Page last updated on February 25, 2026
Hamilton Insurance Group, Ltd. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 16:19:54 EST.
Filings
10-K filed on 2026-02-25
Hamilton Insurance Group, Ltd. filed a 10-K at 2026-02-25 16:19:54 EST
Accession Number: 0001593275-26-000021
Item 1C. Cybersecurity.
Managing risks related to cybersecurity is a priority for Hamilton, and we focus on assessing, identifying, and managing material risks associated with "cybersecurity threats," as such term is defined in Item 106(a) of Regulation S-K. Both our management and Board of Directors recognize the importance of developing, implementing, and maintaining appropriate cybersecurity measures and, as described below, are actively involved in cybersecurity and overall enterprise risk management.

Cybersecurity Risk Management and Strategy

We maintain a cybersecurity risk management program that is integrated into our enterprise risk management function. The program is designed to assess, identify, manage, and protect our information systems and data from unauthorized access, use, disclosure, disruption, modification, or destruction. Identifying, assessing, and managing cybersecurity risk within Hamilton utilizes the same or similar methodologies, reporting channels, and governance processes as those in our broader risk management program, including legal, compliance, strategic, operational, and financial risk areas.

We have implemented and maintain several safeguards and processes designed to identify cybersecurity risks and protect our information systems from cybersecurity threats. We also conduct internal IT audits of our cybersecurity posture and perform scenario-based cybersecurity risk assessments to ensure that appropriate controls are in place. We require employees to undergo annual cybersecurity awareness training, monitor emerging laws and regulations relating to data protection and information security, and use multilayered technical tools to perform proactive privacy and cybersecurity vulnerability assessments of our systems and applications, including scanning for and addressing identified risks.

To stay current on cybersecurity matters affecting the insurance industry and marketplace generally, our Chief Information Security Officer ("CISO") is an active member of the International Information System Security Certification Consortium and regularly participates in cybersecurity-focused conferences and forums, including serving on the Chief Information Security Officers Committee of the Lloyd's Market Association.

In 2025, following the retirement of our Chief Technology Officer, responsibility for technology leadership transitioned to our Chief Information Officer ("CIO"). The CIO, together with the CISO and in coordination with our legal and compliance teams, is responsible for implementing our cybersecurity risk management program and is involved in all aspects of incident response and breach-management processes. These processes include six stages: (1) detection, (2) analysis, (3) containment, (4) eradication, (5) recovery, and (6) notification. Security events and data incidents are evaluated for severity and potential impact on our operations, business, and data, and responses are prioritized accordingly.

As part of our business continuity and disaster recovery strategies, we regularly test our ability to restore systems impacted by a cybersecurity event or incident. We also engage third-party advisors annually to perform penetration tests of our infrastructure.

As part of our risk management program, we assess third-party risks, including risks posed by vendors, suppliers, and other business partners. Cybersecurity practices and risks are evaluated when selecting third-party service providers and when negotiating contractual provisions relating to security and privacy, including information-security audit rights. Before engaging new critical IT vendors, we require them to complete questionnaires concerning their IT and security processes, controls, and certifications. The CISO or designated members of the cybersecurity team review responses against a checklist of minimum requirements that must be met for Hamilton to consider the service provider a trusted vendor. We then follow up with approved vendors annually for updated certifications.

We maintain an incident response plan to address cybersecurity incidents, which identifies key stakeholders, defines escalation processes, and sets the thresholds above which our cybersecurity, legal, and crisis-management teams will inform senior management and our Board of Directors of a cybersecurity incident. For incidents below those thresholds, subordinate incident response plans and standard operating procedures are used by our security incident response team.

Although we routinely identify and respond to lower-level security events as part of normal cybersecurity risk-management processes, to date we have not identified any direct or third-party cybersecurity incidents, or otherwise identified cybersecurity threats, that have materially affected or are reasonably likely to materially affect Hamilton, including our business strategy, results of operations, or financial condition.

While there have been no material cybersecurity incidents affecting Hamilton during the period covered by this annual report, no assurance can be given that our policies and procedures will be properly followed in every instance or will be fully effective, or that future incidents will not materially affect us.

For further discussion of risks associated with cybersecurity threats, see "Risk Factors - Risks Related to Our Business and Industry - Interruptions to or failures of the information technology systems upon which we rely, including those resulting from cybersecurity attacks and security breaches, could materially adversely affect our business, financial condition and results of operations" and "Risk Factors - Risks Related to Regulation - Our business is subject to cybersecurity, privacy and data protection laws, rules and regulations in the jurisdictions in which we operate, which can increase the cost of doing business, compliance risks and potential liability."

Cybersecurity Board Oversight and Governance

Cybersecurity is a component of our Board's oversight responsibilities. In 2025, the Board established a Technology Committee to assist the Board in its oversight of the Company's technology strategy, technology service delivery, technology governance and cybersecurity risk management program. The Technology Committee receives regular reports from our CIO, CISO, and other senior management regarding cybersecurity risks and incidents, business continuity exercises, completed and ongoing cyber audits, security metrics, penetration-testing results and remediation progress, data-governance initiatives, and cyber-insurance coverage.

The Audit Committee retains primary responsibility for oversight of enterprise-level cybersecurity risk. Significant matters identified by the Technology Committee, CIO, CISO, or senior management are escalated to the Audit Committee. Both the Technology Committee and the Audit Committee report to the full Board, which maintains ultimate responsibility for oversight of the Company's risk-management framework.

At the management level, cybersecurity oversight is supported by our cross-functional Risk Management Working Group, which is part of our enterprise risk-management program. On at least a quarterly basis, and more frequently as needed, the CIO, CISO, and other senior personnel provide updates to the Risk Management Working Group, Technology Committee, and Audit Committee regarding cybersecurity risk assessments, emerging threats, incident readiness, audit findings, remediation progress, business continuity and disaster recovery testing, regulatory developments, and the status of key information-security initiatives. Material issues are escalated to the Technology and Audit Committees to ensure alignment and timely action.

Senior management responsible for managing material cybersecurity risks have extensive cybersecurity and IT experience. Our CIO previously served in multiple senior technology leadership roles in the insurance and financial sectors and was inducted into the CIO Hall of Fame in 2018, reflecting recognized expertise in enterprise technology and information security. Our CISO has approximately two decades of experience in senior engineering, infrastructure, and information-security roles within the financial services industry, providing deep technical knowledge to support cybersecurity risk management.
Company Information
| Name | Hamilton Insurance Group, Ltd. |
| CIK | 0001593275 |
| SIC Description | Fire, Marine & Casualty Insurance |
| Ticker | HG - NYSE |
| Category | Accelerated filer |
| Fiscal Year End | December 31 |