BROWN & BROWN, INC. - (BRO)

10-K Filing Date: February 22, 2024
ITEM 1C. Cybersecurity.

The Company relies on our internal Technology Solutions team and third-party vendors to provide effective and efficient service to our customers, process claims and timely and accurately report information to carriers, which often involves secure processing of confidential, sensitive, proprietary and other types of information. We monitor the risks presented by the possibility of cybersecurity breaches of any of these systems. Accordingly, we have significantly invested, and will continue to invest, in technology security initiatives, information technology policies and resources, and teammate training to mitigate the risk of improper access to private information.

The Audit Committee, composed entirely of independent directors, is responsible for organization-wide oversight regarding information security and reports to the full Board. All directors typically attend our committee meetings, which we believe creates transparency and a more collaborative and informed Board. The Audit Committee receives reports on at least a quarterly basis from the Company’s chief information security officer, who is typically accompanied by the Company’s chief security officer and chief information officer, on the Company’s latest information security risks and mitigation strategies.

Assessing, identifying and managing cybersecurity related risks are integrated into our overall enterprise risk management (ERM) program. As part of the Company’s ERM program, the Board receives a report at least annually from the Company’s chief executive officer and chief legal officer concerning the Company’s risks, which include cybersecurity risks.

The Company’s chief information security officer, under the direction of our chief security officer, is responsible for developing and implementing our information security program. Our chief information security officer and our chief security officer each has more than 35 years of experience in technology, operations, information risk and security. Our chief information security officer has deep experience developing comprehensive information security programs for large and complex financial services and insurance organizations. Our chief security officer brings extensive experience in both the military and the private sector and is a specialist in attack surface reduction, incident response and recovery, targeted threat hunting, forensics/malware analysis and threat group analysis.

Our Information Security team has deployed a structured and measured vulnerability management program that proactively identifies vulnerabilities across our platforms and processes. The program is composed of the following:

Internal persistent scans and external monthly scans;
Static and dynamic scanning of custom software code to support secure code development;
Periodic third-party executed penetration tests and risk assessments; and
A model to comply with SOC 2 Type II standards or other industry certifications at certain offices based on an office’s contractual agreements with carrier partners or other third parties.

In addition, external partners and products are submitted through a security risk assessment process facilitated through our security scorecard tool for data security risk and vulnerability maturity rating, and our teammates undertake a yearly security and compliance online training with test certification. Our teammates are also subject to security awareness communications and random simulated phishing campaigns. Teammates are also required to complete Health Insurance Portability and Accountability Act of 1996 (HIPAA) training every one or two years, depending on location. In 2023, substantially all Brown & Brown teammates completed ethical conduct training; cybersecurity awareness training; the California Consumer Privacy Act (CCPA) Survey; and the Annual Certification for Insurance Licensees training as a reminder of the regulatory obligation to report certain changes to the jurisdictions in which they are licensed.

We have also established a structured incident response process driven by the severity and type of issue. This process engages our Security Operations Center (SOC) for incident identification, our internal security team for incident analysis and assignment, our Technology Solutions teams for isolation and remediation, and our third-party business partner for continuity awareness and escalations. When we identify potentially impactful information security incidents, these teams operate at the direction of our Legal Department, which, among other things, directs external and internal reporting, including escalation to other functional areas within the Company and to the Board of Directors. We have adopted a defense-in-depth approach that includes intrusion detection systems and intrusion prevention systems, endpoint protection, endpoint detection and response, and a log management platform. Additionally, to defray the costs of any future data breach, we have a cyber liability insurance policy.

We face a number of cybersecurity risks in connection with our business and have from time to time experienced cybersecurity incidents, such as malware infections, phishing campaigns and vulnerability exploit attempts, which to date have not had a material impact on our business strategy, results of operations, or financial condition. For more information about the cybersecurity risks we face, see the risk factor entitled “A cybersecurity attack, or any other interruption in information technology and/or data security that may impact our operations or the operations of third parties that support us, could adversely affect our business, financial condition and reputation” in Item 1A - Risk Factors.