Page last updated on February 26, 2026
Baldwin Insurance Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 17:25:27 EST.
Filings
10-K filed on 2026-02-26
Baldwin Insurance Group, Inc. filed a 10-K at 2026-02-26 17:25:27 EST
Accession Number: 0001781755-26-000018
Item 1C. Cybersecurity.
We face significant and persistent cybersecurity risks due to: the scope of geographies, networks and systems we must defend against cybersecurity attacks; the complexity, technical sophistication, value, and widespread use of our systems, products and processes; the attractiveness of our systems, products and processes to threat actors (including state-sponsored organizations) seeking to inflict harm on us or our clients; and our use of third-party products, services and components. While we have not, as of the date of this Form 10-K, experienced a cybersecurity threat or incident that resulted in a material adverse impact to our business or operations, there can be no guarantee that we will not experience such an incident in the future. Such incidents, whether or not successful, could result in our incurring significant costs related to, for example, rebuilding our internal systems, implementing additional threat protection measures, providing modifications or replacements to our products and services, defending against litigation, responding to regulatory inquiries or actions, paying damages, providing clients with incentives to maintain a business relationship with us, or taking other remedial steps with respect to third parties, as well as incurring significant reputational harm. In addition, these threats are constantly evolving, thereby increasing the difficulty of successfully defending against them or implementing adequate preventative measures. We seek to detect and investigate unauthorized attempts and attacks against our network, products and services, and to prevent their occurrence and recurrence where practicable through changes or updates to our internal processes and tools and changes or updates to our products and services; however, we remain potentially vulnerable to known or unknown threats. In some instances, we, our trading partners, our clients, and our service providers and contractors can be unaware of a threat or incident or its magnitude and effects. Further, there is increasing regulation regarding responses to cybersecurity incidents, including reporting to regulators, which could subject us to additional liability and reputational harm. Refer to Item 1A. Risk Factors of this Annual Report on Form 10-K for more information on our cybersecurity risks.
Our business involves the storage and transmission of a significant amount of confidential and sensitive information. As a result, we take the confidentiality, integrity and availability of this highly sensitive information seriously and invest significant time, effort and resources into protecting such information. Our cybersecurity strategy was designed with the foregoing principles in mind and prioritizes detecting and responding to threats and effective management of security risks.
To implement our cybersecurity strategy, we maintain various safeguards to secure the data we hold, including encrypting sensitive data, utilizing a robust 24/7/365 security monitoring system, regularly assessing product features for security vulnerabilities, conducting continuous internal penetration tests, and leveraging multi-factor authentication to help effectively protect sensitive information and appropriate access rights. We also have data and cybersecurity protection and control policies to facilitate a secure environment for sensitive information and to preserve the availability of critical data and systems.
We have processes in place to assess and manage vendor cybersecurity risks, which include initial and periodic security program reviews through the use of third-party vendors who specialize in this subject matter.
We have engaged our independent, internal audit team that reports directly to the Chair of the Audit Committee of our board of directors to audit our adherence to our cybersecurity policies. These audits help us assess our internal preparedness, guidance based on best practices and industry standards, and compliance with applicable laws and regulations as well as help us to identify areas for continued focus and improvement.
We conduct annual information security awareness training for employees involved in the systems or processes connected to confidential and sensitive information.
We also carry insurance that provides certain, limited protection against potential losses arising from a cybersecurity incident.
The Technology & Cyber Risk Committee of our board of directors (the "TCRC") is responsible for overseeing and reviewing our cybersecurity program and cybersecurity risk exposure and the steps taken to monitor and mitigate such exposure. The TCRC also monitors and reviews our strategic artificial intelligence initiatives, the risk exposure related to such initiatives, and the steps being taken to mitigate such exposure. The Retail CTO (as defined below), the Chief Information Security Officer ("CISO") for IAS, MIS and Corporate, who also serves as our General Counsel, and the UCTS CTO/CISO (as defined below) report to the TCRC periodically, and the TCRC updates the full board of directors on cybersecurity matters periodically.
Our information security team for IAS, MIS and Corporate is led by our Retail Brokerage Chief Technology Officer ("Retail CTO"). Our Retail CTO reports to our President, The Baldwin Group & CEO, Retail Brokerage Operations. Our Retail CTO has served in the role since 2025 and has experience in application security, intrusion detection, penetration testing, Continuous Threat Exposure Management ("CTEM"), and unconventional cyber-attack vectors, having previously led technology teams at Players Health, Everest Reinsurance, Quanta Holdings, and Converium (now part of SCOR). Among other functions, our Retail CTO oversees a team of information security professionals who are devoted full time to assessing and managing cybersecurity threats on a day-to-day basis. Our Retail CTO attends each quarterly meeting of the TCRC to brief members on information security matters and discuss cybersecurity risks generally.
Our information security team for UCTS is led by our Chief Technology Officer-UCTS ("UCTS CTO"), who also serves as our CISO for UCTS. Our UCTS CTO/CISO reports to our President, The Baldwin Group & CEO, Underwriting, Capacity and Technology Operations. Our UCTS CTO/CISO has served in the role since 2024 and has experience in application security, intrusion detection, penetration testing, CTEM, and unconventional cyber-attack vectors, having previously led technology teams across various sectors, including financial services and travel management. Among other functions, our UCTS CTO/CISO oversees a team of information security professionals who are devoted full time to assessing and managing cybersecurity threats on a day-to-day basis. Our UCTS CTO/CISO also attends each quarterly meeting of the TCRC to brief members on information security matters and discuss cybersecurity risks generally.
In addition, our management team has established an internal Cyber Steering Committee (the "Cyber SteerCo"), which includes processes designed to identify, assess, categorize, and monitor key current and evolving risks facing us, including cybersecurity risks. Each of the Retail CTO and UCTS CTO/CISO sits on the Cyber SteerCo along with our General Counsel and CISO. Management is made aware of current and evolving cybersecurity risks through the Cyber SteerCo reporting. Furthermore, in the event of a material or potentially material cybersecurity event, our process as designed is intended to result in senior members of management being promptly informed of such event and oversee triage, response, and disclosure efforts pursuant to the terms of a documented incident response plan.
Company Information
| Name | Baldwin Insurance Group, Inc. |
| CIK | 0001781755 |
| SIC Description | Insurance Agents, Brokers & Service |
| Ticker | BWIN - Nasdaq |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |