Heritage Insurance Holdings, Inc. - (HRTG)
10-K Filing Date: March 13, 2024
The Audit Committee (“Audit Committee”) of the Company’s Board of Directors (the “Board”) is actively involved in oversight of the Company’s risk management program, which includes the identification, assessment and management of material cybersecurity risks. A cybersecurity threat is any potential unauthorized occurrence, on or conducted through, the Company’s information systems that may result in adverse effects on the confidentiality, integrity or availability of the Company’s information systems or any information residing therein. In general, the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that the Company collects and stores by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.
Cybersecurity risk management and strategy
As one of the elements of the Company’s overall risk management program, the Company’s cybersecurity program is focused on the following key areas:
Governance
The Company maintains an Information Security Committee (the “ISC”), which is a cross-functional governance committee comprised of the AVP - Enterprise Information Technology (“IT AVP”), Chief Financial Officer (“CFO”) and Chief Executive Officer (“CEO”). The ISC is the focal point for all information security activities throughout the Company and acts as a liaison on security matters throughout our group of affiliates. The ISC, led by the IT AVP, works collaboratively across the Company to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s incident response and recovery plans. The ISC is charged with developing and implementing policies and procedures for incident response handling, monitoring, and addressing security risks on an ongoing basis. The ISC is responsible for deploying technology and information security experts to monitor security risks and advise, contain, analyze, and report on security incidents, as necessary. As described above, the Company also retains a third-party cybersecurity firm to work hand-in-hand with the ISC to develop and oversee a program to prevent, detect, mitigate and remediate cybersecurity incidents.
The Board has delegated to the Audit Committee the responsibility for monitoring and overseeing the Company’s cybersecurity and other information technology risks, controls, strategies and procedures. The Company’s IT AVP, on behalf of the ISC, reports to the Audit Committee at least annually regarding technological risk exposure and the Company’s cybersecurity risk management strategy and reports any incidents to the Audit Committee in real time. Based on these reports, the Audit Committee periodically evaluates the Company’s information security strategies to ensure their effectiveness and, if appropriate, may also include a review from third-party experts. The Company’s Internal Audit function also provides quarterly updates to the Audit Committee, which include an update on cybersecurity risks and related internal controls.
Management’s Expertise
Our IT AVP also ensures he is continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. Staying informed on developments in the cyber industry is crucial to the Company’s effective prevention, detection, mitigation and remediation of any cybersecurity incidents. In addition, the Company’s CEO and IT AVP each hold undergraduate degrees and graduate degrees in their respective fields, and each has over 20 years of experience managing risks at the Company or at similar companies, including risks arising from cybersecurity threats.
Risks from Cybersecurity Threats
Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected or are reasonably likely to affect the Company, including its business strategy, results of operations or financial condition.