Hippo Holdings Inc. - (HIPO)
10-K Filing Date: March 06, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
Cybersecurity risk management is a key component of our overarching risk management strategy. Given the susceptibility of our industry to cyber threats and attacks, we regularly encounter attempted attacks of varying types. Both the financial and personal data in our systems, coupled with the dynamic nature of our products and services, make us a potential target. We operate internationally with employees, contractors, vendors, developers, partners, and third parties, which complicates our risk exposures.
Our information security program encompasses policies and controls aimed at mitigating cybersecurity risks. However, we acknowledge the presence of both known and unknown risks, alongside vulnerabilities within our security program. Continuous improvement efforts are integral to enhancing our information security program and overall risk management endeavors.
We employ a risk management framework aligned with relevant laws, regulations, and industry standards to manage cybersecurity risks across our products and services, infrastructure, and organization. Our internal risk assessment processes incorporate various factors, including tracking threat intelligence and identified first- and third-party vulnerabilities, evaluating evolving regulatory requirements, and analyzing internally observed cybersecurity threats and incidents. We regularly conduct an internal risk assessment to evaluate the effectiveness of the security of our systems and of our processes, identify areas for remediation, and explore opportunities for enhancement, such as cloud and endpoint security enhancements, application programming interface (API) security, and contractor access management. We utilize third-party security experts and consultants on an annual basis to assess and improve our cybersecurity risk management tools and processes and to benchmark against industry standards.
Additionally, we maintain a privacy risk management program to evaluate risks associated with the collection, usage, sharing, and storage of customer data. An independent third party assesses our privacy risk management program to evaluate efficacy and to benchmark against industry standards.
On an annual basis we obtain an independent assessment and evaluation of the operation of our cybersecurity and privacy programs, as well as the supporting control frameworks. The findings of these independent assessments facilitate our risk-based decision-making, prioritization of cybersecurity countermeasures, and risk mitigation strategies. Our risk mitigation strategies encompass an array of technical and operational measures, complemented by annual cybersecurity and privacy training for all employees.
Additionally, we have specific policies and practices governing third-party security risks, including our third-party risk management (TPRM) program. Under this program, we gather information from relevant third parties to assess potential risks associated with their security controls.
Cybersecurity Governance
Our board of directors oversees our strategic and business risk management, with cybersecurity risk management oversight delegated to the Audit, Risk, and Compliance Committee (the “Committee”). The Committee also oversees risks related to privacy and data use and monitors our compliance with our privacy program. Management is responsible for the ongoing identification, assessment, and management of material cybersecurity risks, along with the implementation of processes for monitoring potential cybersecurity risk exposures, deploying appropriate mitigation measures, maintaining cybersecurity policies and procedures, and providing regular reports to the Committee and to the board of directors.
Tal Hornstein, our Chief Information Security Officer (CISO), leads our cybersecurity program and oversees teams supporting security functions across the company. Mr. Hornstein holds a CISSP certification from ISC2 and has over 20 years of experience in multiple cybersecurity and technology-related roles. He joined Hippo in late 2021 and has been instrumental in designing and executing our entire cybersecurity stack.
Our cybersecurity team monitors prevention, detection, mitigation, and remediation of cybersecurity incidents through technical and operational measures, regularly reporting to the CISO. As a key member of the senior management team, the CISO provides updates to the Committee on the company’s cybersecurity program, including risks, incidents, and mitigation strategies.
Impact of cybersecurity risks on business strategy, results of operations or financial condition
As of the date of this Annual Report, we have not identified any cybersecurity threats materially affecting, or reasonably likely to materially affect, our business strategy, results of operations, or financial situation. However, despite our efforts, we recognize the impossibility of eliminating all cybersecurity risks or guaranteeing the absence of undetected cybersecurity incidents. For additional information about these risks, refer to Part I, Item 1A, "Risk Factors," in this Annual Report on Form 10-K.