Enact Holdings, Inc. - (ACT)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
Risk Assessment and Strategy
Our approach towards cybersecurity follows our enterprise risk management framework. Through this process our management identifies risks to achieving our strategy and objectives; assesses, manages, controls and monitors those risks; and communicates results, including elevation of those risks to the Risk Committee of the Board of Directors, where applicable.
We employ a multi-layered approach to data security and data privacy. This approach begins with our information security program, which leverages National Institute of Standards and Technology (NIST) SP 800-53. Our program includes policies and standards that delineate requirements for the implementation and ongoing maintenance of our information systems as well as security responsibilities for all personnel. We review these policies and standards periodically and update them as needed. We have processes to oversee the maintenance and enforcement of our information security policies and to educate personnel on their responsibilities. We maintain a “defense-in-depth” model, which employs multiple layers of protection for the Company. Among other things, we perform external and internal risk assessments, penetration testing, vulnerability scanning, secure code development and monthly security awareness training (including phishing awareness tests) for all personnel.
The monitoring and surveillance procedures over our key systems and IT environments are performed jointly with Genworth. Potential threats are evaluated, correlated and escalated to the extent appropriate. Incidents that are subject to escalation are initially evaluated by a team of IT security personnel led by our Chief Information Security Officer. If the incident is sufficiently severe, it will trigger our cybersecurity incident response plan, which is carried out by a cross-functional team of professionals who ultimately report findings and suggest action plans to our senior leadership team and Genworth. In accordance with the plan, we assess, contain and eradicate the threat and notify relevant external parties. We engage with third parties to assist with the research and evaluation, if deemed necessary.
We also consider cybersecurity threats with respect to third-party service providers. Third parties who hold sensitive data are subject to our risk assessment process and vendor management due diligence procedures, which include an evaluation of cybersecurity risk.
We have not identified any risks from cybersecurity incidents or threats that have materially affected our business strategy, results of operations or financial condition, and we do not believe that such risks are reasonably likely to have such an effect over the long term. Additional information on cybersecurity risks we face can be found in “Item 1A Risk Factors” of this Annual Report.
Cybersecurity Governance
The Chief Information Security Officer, who is primarily responsible for our cybersecurity strategy and for assessing and managing risks from cybersecurity threats, works together with our Chief Information Officer, Chief Risk Officer and compliance organization, as well as other functions, in administering our information security program in a manner that satisfies applicable legal and regulatory requirements. The Chief Information Security Officer has over 18 years of experience in information security, technology audit, and technology operations, which includes the design, implementation, and maintenance of greenfield cybersecurity programs for regulated specialty insurance and software-as-a-service companies. The Chief Information Security Officer has a master’s degree in information technology with a specialization in cybersecurity, augmented with professional designations including the Amazon Web Services (“AWS”) Certified Solutions Architect Associate, AWS Certified Security - Specialty, Global Information Assurance Certification (“GIAC”) Cloud Security Automation, GIAC Certified Intrusion Analyst, GIAC Penetration Tester, GIAC Web Application Penetration Tester, and Certified Information Systems Security Professional. The Chief Information Security Officer receives reports on potential cybersecurity threats from throughout the business on an ongoing basis and regularly reviews risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. Further, our team strives to stay current with respect to cybersecurity threats through training and investing in the relevant tools. Our Chief Information Security Officer, Chief Information Officer and Chief Risk Officer provide regular updates and reports to our senior leaders.
The Risk Committee of our Board of Directors, in coordination with our management risk committee, has primary responsibility for overseeing cybersecurity, information technology and information security systems, processes, policies and risk management and the effectiveness of security controls. At least quarterly, the Risk Committee meets with management and reviews reports related to the status of our information technology related risks, which includes information such as the status of our environment, employee education, penetration testing, server patching, systems availability, as well as debriefs of Company cybersecurity tabletop exercises, director education sessions on a variety of topics concerning cybersecurity, and annual assessment. The Committee also reviews the Chief Compliance Officer’s quarterly report, which includes information regarding certain data security incidents that meet the risk criteria for inclusion in the report. Management also keeps the Committee apprised of changes in the threat landscape, such as new projects or strategies that may involve cybersecurity risks, evolving trends, and cyber incidents that involve our customers and suppliers.
At least annually, we present a cybersecurity report to our full Board of Directors along with semiannual briefings. These sessions may cover, among other topics, the information security organization, material risks, technical threats, information technology security infrastructure, patching and vulnerability management, cybersecurity incidents, an annual cybersecurity tabletop exercise and incident preparedness, supplier management, security awareness training, cybersecurity personnel/staffing and a cybersecurity threat assessment.