Skyward Specialty Insurance Group, Inc. - (SKWD)

10-K Filing Date: April 01, 2024
Item 1C. Cybersecurity
Our information technology systems (“IT Systems”) play a central role in running nearly all aspects of our business operations. Our IT Systems are used for a variety of critical business functions including, but not limited to, internal and external communications, managing our documents and records, and providing shared work environments across various business functions. Therefore, responding efficiently and effectively to cybersecurity incidents and threats is an important component of our overall ERM strategy. In order to respond to such incidents and threats, we have implemented a carefully designed Crisis Response Plan (“CRP”).
Cybersecurity Risk Management and Strategy
Our management and information technology personnel have implemented processes and procedures for assessing, identifying, managing and escalating material risks from cybersecurity threats. These processes and procedures have been integrated into our overall risk management processes. For example, cybersecurity related risks are included in the risk universe that our enterprise risk management committee evaluates on an annual basis. To the extent the ERM process identifies a heightened cybersecurity related risk, risk owners are assigned to develop risk mitigation plans, which are then tracked to completion. Further, security events and data incidents are evaluated, ranked by severity and prioritized for response and remediation. Incidents are evaluated to determine materiality as well as operational and business impact and reviewed for privacy impact.
Our cybersecurity risk management program leverages the National Institute of Standards and Technology framework, which organizes cybersecurity risks into five categories: identify, protect, detect, respond and recover. In addition, we have a set of Company-wide policies and procedures concerning cybersecurity matters, such as policies related to encryption standards, antivirus protection, remote access, multifactor authentication, confidential information and the use of the internet, social media and email. In the event of an incident, we intend to follow our detailed crisis response playbook.
Further, we have continued to expand investments in IT security, including additional end-user training, using layered defenses, identifying and protecting critical assets, strengthening monitoring and alerting, and engaging experts. We regularly test defenses by performing simulations and drills at a technical level (including through penetration tests) and by reviewing our operational policies and procedures with third-party experts. At the management level, our IT security team regularly monitors alerts and meets to discuss threat levels, trends and remediation. The team also prepares a monthly cyber scorecard, regularly collects data on cybersecurity threats and risk areas and conducts an annual risk assessment. Further, we conduct periodic external penetration tests, red team testing and maturity testing to assess our processes and procedures and the threat landscape. These tests and assessments are useful tools for maintaining a robust cybersecurity program to protect our investors, customers, employees, vendors, and intellectual property. In the event of an incident, we have outside cybersecurity legal counsel who would consult and coordinate with other third parties, including communication and notification to third parties as required; cybersecurity vendors that would perform various investigation services as well as assist with the recovery and restoration of any impacted IT System services; cybersecurity experts who would assist with validation of the incident and with ransomware demands; and cybersecurity insurance providers.
In addition, we have implemented processes to oversee and identify risks from cybersecurity threats associated with our use of key third-party service providers, including requiring third-party service providers to provide their SOC-1 or SOC-2 reports and their cybersecurity/disaster recovery plans.
Cybersecurity Governance
Our cybersecurity risk management and strategy processes are overseen by leaders from our Information Security Team with assistance from our Compliance and Legal teams. Such individuals have decades of experience in various roles involving information technology, including security, auditing, compliance, systems and programming. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our crisis response plan, and report to the Risk Committee on any appropriate items.
Under its committee charter, the Risk Committee of our Board of Directors oversees our cybersecurity strategy, reviews our cybersecurity and other information technology risks, controls and procedures, and receives periodic updates from management regarding the adequacy and effectiveness of our cybersecurity measures. Included in this review is a thorough discussion of the risks from cybersecurity threats including the potential impact to our operations of such threats.
We have also instituted a separate process for communicating with the Risk Committee in the event we are the target of a specific cybersecurity incident. As part of our response to such an incident, members of the Crisis Management Team would provide an initial awareness communication of the incident to our Chief Executive Officer/Chair of the Board who would in turn inform the Chair of the Risk Committee. Following an initial assessment of the incident by senior management and IT Systems personnel, we would provide a follow-up communication to the CEO and Risk Committee Chair and determine whether further escalation to the full Board is warranted.
Although the risks from cybersecurity threats have not materially affected our business strategy, results of operations or financial condition, it is possible that a cybersecurity incident resulting in a serious compromise of our IT Systems or a demand for payment to restore our IT Systems, could have a material adverse effect on us by negatively impacting our ability to operate our business effectively and by diverting the attention of our management and other resources, including financial resources, to address the cybersecurity incident.