ASSURANT, INC. 10-K Cybersecurity GRC - 2026-02-19

Page last updated on February 19, 2026

ASSURANT, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-19 16:19:52 EST.

Filings

10-K filed on 2026-02-19

ASSURANT, INC. filed a 10-K at 2026-02-19 16:19:52 EST
Accession Number: 0001267238-26-000010


Item 1C. Cybersecurity.

We face a multitude of cybersecurity threats from a range of adversaries. Our vendors, clients, distributors and other third parties with whom we work face similar cybersecurity threats, and a cybersecurity incident impacting us or any of these entities could materially adversely affect our business, operations, financial condition and results of operations.

Board Oversight

The Board has ultimate oversight of cybersecurity risk. The Board reviews and approves our ERM Framework and risk appetite annually, including the appropriate risk appetite with respect to cybersecurity. The Information Technology Committee of the Board reviews the effectiveness of our cybersecurity policies, controls, training, technology and procedures, including procedures to identify and assess internal and external risks from cybersecurity threats; controls to prevent and protect from cyberattacks, unauthorized access or other malicious acts and risks; procedures to detect, respond to, mitigate negative effects from and remediate cybersecurity attacks; and controls and procedures for fulfilling applicable regulatory reporting and disclosure obligations related to cybersecurity incidents, risks and costs. Our Chief Information Security Officer ("CISO") briefs or provides a report to the Information Technology Committee on our cybersecurity and information security posture and program at least quarterly, including penetration test results and related remediation and significant cybersecurity incidents. Our CISO also provides an annual cybersecurity update to the full Board.

Role of Management

Cybersecurity risk is integrated into our Global Risk Management process. Cybersecurity risk continues to be identified as one of our key enterprise risks.
Risk owners from the Management Committee, senior leadership and the Global Risk Management function have been assigned to develop risk mitigation plans, which are tracked and reported at least quarterly to the Finance and Risk Committee of the Board and annually to the full Board. See "Item 1 - Business - Global Risk Management" for more information on the Global Risk Management function. Our CISO, who reports to our Chief Technology Officer on the Management Committee, has over 20 years of information technology and security program management experience, holds a Certified Information Security Manager certification and has led our information security team, including information technology compliance and risk management, since 2009. Our Chief Technology Officer has over 30 years of information technology experience, including leading global digital, security, infrastructure, cloud services and application teams. Prior to joining the Company in 2016, our Chief Technology Officer was chief information officer at a large, publicly-traded energy company. Our CISO has implemented a management-level governance structure and process to assess, identify, manage and report cybersecurity risks, and to manage our overall information security program. The Information Security Board, led by our CISO and comprised of leaders from all of our lines of business and key functional areas such as Global Risk Management, Privacy and Compliance, as well as members of our information security team, meets quarterly, and is responsible for overseeing our information security program, including our information security strategy and related policies and standards. The information security team manages cybersecurity risks and controls, and continually enhances a global security control framework with the ultimate goal of preventing cybersecurity incidents to the extent feasible, while simultaneously minimizing the business impact should an incident occur. 

Risk Management Policies and Procedures

We have implemented cybersecurity policies and standards based on leading industry frameworks, including the ISO 27001 standard and the National Institute of Standards and Technology Cybersecurity Framework, and we regularly assess our policies and practices, including through tabletop exercises with senior management (and periodically with members of the Board), aimed at mitigating cybersecurity risks. In the event of a cybersecurity incident, we follow our Enterprise Information Security Incident Response Plan (the "IRP"), which outlines steps from incident detection to assessment, response, mitigation, recovery and notification, including to key functional areas such as Global Risk Management, Corporate Law, Privacy and Compliance, senior leadership, and the Information Technology Committee of the Board and the full Board, as appropriate. The IRP includes quantitative and qualitative incident assessment guidance and promotes engagement with multidisciplinary teams across the enterprise to facilitate real-time information-sharing during a cybersecurity incident. Employees outside of our information security team as well as third-party cybersecurity experts have an important role in our cybersecurity defenses. We require employees to participate in annual cybersecurity training and provide them with additional optional training and awareness materials, and we regularly engage our employees in phishing exercises, reporting results to the Information Technology Committee. In addition, we regularly engage assessors, consultants, auditors and other third parties in our management of cybersecurity risk.
For example, third parties are engaged to conduct evaluations of the maturity and effectiveness of our security program, including testing the design and operational effectiveness of security controls, penetration testing, engaging in independent audits, reviewing our policies and standards, and consulting on best practices to address new challenges. We also receive threat intelligence from government agencies, information sharing and analysis centers, and cybersecurity associations. We assess third-party cybersecurity controls through a cybersecurity questionnaire and a review of independent cybersecurity rating assessments. Our vendor risk management process includes a review of the information security policies of our key vendors against our standards, and ongoing monitoring for compliance. Our contracts with third parties generally include security and privacy addendums where applicable and require counterparties to meet a specific standard of data security and to report cybersecurity incidents to us.

Risks from Cybersecurity Threats

While we have not experienced a cybersecurity incident that resulted in a material adverse effect on our business, operations, financial condition or results of operations, there can be no guarantee that we will not experience such an incident in the future. See "Item 1A - Risk Factors - Technology, Cybersecurity and Privacy Risks - The failure to effectively maintain and modernize our technology systems and infrastructure and integrate those of acquired businesses could adversely affect our business," "- Technology, Cybersecurity and Privacy Risks - We could incur significant liability if our technology systems or those of third parties are breached or we or third parties otherwise fail to protect the security of data residing on our respective systems, which could adversely affect our business and results of operations," "- Business Strategic and Operational Risks - Our inability to successfully recover should we experience a business continuity event could have a material adverse effect on our business, financial condition and results of operations" and "- Failure to successfully manage vendors and other third parties could adversely affect our business" for more information.


Company Information

Name: ASSURANT, INC.
CIK: 0001267238
SIC Description: Insurance Carriers, NEC
Ticker: AIZ - NYSE, AIZN - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 31