Kinsale Capital Group, Inc. - (KNSL)
10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
Risk management and strategy
The Company’s risk management process includes assessing, identifying and managing material risks from various sources, including those related to cybersecurity. The Company uses information from incident history, industry publications and analysis centers, public news, government information sharing and recognized information security frameworks to inform its risk management program. Management employs a suite of detective and preventative cybersecurity measures including, but not limited to:
• maintaining a vulnerability management program,
• implementing and operating controls over logical access provisioning,
• maintaining an enterprise-wide security awareness program and
• administering periodic trainings.
The Company engages multiple vendors with subject matter and technological expertise in various aspects of cybersecurity management, including continuous threat detection and response coverage, endpoint detection, anti-malware, penetration testing and suspicious activity alerting, among others. When the Company engages third parties, management retains responsibility for the security and resiliency of its information assets. The Company maintains an incident response plan that includes escalation criteria and preliminary materiality assessments to guide business continuity and disclosure objectives.
We describe risks related to cybersecurity threats that could materially impact our business strategy, results of operations or financial condition under the heading “Risk Factors.” Material impacts could include loss of access to systems and data, financial costs and reputational harm, among others.
Governance
Our Chief Executive Officer ("CEO") is responsible for assessing and managing overall material risks to the Company. With respect to cybersecurity risks, our CEO leverages the collective expertise of the Company’s information security function, which reports to our CEO through the Company’s Chief Information Officer. The information security function is staffed with individuals with extensive information security employment experience, including in the financial services sector, educational experience and relevant credentials. The Audit Committee of the Board of Directors (the "Audit Committee") is responsible for receiving periodic updates on cybersecurity and information security risks, reviewing and discussing with management the quality and effectiveness of the Company’s efforts to mitigate such risks and reporting such findings to the Board of Directors. Management informs the Audit Committee about prevention, detection, mitigation and remediation of cybersecurity incidents at least annually and monitors such matters continuously.