TIPTREE INC. - (TIPT)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
The Company has adopted processes designed to identify, assess and manage material risks from cybersecurity threats. Those processes include response to, and an assessment of, internal and external threats to the security, confidentiality, integrity and availability of Company data and systems along with other material risks to our Company, at least annually or whenever there are material changes to the Company’s systems or operations. As part of our risk management process, the Company engages outside providers to conduct periodic internal and external penetration testing. Our information security management system is based upon industry-leading frameworks, including CIS-18, ISO 27001, and NIST CSF. The Company stores Company data in cloud and local server environments with security appropriate to the data involved and has adopted controls around, among other things, vendor risk assessment, access and acceptable use, and backup and recovery. We have implemented security monitoring capabilities designed to alert us to suspicious activity and developed an incident response program that includes periodic testing and is designed to restore business operations as quickly and in as orderly a manner as possible in the event of a breach. In addition, employees participate in an ongoing program of mandatory annual training and receive communications regarding the cybersecurity environment to increase awareness throughout the Company. The Company also performs periodic cybersecurity assessments of our key vendors to help protect Company data when it leaves our network.
Operational responsibility for overseeing the adequacy and effectiveness of the Company’s risk management, control and governance processes rests with the Chief Operating Officer (“COO”) in consultation with senior management of the Company and the Chief Information Security Officers (“CISO”) of the Company and its operating subsidiaries. Aspects of the information systems of the parent holding company and each material operating business are distinct, so each has its own CISO, which in the case of the parent holding company is an independent third-party service provider. The CISOs’ expertise in information technology and cybersecurity has been gained from a combination of education, including relevant degrees and/or certifications, and prior work experience. Each of the CISOs has more than 10 years’ experience in information technology and cybersecurity. The COO reports regularly, and at least annually, to the Company’s Audit Committee and such report may address the overall assessment of the Company’s compliance with the Company’s cybersecurity policies, and include topics such as risk assessment, risk management and control decisions, service provider arrangements, test results, security incidents and responses, and recommendations for changes and updates to policies and procedures.
We are not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition, but we cannot provide assurance that we will not be materially affected in the future by such risks or any future material incidents. See “Risk Factors-Cybersecurity attacks, technology breaches or failures of our or our third-party service providers’ information systems could disrupt our various business operations and could result in the loss of critical and personally identifiable information, which could result in the loss of reputation and customers, reduce profitability, subject our businesses to fines, penalties and litigation and have a material adverse effect on our business’s results of operation, financial condition and cash flows” for additional information regarding cybersecurity risks.