TRUPANION, INC. 10-K Cybersecurity GRC - 2026-02-13

Page last updated on February 13, 2026

TRUPANION, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-13 16:07:14 EST.

Filings

10-K filed on 2026-02-13

TRUPANION, INC. filed a 10-K at 2026-02-13 16:07:14 EST
Accession Number: 0001371285-26-000018

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Our Board of Directors oversees our enterprise risk management ("ERM") program, and cybersecurity is a core component of that oversight. Our cybersecurity practices are fully integrated into our ERM framework and follow recognized standards, including those developed by NIST, ISO, and applicable industry regulations such as the NYDFS Cybersecurity Regulation and PCI DSS. Our approach focuses on protecting the confidentiality, integrity, and availability of our systems and data by identifying, preventing, mitigating, and responding to cybersecurity threats and incidents. Risk Management and Strategy Our cybersecurity risk management program focuses on the following areas: - Technical Safeguards. We implement multiple layers of technical controls-including firewalls, intrusion detection and prevention systems, Managed Detection and Response (MDR), anti-malware tools, and access-control systems. We continuously evaluate and improve these safeguards through security assessments and threat intelligence. - Incident Response and Recovery. We maintain formal incident response and recovery plans that outline our approach to cybersecurity events. These plans are regularly tested and refined to ensure their effectiveness. - Third-Party Risk Management. We apply a risk-based approach to evaluating and managing cybersecurity risks arising from third parties, including vendors, service providers, Territory Partners, and other external users whose systems or actions could affect our operations. - Education. All team members complete regular, mandatory training on security fundamentals, cybersecurity threats, physical security risks, and appropriate response practices. - Governance. Our management Risk Committee supports the ERM program and provides regular updates to the Board of Directors. The Chief Information Security Officer ("CISO"), who reports to the Chief Information Officer ("CIO"), leads our cybersecurity program and provides frequent briefings to the CEO, executive leadership, and the Board's Audit Committee. - Collaboration. Our cybersecurity processes are designed to identify, prevent, escalate, and mitigate threats through cross-functional coordination. This structure allows management to make timely decisions about business impacts and disclosures when necessary. We routinely evaluate the effectiveness of our cybersecurity measures through audits, assessments, tabletop exercises, threat modeling, and vulnerability testing. Independent third parties also conduct audits and reviews of our control environment and operating effectiveness. Results are shared with the management Risk Committee and the Board, and we update our documentation, processes, and controls based on these findings. Governance The Board of Directors, in collaboration with the management Risk Committee, oversees cybersecurity risk within the broader ERM program. The Board receives regular updates from the Risk Committee and the CISO on topics such as emerging threats, standards, vulnerability assessments, third-party evaluations, and overall program status. Any cybersecurity incident meeting established reporting thresholds is promptly escalated to the Board and monitored until resolved. The Audit Committee of the Board of Directors, in collaboration with management, reviews our major financial and cyber risk exposures and the steps management has taken to monitor such exposures, including our procedures and any related policies, with respect to risk assessment and risk management. Our Information Security team, led by the CISO and supported by the management Risk Committee, executes our cybersecurity program and coordinates incident response and recovery activities. Multidisciplinary teams monitor prevention, detection, mitigation, and remediation efforts in real time and escalate issues to the Risk Committee as needed. During the period covered by this report, cybersecurity threats, including those related to past incidents, have not materially affected our business strategy, operations, or financial condition, and as of the date of this report we do not believe such threats are reasonably likely to have a material impact in the future. For a discussion of the risks we face relating to cybersecurity threats, please see "Risk Factors."

Company Information