HCI Group, Inc. 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

HCI Group, Inc. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 16:16:52 EST.

Filings

10-K filed on 2026-02-26

HCI Group, Inc. filed a 10-K at 2026-02-26 16:16:52 EST
Accession Number: 0001193125-26-076743


Item 1C. Cybersecurity.

ITEM 1C - Cyber security

We rely on digital technology to conduct our businesses and interact with customers, policyholders, agents, and vendors. With this reliance on technology comes the associated security risks from the use of communication technology and networks.

Risk Management and Strategy

The goal of our cybersecurity risk management strategy is to protect the privacy, integrity, and availability of our critical systems and information. Our processes are designed to identify, assess, and manage material risks from cybersecurity threats as part of our entity-wide risk management efforts.

To safeguard our data and the data of our customers, management utilizes a multi-layered approach including the use of an external security operations center that specializes in the detection and containment of cyber-attacks. For protection of endpoint devices connected to our network, we use third-party managed detection and response security software. Perimeter defense technology is used to filter e-mail for threats from malware, viruses, phishing attempts, and network firewalls are used to monitor incoming and outgoing network traffic. Tools utilized to prevent threats include multifactor authentication, e-mail security services, mobile e-mail security policies, virtual private networks, third-party security experts, and timely applications of software patches, among others.

We conduct annual penetration testing, disaster recovery testing, internal and external audits of our cybersecurity controls, as well as simulated cyberattack scenarios to evaluate our preparedness for these situations. Employees are required to complete mandatory semiannual cybersecurity training and participate in periodic phishing simulations. We also maintain cyber insurance coverage, which includes access to a cyber incident response team in the event of a cybersecurity incident.

Management of cybersecurity risks also extends to third-party service providers engaged for specialized functions. Oversight of these providers is maintained through a third-party risk management process which includes obtaining and reviewing independent service organization audit reports on Service Organization Controls ("SOC") to evaluate the design and operating effectiveness of relevant controls. Certain third-party providers are monitored and reviewed through oversight procedures performed by external service providers to assess controls related to data protection, system security, and access management.

We respond to cybersecurity events in accordance with our Cyber Security Incident Response Plan ("CSIRP"), which follows the guidance of the National Institute of Standards and Technology Cybersecurity Framework and provides for assessment, mitigation, and if necessary, remediation of any effects of a system breach. We also conduct annual breach simulations with internal information technology teams to test each step of our CSIRP.

There have been no cybersecurity events in the past that have materially affected or are reasonably likely to materially affect the Company's business strategy, results of operations, or financial condition. Although we believe our defenses against cyber-intrusions are sufficient, we continue to update our prevention programs to respond to sophisticated and rapidly evolving attempts to overcome our security measures. Such continuing threats could have a variety of adverse business impacts. See Item 1A - "Risk Factors" under the heading "Security and fraud risks" above for additional information on risks to our business from cybersecurity incidents and related matters.

Governance

Cybersecurity is a critical component of our overall risk management process. Our Board of Directors oversees our cybersecurity risk management, including oversight of policies, processes, and material risks related to cyber security. Responsibility for the assessment and management of cybersecurity risks resides with senior management.

The members of management responsible for managing cybersecurity threats are HCI Group's Vice President of Information Technology and the Chief Technology Officer of Exzeo. Both the Vice President of Information Technology and the Chief Technology Officer have extensive experience in information technology, operations, network security, and cybersecurity risk management, including the implementation and monitoring of security controls, coordination with third-party security service providers, and defense of computer networks against cyber intrusions. In addition, HCI Group's Director of Cybersecurity is dedicated to overseeing our multi-layered cybersecurity defenses and leads monthly security meetings attended by information technology managers. Day to day cybersecurity operations are supported by internal information technology personnel with experience in system security, threat monitoring, incident detection, and response, who are responsible for implementing cyber security controls, monitoring threats and coordinating response activities.

Our Board receives periodic updates from management regarding cybersecurity risks, controls, and any material cybersecurity incidents. At least one member of the Board has information technology and cybersecurity-related experience, which supports the Board's oversight of cybersecurity risk management.


Company Information

Name: HCI Group, Inc.
CIK: 0001400810
SIC Description: Fire, Marine & Casualty Insurance
Ticker: HCI - NYSE; HCIIP - OTC
Website:
Category: Large accelerated filer
Fiscal Year End: December 31