American Integrity Insurance Group, Inc. 10-K Cybersecurity GRC - 2026-02-27

Page last updated on February 27, 2026

American Integrity Insurance Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 21:57:24 EST.

Filings

10-K filed on 2026-02-27

American Integrity Insurance Group, Inc. filed a 10-K at 2026-02-27 21:57:24 EST
Accession Number: 0002007587-26-000016

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We rely on digital technology to conduct our business and interact with customers, policyholders, agents, and vendors. With this reliance on technology comes the associated security risks from using today's communication technology and networks. Risk Management and Strategy The goal of our cybersecurity risk management strategy is to protect the privacy, integrity and availability of our critical systems and information. Our processes identify, assess and manage material risk from cybersecurity threats as part of our entity-wide risk management efforts. To safeguard our data and the data of our customers, management utilizes a multi- layered approach consisting first of an external security operations center company that specializes in the detection and containment of cyber-attacks. For protection of endpoint devices connected to our network, we use the tailored security software of a third-party consultant company for managed detection and response. Perimeter defense technology is used to filter e-mail for threats from malware viruses and e-mail phishing attempts. We also detect threats through the use of our firewalls that monitor incoming and outgoing network traffic. Tools utilized to prevent threats include multifactor authentication, e-mail security services, mobile e-mail security policies, virtual private networks, third-party security experts, and timely applied software patches, among others. We engage in monthly penetration testing, annual disaster recovery testing, internal and external audits of our cybersecurity controls and simulated cyberattack scenarios to gauge our preparedness for these situations. In addition, employees are required to pass a mandatory cybersecurity training course annually and receive periodic phishing simulations to facilitate recognizing phishing attempts. We carry Cyber Insurance, which includes access to a cyber incident response team in the case of a cybersecurity event. 51 Management of cybersecurity also extends to third-party service providers we use for specialized purposes such as payroll processing, investment tracking, regulatory financial reporting, and equity compensation plan administration. Our communication with these providers is protected by the safeguards within our security operation center. In addition, we annually obtain a Service Organization Controls ( " SOC " ) report on the suitability and operating effectiveness of the providers' controls, known as a SOC 1 Type 2 Report. The report is prepared by an independent service auditor. We review such reports to confirm the existence of effective controls over unauthorized access at third party service providers . We respond to cybersecurity events in accordance with our Cyber Security Incident Response Plan ( " CSIRP " ), which follows the guidance of the National Institute of Standards and Technology Cybersecurity Framework and provides for assessment, mitigation, and if necessary, remediation of any effects of a system breach. We also conduct annual breach simulations with internal information technology teams to test each step of our CSIRP. To date, we have not experienced any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to affect us or our business strategy, results of operations or financial condition. Although we believe our defenses against cyber-intrusions are sufficient, we continue to update our prevention programs to respond to sophisticated and rapidly evolving attempts to overcome our security measures. Such continuing threats could have a variety of adverse business impacts. Governance Cybersecurity is a critical component of our overall risk management process, and both management and the Board of Directors are actively involved in the oversight of risks from cybersecurity threats. Our Board of Directors oversees our cybersecurity effort s and is informed regularly regarding such cybersecurity efforts and risks from cybersecurity threats. Our Board of Directors delegates certain tasks and responsibilities to be performed by senior management which is responsible for the identification and assessment of material risks from cybersecurity incidents. The members of management responsible for managing cybersecurity threats are the Head of Information Technology ( " IT " ) and our Director of Infrastructure and Operations, along with our Engineering Manager . The IT leadership team has extensive experience in managing information systems including the defense of computer networks against cyber intrusions. The Network Security Engineer is dedicated to overseeing our multi-layered cybersecurity defenses and leads monthly security meetings attended by IT managers. The Head of IT, Director of Infrastructure and Operations and Engineering Manager are regularly informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques and report to the Board of Directors on a regular basis. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation and remediation of cybersecurity incidents. Our information systems are routinely reviewed for compliance with information security policies and standards. Outcomes of reviews and audits are reported to the Head of IT, Director of Infrastructure and Operations and Engineering Manager.

Company Information