Essent Group Ltd. - (ESNT)
10-K Filing Date: February 15, 2024
ITEM 1C. CYBERSECURITY
As with all institutions involved in financial services, information security represents a significant operational risk. To mitigate this risk, we have developed and manage a comprehensive information security program dedicated to protecting data entrusted to us by our clients as well as our own proprietary corporate information and the information technology infrastructure we use to process this data and information. Our approach is considered to be a defense-in-depth strategy, with multiple tiers of security controls and monitoring. Our security program is benchmarked against the National Institute of Standards and Technology Cybersecurity Framework ("NIST"), including, among other things, with respect to application security, vulnerability management and data protection, threat detection and incident response.
Cybersecurity risk management is the direct responsibility of our IT security team, which is led by our chief information officer ("CIO") and our chief information security officer ("CISO"). The IT security team develops, maintains, and enforces our information security program and information security policies, which are reviewed at least annually and are subject to approval by our information security committee. Additionally, we complete the following:
• an annual enterprise risk assessment;
• an annual threat and vulnerability assessment conducted in accordance with NIST guidance which considers adversarial and non-adversarial threat events that could impact our environment;
• periodic IT risk assessments;
• quarterly vulnerability management reviews; and
• periodic cloud risk assessments.
Our IT security team regularly monitors the company's technology environment to address and investigate potential incidents. In the event of an incident, we would follow our internally developed incident response playbook, which includes but is not limited to guidelines for determining the severity of an incident, roles and responsibilities of the cyber response team, mitigation and recovery steps, and communication to internal and external stakeholders based upon the nature and extent of the incident. We conduct regular external and internal penetration testing, "red teaming" exercises that seek to identify and remediate potential vulnerabilities, and other methods to ensure the readiness and effectiveness of our program and to continue to enhance our security posture. Our information security team also performs periodic tabletop exercises to simulate potential incidents in order to identify potential enhancements to monitoring and our incident response process.
We have also established a formal third-party risk management (TPRM) policy which defines the criteria that a third-party service provider must meet in order to be considered by us. All vendors are risk ranked and reviewed by our TPRM team, with results reported to our information security committee, which ultimately approves the use of new and existing vendors. In addition, we maintain an internal information security committee composed of cross-departmental company executives and IT leaders to ensure that we maintain strong governance mechanisms and to ensure compliance with our security policies and procedures.
During the year ended December 31, 2023, we did not experience any material cybersecurity incidents.
Although our information security program is designed to attempt to prevent, detect and respond to unauthorized use or disclosure of confidential information, including non-public personal information, there can be no assurance that such use or disclosure will not occur. See "Risk Factors—Risks Relating to the Operation of Our Business—The security of our information technology systems may be compromised and confidential information, including non-public personal information that we maintain, could be improperly disclosed."
Cybersecurity Governance
Our board of directors, led by the board’s technology, innovation and operations committee, actively oversees our information security program, with our management providing that committee with regular updates (including at each of the four meetings held by that committee in 2023) and reporting on our IT strategy, including information security strategies and initiatives, event preparedness and incremental improvement efforts.
The CIO and CISO, who oversee our information security program, are well qualified to oversee and manage risks posed by potential cybersecurity threats. Our CIO has over 25 years of experience serving Fortune 500 companies in the area of information technology, including nearly 20 years in mortgage and financial services, with roles ranging from overseeing application development and delivery to enhance risk management capability and improve operational efficiency to information technology strategy, architecture, delivery, and management. Similarly, our CISO has over 25 years of experience working for financial services companies in information technology, including roles overseeing e-commerce, technical infrastructure management and architecture, and 20 years overseeing information security programs.