AMERICAN COASTAL INSURANCE Corp - (ACIC)

10-K Filing Date: March 15, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

Our cybersecurity program is led by our Chief Information Security Officer (CISO) and overseen by the Audit Committee and the Board. Our cybersecurity program prioritizes threat mitigation, while focusing on maintaining the integrity and resilience of our systems. Our cybersecurity program includes identifying threats, considering potential damages through the lens of residual risk, identifying potential actions to manage cyber risk, implementation, and ongoing monitoring and testing for design and performance effectiveness.

The Company’s risk management strategy identifies cybersecurity risks, such as vulnerabilities on assets, fraud, abuse of systems and services, unauthorized data access, data exfiltration, data destruction, and service disruption, as among the Company’s top enterprise risks. As such, the cybersecurity risk management process and related governance process are integrated into the broader information technology control environment, which is integrated into the Company’s overall risk management systems and processes. Additionally, we regularly review and test our cybersecurity controls.

Our cybersecurity team, in partnership with external vendors and a third-party security operations center, designs and implements data security and cybersecurity programs, risk assessments, monitoring, external and internal penetration tests, controls testing and training for our employees. In 2023, a third-party consultant was engaged to facilitate a tabletop exercise to test the Company's cyber incident response plan. We continue to make investments to enhance our ability to identify and detect cybersecurity risks within our environment and protect the Company from those identified risks.

Risk Assessment, Risk Management and Incident Management

We employ processes and technologies to proactively address cybersecurity risks. This includes the periodic review and update of IT security policies, employee security awareness training programs complemented by simulated phishing tests, and the implementation of firewalls, intrusion prevention and detection systems, anti-malware functionality, and identity and access management controls.

As one of our processes, we have implemented cybersecurity incident response plans, including the Security Incident Response Plan and IT Disaster Recovery Plan, that set forth specific frameworks for responding to and managing potential and actual cybersecurity incidents, provide guidance on the roles of, and interactions with, various departments within ACIC and define certain processes and procedures for cybersecurity incident response and management. Our cybersecurity incident response plans and procedures also establish escalation protocols in connection with a potential cybersecurity incident. These protocols vary depending upon the specific factors involved, including the materiality of an incident, the related harms and risks associated therewith, any undertakings required to mitigate and remediate any such incident and any corresponding legal or regulatory actions. Under the cybersecurity incident response plans and their protocols, incidents are responded to by multidisciplinary teams and are further escalated to the attention of senior management and our Board when applicable. The Company reviews and updates these cybersecurity incident response plans annually.

The Company’s risk assessment considers cybersecurity threats associated with the use of third-party service providers. Failure to assess potential risks associated with a third party could expose us to a variety of risks, including, but not limited to supply chain attacks, data breaches, and reputational damage which can have devastating and long-lasting impacts. As such, we have employed contracting policies and procedures which include data protection and other cybersecurity considerations during the vendor onboarding process, and periodic review of service organization controls reports for material third-party service providers.

In the last three fiscal years, we have not experienced a material cybersecurity incident, and we are not aware of any cybersecurity risks that are reasonably likely to materially affect our business other than what is already disclosed in Item 1A. Risk Factors in this annual report on Form 10-K. For more information about the risks posed by cybersecurity threats, see "If we experience difficulties with our information technology or data security systems and/or outsourcing relationships, our ability to conduct our business could be negatively impacted, which could adversely affect our financial condition or results of operations" in Item 1A. Risk Factors in this annual report on Form 10-K.

Governance

Management Oversight

Our CISO has overall responsibility for implementing the cybersecurity program's strategy and objectives to build a strong cyber risk management function. Our CISO has over 25 years of IT experience with specialization in IT compliance, information security and risk management.

Our Chief Information Officer (CIO) has overall responsibility for establishing and overseeing the Company's technology infrastructure and security posture. Our CIO has over 25 years of IT experience, nearly all in the insurance space.

Finally, our Chief Compliance and Risk Officer (CCRO) has more than 30 years of experience in finance and accounting and has managed tax planning, insurance accounting, internal audit and risk management functions. Our CCRO maintains an active Certified Public Accountant license.

Board Oversight

The Board and Audit Committee are responsible for overseeing our annual enterprise risk assessment, reviewing the guidelines and policies for assessing and managing the Company’s exposure to risks, including cybersecurity risks, and the steps management has taken to monitor and control such exposures. The Board and Audit Committee periodically meet to facilitate oversight of cybersecurity risk.

The Board regularly devotes time during its meetings to review and discuss the most significant risks facing the Company over the short-, medium- and long-term, and management's responses to those risks, including cybersecurity. Within these discussions, the Board receives updates from the CISO on the risks posed by cybersecurity threats and the Company's cybersecurity program. In addition to evaluating the Company's cybersecurity risks, the Board has oversight of management's cybersecurity function and is responsible for reviewing and approving the Company's cybersecurity program, as well as reviewing the quality and effectiveness of the Company's technology security.