Hippo Holdings Inc. 10-K Cybersecurity GRC - 2026-03-04

Page last updated on March 5, 2026

Hippo Holdings Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-04 18:22:48 EST.

Filings

10-K filed on 2026-03-04

Hippo Holdings Inc. filed a 10-K at 2026-03-04 18:22:48 EST
Accession Number: 0001828105-26-000008


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Cybersecurity risk management is a key component of our overarching risk management strategy. Given the susceptibility of our industry to cyber threats and attacks, we regularly encounter attempted attacks of varying types. Both the financial and personal data in our systems, coupled with the dynamic nature of our products and services, make us a potential target. We operate internationally with employees, contractors, vendors, developers, partners, and third parties, which complicates our risk exposures.

Our information security program encompasses policies and controls aimed at mitigating cybersecurity risks, including an incident response plan that includes procedures for assessing and responding to cybersecurity incidents. However, we acknowledge the presence of both known and unknown risks, alongside vulnerabilities within our security program. Continuous improvement efforts are integral to enhancing our information security program and overall risk management endeavors.

We employ a risk management framework aligned with relevant laws, regulations, and industry standards to manage cybersecurity risks across our products and services, infrastructure, and organization. Our internal risk assessment processes incorporate various factors, including tracking threat intelligence and identified first- and third-party vulnerabilities, evaluating evolving regulatory requirements, and analyzing internally observed cybersecurity threats and incidents. We regularly conduct an internal risk assessment to evaluate the effectiveness of the security of our systems and our processes, identify areas for remediation, and explore opportunities for enhancement, such as cloud and endpoint security enhancements, application programming interface ("API") security, and contractor access management.

We periodically utilize third-party security experts and consultants to assess and improve our cybersecurity risk management tools and processes and to benchmark them against industry standards. Additionally, we maintain a privacy risk management program to evaluate risks associated with the collection, usage, sharing, and storage of customer data. An independent third-party assesses our privacy risk management program, to evaluate efficacy and to benchmark against industry standards.

On an annual basis, we engage an independent third-party to perform a SOC 2 Type II examination of certain systems and controls within a defined scope. This examination assesses the design and operating effectiveness of specified controls over a defined review period. The results of this assessment are one of several inputs used to inform our risk management processes and ongoing enhancement of our cybersecurity controls.

Our risk mitigation efforts include a range of technical and operational safeguards, supplemented by annual cybersecurity and privacy training for employees. Additionally, we have specific policies and practices governing third-party security risks, including our third-party risk management ("TPRM") program. Under this program, we gather information from relevant third parties to assess potential risks associated with their security controls.

Cybersecurity Governance

Our board of directors oversees our strategic and business risk management, with cybersecurity risk management oversight delegated to the Audit, Risk, and Compliance Committee (the "Committee"). The Committee also oversees risks related to privacy and data use and monitors our compliance with our privacy program.

Management is responsible for the ongoing identification, assessment, and management of material cybersecurity risks, along with the implementation of processes for monitoring potential cybersecurity risk exposures, deploying appropriate mitigation measures, maintaining cybersecurity policies and procedures, and providing regular reports to the Committee and to the board of directors.

Our Chief Information Security Officer ("CISO") has 15 years of experience in technology, engineering and building cybersecurity programs and leads our cybersecurity program, overseeing teams supporting security functions across the company. Our cybersecurity team includes individuals with cybersecurity-related certifications such as CISSP, CISM and MS Cybersecurity Architect and monitors prevention, detection, mitigation, and remediation of cybersecurity incidents through technical and operational measures, regularly reporting to the CISO. As a key member of the senior management team, the CISO provides updates to the Committee on the company's cybersecurity program, including risks, incidents, and mitigation strategies. Our cybersecurity team monitors prevention, detection, mitigation, and remediation of cybersecurity incidents through technical and operational measures, regularly reporting to the CISO. As a key member of the senior management team, the CISO provides updates to the Committee on the company's cybersecurity program, including risks, incidents, and mitigation strategies.

Impact of cybersecurity risks on business strategy, results of operations or financial condition

As of the date of this Annual Report, we have not identified any cybersecurity threats materially affecting, or reasonably likely to materially affect, our business strategy, results of operations, or financial situation.
However, despite our efforts, we recognize the impossibility of eliminating all cybersecurity risks or guaranteeing the absence of undetected cybersecurity incidents that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. For additional information about these risks, refer to Part I, Item 1A, "Risk Factors," in this Annual Report on Form 10-K.


Company Information

Name: Hippo Holdings Inc.
CIK: 0001828105
SIC Description: Fire, Marine & Casualty Insurance
Ticker: HIPO - NYSE; HIPOW - OTC
Website:
Category: Accelerated filer; Emerging growth company
Fiscal Year End: December 31