Root, Inc. - (ROOT)
10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity
The Company has processes in place designed to protect its information systems and to assess, identify and manage material risks from cybersecurity threats. Accordingly, the Company has designed and implemented an Information Security Program, designed to protect the confidentiality, integrity, and availability of its information systems and data (including nonpublic information in its possession, custody, or control), as well as to comply with privacy and Information Security Program requirements for insurers as set forth in applicable state laws and regulations. As part of the Information Security Program, the Company has implemented an information security and privacy training and awareness program for Root employees, which includes new-hire training, ongoing monthly training and regular phishing simulation and exercises. In addition, the Company has engaged third parties in connection with these processes.
The Company has engaged third parties to perform information security risk assessments and testing on a periodic basis. It also has engaged third parties to provide a variety of services, including providing hosted security products as well as services to support security incident detection and response activities. In order to identify and manage risk from third parties, the Company has implemented a third-party cybersecurity risk management program involving the assessment of information security risk related to the third party, with consideration given to the inherent risk level, the adequacy of the third party’s control environment to mitigate those risks, and areas of residual risk. The breadth and depth of the assessment activities are designed to be commensurate with the nature and scope of the services provided by the third party.
The oversight of the Company’s cybersecurity risk management processes is integrated into the Company’s enterprise risk management process. Our board of directors oversees an enterprise-wide approach to risk management, designed to support the achievement of organizational objectives, to improve long-term organizational performance and to enhance stockholder value. A fundamental part of risk management is not only understanding the most significant risks a company faces and what steps management is taking to manage those risks, but also understanding what level of risk is appropriate for a given company. The involvement of our full board of directors in reviewing our business is an integral aspect of its assessment of management’s tolerance for risk and also its determination of what constitutes an appropriate level of risk. In connection with its reviews of the operations of our business, the board of directors addresses the primary risks associated with our business, including cybersecurity. In particular, our board of directors is committed to the prevention, timely detection and mitigation of the effects of cybersecurity threats or incidents.
We have experienced cybersecurity threats to our information technology infrastructure and have experienced cybersecurity attacks, attempts to breach our systems, fraudulent activity and other similar incidents. As of the filing of this Annual Report on Form 10-K, we are not aware of any such incidents that have occurred since the beginning of 2023 that have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, results of operations or financial condition. However, future threats could materially affect our business strategy, results of operations or financial condition. Risks related to cybersecurity events are detailed in the section of this Annual Report on Form 10-K titled “Risk Factors—Risks Related to Our Business—Data security breaches, or real or perceived errors, failures or bugs in our systems, website or app could impair our operations, compromise our confidential information or our customers’ personal information, damage our reputation and brand, and harm our business and operating results.”
Cybersecurity Governance
While our full board of directors has overall responsibility for risk oversight, it has delegated oversight of certain risks to its committees, including the oversight of risks from cybersecurity threats. The board of directors delegated the oversight of cybersecurity risks to the Audit, Risk and Finance Committee, which oversees controls for the Company’s major financial and security risk exposures. The board of directors, through the Audit, Risk and Finance Committee, oversees the design and implementation of the Information Security Program. The board of directors and the Audit, Risk and Finance Committee are informed about these risks through regular reports from the Chief Information Security Officer, or CISO, about the Information Security Program.
Additionally, the board of directors is informed of material information security incidents, as needed, by the Computer Security Incident Response Team, which is led by the Company’s Chief Legal Officer.
The Information Security group and senior leadership are responsible for assessing and managing risks from cybersecurity threats. The Information Security group is led by the Company’s CISO, who is also responsible for the day-to-day management of the Information Security Program. Katelynn Sandy is the Company’s CISO. Ms. Sandy has an extensive background in cybersecurity, technology, and risk management across a variety of industries, including financial services, healthcare, and technology. Additionally, Ms. Sandy holds various information security certifications.
The Information Security group, senior leadership and the CISO are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents through the Information Security Program. At least quarterly, the CISO provides updates to the Audit, Risk and Finance Committee, which include updates on the overall Information Security Program status and compliance, cybersecurity-related risks, and recommended changes to the Information Security Program. Senior members of our Information Security and Internal Audit functions also provide detailed, regular reports on information security and privacy to the Audit, Risk and Finance Committee.