BROWN & BROWN, INC. 10-K Cybersecurity GRC - 2025-02-12

Page last updated on February 13, 2025

BROWN & BROWN, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-12 17:37:07 EST.

Filings

10-K filed on 2025-02-12

BROWN & BROWN, INC. filed a 10-K at 2025-02-12 17:37:07 EST
Accession Number: 0000950170-25-019039

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity. The Company relies on our internal Technology Solutions team and third-party vendors to deliver effective and efficient services to our customers, process claims, and report information accurately and promptly to carriers. This often requires the secure handling of confidential, sensitive, proprietary, and other types of information. We actively monitor the risks associated with potential cybersecurity breaches of any of these systems. Therefore, we have made investments, and will continue to invest, in technology security initiatives, information technology policies, resources, and teammate training to mitigate the risk of unauthorized access to sensitive or personally identifiable information. The Audit Committee, composed entirely of independent directors, is responsible for organization-wide oversight regarding information security and reports to the full board of directors. All directors typically attend our committee meetings, which we believe creates transparency and a more collaborative and informed Board. The Audit Committee receives reports on at least a quarterly basis from the Company’s chief security officer on the Company’s latest information security risks and mitigation strategies. Assessing, identifying and managing cybersecurity related risks are integrated into our overall enterprise risk management (ERM) program. As part of the Company’s ERM program, the Board receives a report at least annually from the Company’s chief executive officer and chief legal officer concerning the Company’s risks, which include cybersecurity risks. The Company’s chief security officer is responsible for developing and implementing our information security program. Our chief security officer has more than 35 years of experience in technology, operations, information risk and security. Our chief security officer has deep experience developing comprehensive information security programs for large and complex organizations. He also brings extensive experience in both the military and the private sector and is a specialist in attack surface reduction, incident response and recovery, targeted threat hunting, forensics/malware analysis and threat group analysis. Our information security team deployed a structured and measured vulnerability management program that proactively identifies vulnerabilities across our platforms and processes. The program is composed of the following: Internal persistent scans and external monthly scans; - Internal persistent scans and external monthly scans; - Static and dynamic software custom code to develop scans for secure code development; - Periodic third-party executed penetration tests and risk assessments; and - A model to comply with SOC 2 Type II standards or other industry certifications at certain offices based on an office’s contractual agreements with carrier partners or other third parties. Additionally, external partners and products undergo a comprehensive security risk assessment process using our security scorecard tool, which evaluates data security risks and vulnerability maturity. Our teammates participate in an annual online security and compliance training program that includes testing. They are also subject to security awareness communications and random simulated phishing campaigns. Moreover, teammates are required to complete Health Insurance Portability and Accountability Act of 1996 (HIPAA) training every one or two years, depending on their location. In 2024, nearly all Brown & Brown teammates completed ethical conduct training, cybersecurity awareness training, the California Consumer Privacy Act (CCPA) Survey, and the Annual Certification for Insurance Licensees training, which serves as a reminder of the regulatory obligation to report certain changes to the jurisdictions where they are licensed. We have also established a structured incident response process driven by the severity and type of issue. This process, which engages our security operations center (SOC) for incident identification, our internal security team for incident analysis and assignment, our Technology Solutions team for isolation/remediation and our third-party business partner for continuity awareness and escalations. These teams operate at the direction of our Legal Department when we identify potentially impactful information security incidents, which, among other things, directs external and internal reporting, including escalation to other functional areas within the Company and the board of directors. We have adopted an in-depth defense approach that includes intrusion detection systems and intrusion prevention systems, endpoint protection, endpoint detection and response and a log management platform. Additionally, to defray the costs of any future data breach, we have a cyber liability insurance policy. We face a number of cybersecurity risks in connection with our business and have from time-to-time experienced cybersecurity incidents, such as malware infections, phishing campaigns, ransomware and vulnerability exploit attempts, which to date have not had a material impact on our business strategy, results of operations, or financial condition. For more information about the cybersecurity risks we face, see the risk factor entitled “A cybersecurity attack, or any other interruption in information technology and/or data security that may impact our operations 24 or the operations of third parties that support us, could adversely affect our business, financial condition and reputation” in Item 1A - Risk Factors.

Company Information