of this Annual Report on Form 10-K.

Cybersecurity Governance

Cybersecurity is an important part of our risk management processes and an area of focus for our Board and management. Our Audit and Risk Committee is responsible for the oversight of risks from cybersecurity threats. Members of the Audit and Risk Committee receive biannual updates from senior management, including leaders from our Information Security, Risk and Legal teams, regarding cybersecurity. This includes existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any) and status on key information security initiatives.

Our cybersecurity risk management and strategy processes are overseen by leaders from our Information Security, Risk and Legal teams. Such individuals have decades of work experience in various roles involving information technology, including security, compliance, systems and programming, and/or hold industry recognized information security certifications.

These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report to the Audit and Risk Committee on any appropriate items.


Company Information

Name: Doma Holdings, Inc.
CIK: 0001722438
SIC Description: Title Insurance
Ticker: DOMA - NYSE; DOMAW - OTC
Website:
Category: Non-accelerated filer; Smaller reporting company; Emerging growth company
Fiscal Year End: December 30