UNIVERSAL INSURANCE HOLDINGS, INC. - (UVE)

10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY
The Company recognizes the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data that is created, collected, stored, and used to operate our business.

The Company evaluates cybersecurity risks through its comprehensive Enterprise Risk Management (“ERM”) framework, which is governed by the Risk Committee of the Board and encompasses the spectrum of risks, including cybersecurity risks and threats, that are integral to the Company’s strategic objectives. Cybersecurity risks and threats are managed by a dedicated security team within the Information Technology (“IT”) Department, under the leadership of the Chief Information Officer (“CIO”), who is also a member of the Risk Committee (Executive Director). This team collaborates with various departments across the Company, including legal, compliance, and human resources, to ensure a comprehensive approach to cybersecurity.

The Risk Committee provides assurances to management and the Board that the Company has identified and evaluated key risks and implemented mitigating controls, including the Company’s Incident Management and Information Security Plan, to assess, identify, and manage cybersecurity risks.

Risk Management and Strategy
The Company’s process for assessing, identifying, evaluating and managing cybersecurity risks as part of its broader ERM program includes:
Risk Identification and Prioritization: The Company employs various methods to assess and identify cybersecurity risks, which methods may, from time to time, include tabletop exercises to test our preparedness and incident response process, business unit assessments, control gap analyses, threat modeling, impact analyses, internal audits, external audits, penetration tests, and engaging third parties to conduct analyses of our information security program. This process includes evaluating the likelihood and impact of potential cybersecurity incidents.
Continuous Risk Monitoring: The Company actively monitors cybersecurity risks including third-party risk from vendors and suppliers. Significant fluctuations in the prevalence or impact of such risks are reported to the Risk Committee on a quarterly basis.
Mitigation Strategies: While continuous backups to a warm failover site are performed, the Company’s Incident Management and Information Security Plan is designed to identify and respond to security incidents and threats in a timely manner to minimize the loss or compromise of information assets and to facilitate incident resolution. In general, our incident response process follows the framework established by the National Institute of Standards and Technology (“NIST”) and focuses on four phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident remediation. We also conduct mandatory annual cybersecurity training for all employees.

Cybersecurity Risks and Business Impact
To date, the Company has not been subject to cyberattacks that, individually or in the aggregate, have been material to our operations or financial condition. We do not believe that risks from cybersecurity threats are reasonably likely to materially affect our strategy, results of operations or financial condition over the long term. See the discussion of cybersecurity risk in Item 1A, “Risk Factors.”
Governance
Role of the Board and Management in Cybersecurity Risk Oversight
The Board’s Risk Committee provides oversight of cybersecurity and privacy risks, including overseeing management’s efforts to monitor and mitigate those risks and reviewing with management any significant privacy and cybersecurity incidents and the effectiveness of the Incident Management and Information Security Plan. The CIO and IT Management continuously address key management personnel on relevant cybersecurity issues, which can span a wide range of topics, including but not limited to recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, and the current threat environment.

IT Department

The Company has appointed our CIO to establish, implement, and carry out our cybersecurity risk management policies and processes, including the Incident Management and Information Security Plan, and to facilitate the communication of such matters to the Risk Committee and the Board. Our CIO and other IT senior members of management responsible for our cybersecurity program have extensive experience assessing and managing cybersecurity risks. Our CIO and Security Team have over 30 years of experience in information technology and cybersecurity positions.

Internal Audit
Periodic audits are performed by our Internal Audit team as part of the Company’s compliance with the Information Security Plan and the overall ERM framework.

Chief Risk Officer
The ERM structure is further bolstered by the support of a dedicated Chief Risk Officer, who provides specialized expertise and oversight in the broader domain of risk management.