STEWART INFORMATION SERVICES CORP - (STC)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity

Stewart recognizes the importance of protecting our customers', employees' and partners' confidentiality and data integrity. To that end, we continuously and methodically evaluate cyber risks, how they evolve and how they may affect us. We devote considerable resources to our cybersecurity efforts, and we are committed to continuous cybersecurity education and training across our entire organization as well as our partners and customers. We continuously evaluate and monitor third-party risk relating to the protection of sensitive data. Our program covers a broad set of security domains, including, but not limited to: risk management, data protection, incident response, identity and access management, threat and vulnerability management, disaster recovery, business resiliency, and continuity.

Risk assessment and management
Stewart has an enterprise risk management (ERM) program to identify, assess, and manage risks. Cybersecurity risks are evaluated alongside other critical business risks under the ERM program to align cybersecurity efforts with Stewart's broader business goals and objectives. Monitoring of cybersecurity risk is assigned to the Vice President, Information Technology (IT), who is a member of the ERM committee. Cybersecurity risk is also under the management oversight of Stewart's Senior Leadership Team.

Stewart takes a risk-based approach to cybersecurity, which begins with the identification and evaluation of cybersecurity risks that could affect Stewart’s operations, finances, legal or regulatory compliance, or reputation. Once identified, cybersecurity risks and related mitigation efforts are prioritized based upon their potential impact and likelihood. Risk mitigation strategies are developed and implemented based upon the specific nature of each cybersecurity risk. These strategies include the application of cybersecurity policies, procedures, and technologies, and employee training, education, and awareness. Additionally, Stewart’s cybersecurity program provides mechanisms for employees to report any unusual or potentially malicious activity.

Stewart is regularly assessed against the Cybersecurity Framework of the National Institute of Standards and Technology (NIST CSF) and is also evaluated for compliance with the SSAE-18 System and Organization Controls (SOC) standards of the American Institute of Certified Public Accountants (AICPA).

Stewart receives certain confidential or personal information related to its customers and employees. Stewart’s operations depend upon the secure collection, processing, retention and transmission of such information by and through Stewart and its vendors. Therefore, the performance, reliability, and security of Stewart’s technology infrastructure and information systems, and those of its vendors, are critical to Stewart’s operations and initiatives.

Vendor risk management is an essential part of Stewart's Enterprise Governance, Risk and Compliance (GRC) program. Critical vendors, which include all vendors that have access to personal information, are assessed and measured against standard security frameworks. Critical vendors are monitored for performance and compliance, and vendor security requirements are well defined and included in all master service agreements and contracts.

Incident response
In the event of a material breach or an information technology disruption, management has an incident response team in place to take immediate action, work with local and national law enforcement, and notify the appropriate regulators, our Board of Directors and impacted parties. In addition, we would work with the NYSE to disclose the scope and effect of the breach or disruption through an appropriate Form 8-K filing, without providing information that could affect any law enforcement investigation.

Cybersecurity governance and board oversight
The Board is responsible for overseeing management’s assessment of significant risks facing Stewart. The Board approves management’s strategy to manage these risks and monitors management’s performance in implementing the strategy. The Board’s oversight of cybersecurity risks occurs at both the full Board level and at the Board committee level through the Audit Committee.

The Board receives, at each regularly scheduled meeting, a risk report which includes an updated cybersecurity risk exposure assessment, a summary of existing cybersecurity controls and risk mitigations, and further planned controls and risk mitigation activities.

Our Chief Information Security Officer (CISO) reports quarterly to the Audit Committee on Stewart's cybersecurity program and operations, and provides ad hoc updates as needed. On a regular basis, management commissions a third-party assessment of Stewart's cybersecurity controls, the results of which are reported to the Audit Committee.

Management’s role
Stewart’s cybersecurity function is led by Stewart’s CISO, who reports to the Group President, Technology and Operations. The Group President, Technology and Operations, is responsible for all areas of Stewart’s digital business strategy, enterprise technology solutions, innovation, and global information technology. The CISO leads a holistic security program to defend enterprises against emerging threats. He has served in various roles in information technology and security leadership for over 30 years.

Management uses third-party consultants, as necessary, to assist in assessing, identifying and managing risks from cybersecurity threats. Annually, senior management participates in tabletop exercises to assess its readiness to respond to cybersecurity incidents. Our cybersecurity team routinely tests our employees and the effectiveness of existing controls.

Risk from cybersecurity threats
Stewart regularly defends against, responds to and mitigates risks from IT system and software vulnerabilities, broader cybersecurity threats and data security incidents. As of the date of this report, Stewart has not identified any cybersecurity threats that have materially affected, or are reasonably anticipated to materially affect, the organization; however, there can be no guarantee that we will not experience such an incident in the future. Stewart experienced no known material cyber breaches during the three-year period ended December 31, 2023. For additional information concerning Stewart's risks related to cybersecurity, see Item 1A. Risk Factors.
