MGIC INVESTMENT CORP 10-K Cybersecurity GRC - 2026-02-25

Page last updated on February 25, 2026

MGIC INVESTMENT CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 17:05:49 EST.

Filings

10-K filed on 2026-02-25

MGIC INVESTMENT CORP filed a 10-K at 2026-02-25 17:05:49 EST
Accession Number: 0000876437-26-000010

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy MGIC's Information Security Program ("ISP") includes information security policies, annual risk assessments and analyses, threat monitoring and alerting, vulnerability management, incident response, and data loss prevention controls. With the ISP, MGIC seeks to prevent, detect, and respond to unauthorized access, use, or disclosure of confidential information. MGIC's Information Risk Management ("IRM") team is responsible for safeguarding the organization's information assets, data, and technology infrastructure from security threats and vulnerabilities. The IRM team's primary focus is the protection of the confidentiality, integrity, and availability of sensitive information and compliance with relevant laws, regulations, and industry standards. The IRM team is currently overseen by the Company's Senior Director, Information Systems - Security Technology ("Senior Director"). Our ISP is benchmarked against the National Institute of Standards and Technology ("NIST") Cybersecurity Framework. Additionally, various aspects of the ISP are subject to periodic audit by the Company's Internal Audit department or third-party professionals engaged by the Internal Audit department. Such audits vary from year-to-year but are generally focused on compliance with stated control activities, standards, and internal policies, as well as maintaining the integrity and independence of the audit process. Cybersecurity risk reviews such as SOC2, SOX controls, penetration tests, and regulatory controls are conducted by independent third parties. The ISP also incorporates a vendor due diligence process that is designed to assess vendor control environments and evaluate risks associated with vendor access to the Company's confidential data and systems. The process includes assessing and managing the cyber risks associated with engaging third-party vendors and reviewing their information security practices. The ISP includes a Cyber Incident Response Team (CIRT) which is comprised of lead security engineers along with subject matter experts from applicable domains such as network, infrastructure, and application areas in order to evaluate the technical issues relative to the incident. The CIRT may engage third-party cybersecurity experts to evaluate and/or remediate an incident. In the event that the CIRT determines that there has been a cybersecurity incident or compromise of MGIC's computer systems, the General Counsel will be notified, and, will advise the Chief Executive Officer ("CEO"), who is a member of the Board of Directors . In addition to advising the CEO, the General Counsel will also convene an established committee whose members include the General Counsel, Chief Financial and Risk Officer, Senior Vice President of Investor Relations, and Chief Accounting Officer in order to determine if the event is a material cybersecurity incident such that the Chairman of the Board, Lead Independent Director, and Chairpersons of the Board's Business Technology and Transformation Committee (the "BTTC") and Audit Committee should be notified. To our knowledge, during the reporting period there were no cybersecurity incidents that materially affected or are reasonably likely to materially affect our business strategies, results of operations, or financial condition. Notwithstanding having implemented what we believe to be an appropriate ISP, no company is immune to cybersecurity threats, and we may not be successful in preventing or mitigating a future cybersecurity incident that could have a material adverse effect on our business. For additional information about risks related to cybersecurity, see our risk factors titled " Failed, disrupted, or inadequate information technology systems may materially impact our operations and/or adversely affect our financial results " and " We could be materially adversely affected by a cybersecurity breach or failure of information security controls ." Governance The Senior Director currently reports to the President and Chief Operating Officer. The President and Chief Operating Officer, as well as senior members of the IRM team partner with the Company's Risk, Audit, Legal and Compliance Departments to promote alignment of cybersecurity risk management strategy with the broader risk management strategy for the organization. The integration of information security into the overall enterprise risk management framework enables collaboration on the identification, assessment, mitigation and monitoring of cybersecurity risks that have the potential to materially impact the operation of the Company. The Risk Management Committee of the Board coordinates with the Board and other Board committees regarding the assignment to the Board and Committees of oversight responsibilities for all identified key risks to the Company. Risks related to cybersecurity are overseen by the BTTC. The BTTC monitors cybersecurity risks associated with both internal and external actors. Additional information about the BTTC's role in overseeing risks related to cybersecurity and information technology generally can be found in the Committee's Charter at mtg.mgic.com/corporate-governance/highlights. Risks related to AI are overseen by the Risk Management Committee of the Board. The IRM team provides quarterly updates about the Company's cybersecurity program to the BTTC. Updates may include topics such as management's efforts to identify and monitor risks, investments to improve the Company's detection and response systems, the results of risk assessments, compliance with controls, vendor oversight, strategic technology planning, and if necessary, the status of any new, ongoing, or prior cybersecurity incident. Senior members of the IRM team also periodically attend the BTTC meetings. MGIC Investment Corporation 2025 Form 10-K | 40 The Company's current Senior Director is responsible for assessing and managing the material risks posed by cybersecurity threats. He has over 20 years of experience in information technology and cybersecurity, with experience developing and implementing comprehensive security programs, risk management frameworks, and incident response strategies. He also holds several security-related certifications.

Company Information