SelectQuote, Inc. 10-K Cybersecurity GRC - 2024-09-13

Page last updated on September 16, 2024

SelectQuote, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-13 16:03:34 EDT.

Filings

10-K filed on 2024-09-13

SelectQuote, Inc. filed a 10-K at 2024-09-13 16:03:34 EDT
Accession Number: 0001794783-24-000061

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Our security program is designed to reflect our business objectives, meet relevant laws and regulations, prevent unauthorized use of or access to our information systems, and maintain information assets’ confidentiality, integrity, and availability. Our policies and processes are guided by security requirements specific to our operating environment, laws, and regulations that are relevant to us and information security best practices. Risk Management and Strategy The Company’s cybersecurity strategy includes recognition and deployment of the following: a. A formal approach to enterprise risk management encompassing finance, operational risk management, and Information Technology (“IT”) to manage the business and technology-related challenges and required regulatory compliance obligations i. Board approved Information Security policies that are reviewed bi-annually ii. An IT infrastructure architecture that has been designed and implemented with security at its core in order to enable key business activities while ensuring the confidentiality, integrity, and availability of our technology infrastructure and critical business and customer data. The Network Security Architecture design focuses on our ability to: i. Identify and understand organizational risks to critical systems, assets, data & capabilities ii. Protect our environment by putting in safeguards iii. Detect potential threats by developing and implementing the appropriate activities to identify the occurrence of a cybersecurity event iv. Respond to and take the appropriate action regarding a detected cybersecurity incident v. Recover and restore any capabilities or services that were impaired due to a cybersecurity incident To reduce the risks from cybersecurity threats associated with our use of third-party service providers, we have a supplier relationship policy and process which outlines information security requirements for mitigating the risks associated with supplier’s access to our organization’s assets. This policy must be agreed to by the supplier, documented, and reviewed annually. SelectQuote has a network of third-party, industry leading, security experts whom they engage to independently test, assess and evaluate our risk management practices. We routinely engage in risk management activities designed to identify potential vulnerabilities; which, if identified, are planned for remediation. Governance Day to day management of our cybersecurity program is the responsibility of the Director, Information Technology Security. The Director manages an internal team of security professionals, as well as a third-party managed security operations center which provides 24/7 security monitoring. Our Director of IT Security reports to the Chief Information Officer. The two, combined, have over 50 years of experience in the information technology field and 30 years in IT security. Our Board of Directors recognizes the importance of cybersecurity in safeguarding the Company’s sensitive data. The Board of Directors has oversight responsibilities for risk management with a focus on the most significant risks facing us, including strategic, operational, financial and legal compliance risks. The Board’s risk oversight process builds upon management’s risk assessment and mitigation processes, which include an enterprise risk management program of which our cybersecurity processes are an integral component. Our Board implements its risk oversight function both as a board and through delegation to board committees, which meet regularly and report back to the Board, including delegating oversight of specific risks to board committees that align with their functional responsibilities. Our Audit Committee assists the Board in overseeing the enterprise risk management program and evaluates and monitors risks related to, among other things, the company’s information security program. Our Audit Committee assesses cybersecurity and information technology risks and the controls implemented to monitor and mitigate these risks. Our Chief Information Officer and Director of Information Technology Security periodically attend meetings and provide quarterly cybersecurity updates to the Audit Committee, and as needed, to the Board. Our Chief Information Officer and Director of IT Security report directly to the Audit Committee of the Board of Directors on our cybersecurity program and efforts to prevent, detect, mitigate, and remediate issues at least once annually or more frequently as determined to be necessary or advisable. In addition, we have an escalation process in place to inform senior management and the Board of Directors when it is appropriate under the circumstances. We, like any company, have experienced cybersecurity incidents in the past. However, as of the date of this Annual Report on Form 10-K, we have not experienced any cybersecurity incidents which have been determined to be material. For additional information regarding whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our company, including our business, operating results and financial condition, please refer to Part I, Item 1A, Risk Factors, in this Annual Report on Form 10-K.

Company Information