Exzeo Group, Inc. 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

Exzeo Group, Inc. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 16:14:34 EST.

Filings

10-K filed on 2026-02-26

Exzeo Group, Inc. filed a 10-K at 2026-02-26 16:14:34 EST
Accession Number: 0001193125-26-076686


Item 1C. Cybersecurity.

We rely on digital technology to conduct our business and interact with customers, policyholders, agents, and vendors. With this reliance on technology comes the associated security risks from the use of communication technology and networks.

Risk Management and Strategy

The goal of our cybersecurity risk management strategy is to maintain confidentiality, integrity, and availability of our critical systems and information. Our processes are designed to identify, assess, and manage material risks from cybersecurity threats as part of our entity-wide risk management efforts.

To safeguard our data and the data of our customers, management utilizes a multi-layered cybersecurity approach including the use of an external security operations center that specializes in the detection and containment of cyber-attacks. For protection of endpoint devices connected to our network, we use third-party managed detection and response security software. Perimeter defense technology is used to filter e-mail for malware, viruses, and phishing attempts, and network firewalls are used to monitor incoming and outgoing network traffic. Tools utilized to prevent cybersecurity threats include multifactor authentication, e-mail security services, mobile e-mail security policies, virtual private networks, third-party security experts, and timely applications of software patches, among others.

We conduct annual penetration testing, disaster recovery testing, and internal and external audits of our cybersecurity controls, as well as simulated cyberattack scenarios to evaluate our preparedness. Employees are required to complete mandatory annual cybersecurity training and participate in periodic phishing simulations. We also maintain cyber insurance coverage, which includes access to a cyber incident response team in the event of a cybersecurity incident.

Management of cybersecurity risks also extends to third-party service providers engaged for specialized functions such as payroll processing, financial reporting systems, and equity compensation administration. Oversight of these providers is maintained through a third-party risk management process which includes obtaining and reviewing independent assurance reports, such as SOC 1 and SOC 2 reports, as applicable, to evaluate the design and operating effectiveness of relevant controls. Certain third-party providers are monitored and reviewed through oversight procedures performed by external service providers to assess controls related to data protection, system security, and access management.

We respond to cybersecurity events in accordance with our Cyber Security Incident Response Plan (CSIRP), which follows the guidance of the National Institute of Standards and Technology Cybersecurity Framework and provides for assessment, mitigation, and if necessary, remediation of cybersecurity incidents. We conduct annual breach simulations to test the effectiveness of our CSIRP.

There have been no cybersecurity events that have materially affected or are reasonably likely to materially affect the Company's business strategy, results of operations, or financial condition. Although we believe our cybersecurity controls are appropriate, cybersecurity threats continue to evolve and could result in adverse business impacts. Refer to Item 1A - Risk Factors - Security and fraud risks for additional information.

Governance

Cybersecurity is a critical component of our overall risk management process. Our Board of Directors oversees our cybersecurity risk management, including oversight of policies, processes and material risks related to cyber security.

Responsibility for the assessment and management of cybersecurity risks resides with senior management, including our Chief Technology Officer, who is responsible for overseeing the Company's information security program, cybersecurity risk assessments, and incident response activities. Our Chief Technology Officer has more than 30 years of experience in information technology, including over 20 years in senior leadership roles within the P&C businesses. Prior to serving as our Chief Technology Officer, he served for more than 10 years as Vice President of Information Technology at HCI, where he was responsible for IT infrastructure security, disaster recovery planning, DevOps implementation, and compliance. His experience includes oversight of operations, network security, and cybersecurity risk management, including the implementation and monitoring of security controls and coordination with third-party security service providers.

Day to day cybersecurity operations are supported by internal information technology personnel with experience in system security, threat monitoring, incident detection, and response, who are responsible for implementing cybersecurity controls, monitoring threats, and coordinating response activities in accordance with our Cyber Security Response Plan.

Our Board receives periodic updates from management regarding cybersecurity risks, controls, and any material cybersecurity incidents. At least one member of the Board has information technology and cybersecurity-related experience, which supports the Board's oversight of cybersecurity risk management.


Company Information

Name: Exzeo Group, Inc.
CIK: 0001873951
SIC Description: Services-Prepackaged Software
Ticker: XZO - NYSE
Website
Category
Emerging growth company
Fiscal Year End: December 31