Heritage Insurance Holdings, Inc. - (HRTG)

10-K Filing Date: March 13, 2024
Item 1C. Cybersecurity

The Audit Committee (“Audit Committee”) of the Company’s Board of Directors (the “Board”) is actively involved in oversight of the Company’s risk management program, which includes the identification, assessment and management of material cybersecurity risks. A cybersecurity threat is any potential unauthorized occurrence, on or conducted through, the Company’s information systems that may result in adverse effects on the confidentiality, integrity or availability of the Company’s information systems or any information residing therein. In general, the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that the Company collects and stores by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.

Cybersecurity risk management and strategy

As one of the elements of the Company’s overall risk management program, the Company’s cybersecurity program is focused on the following key areas:

Technical Safeguards: The Company deploys technical safeguards that are designed to protect the Company’s information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence.
Incident Response and Recovery Planning: The Company has established and maintains incident response and recovery plans to timely, consistently, and compliantly address cybersecurity threats that may occur despite the Company’s safeguards, and such plans are tested and evaluated on a regular basis.
Third-Party Risk Management: The Company maintains a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of the Company’s systems, as well as the systems of third parties that could adversely impact the Company’s business in the event of a cybersecurity incident affecting those third-party systems.
Outside Consultants: The Company engages various outside consultants, including contractors, assessors, auditors, outside attorneys and other third parties, to, among other things:
    assist in the design, implementation and testing of our cybersecurity program, policies and procedures;
    monitor Company networks, servers and endpoints to identify vulnerabilities;
    perform assessments on the Company’s cybersecurity measures, including audits and independent reviews of the Company’s information security control environment and operating effectiveness;
    obtain information about a cybersecurity incident and isolate compromised systems and electronic data from further exposure;
    determine and execute mitigation and remediation options and plans; and
    ensure ongoing compliance with applicable legal and regulatory requirements, including notification to required individuals and regulatory bodies in the event of the discovery of an information security breach as defined under applicable laws, and timely and adequate disclosure under applicable SEC rules.
Education and Awareness: The Company provides annual training for personnel regarding cybersecurity threats as a means to equip the Company’s personnel with effective tools to address cybersecurity threats, and to communicate the Company’s evolving information security policies, standards, processes and practices.

Governance

The Company maintains an Information Security Committee (the “ISC”), a cross-functional governance committee comprised of the AVP, Enterprise Information Technology (“IT AVP”), the Chief Financial Officer (“CFO”) and the Chief Executive Officer (“CEO”). The ISC is the focal point for all information security activities throughout the Company and acts as a liaison on security matters throughout our group of affiliates. The ISC, led by the IT AVP, works collaboratively across the Company to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s incident response and recovery plans. The ISC is charged with developing and implementing policies and procedures for incident response handling, monitoring, and addressing security risks on an ongoing basis. The ISC is responsible for deploying technology and information security experts to monitor security risks and to advise on, contain, analyze and report on security incidents, as necessary. As described above, the Company also retains a third-party cybersecurity firm to work hand-in-hand with the ISC to develop and oversee a program to prevent, detect, mitigate and remediate cybersecurity incidents.

The Board has delegated to the Audit Committee the responsibility for monitoring and overseeing the Company’s cybersecurity and other information technology risks, controls, strategies and procedures. The Company’s IT AVP, on behalf of the ISC, reports to the Audit Committee at least annually regarding technological risk exposure and the Company’s cybersecurity risk management strategy, and reports any incidents to the Audit Committee in real time. Based on these reports, the Audit Committee periodically evaluates the Company’s information security strategies to ensure their effectiveness and, if appropriate, may also include a review by third-party experts. The Company’s Internal Audit function also provides quarterly updates to the Audit Committee, which include an update on cybersecurity risks and related internal controls.

Management’s Expertise

Our IT AVP also ensures he is continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. Staying informed on developments in the cyber industry is crucial to the Company’s effective prevention, detection, mitigation and remediation of any cybersecurity incidents. In addition, the Company’s CEO and IT AVP each hold undergraduate degrees and graduate degrees in their respective fields, and each have over 20 years of experience managing risks at the Company or at similar companies, including risks arising from cybersecurity threats.

Risks from Cybersecurity Threats

Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected, and are not reasonably likely to materially affect, the Company, including its business strategy, results of operations or financial condition.