MGIC INVESTMENT CORP 10-K Cybersecurity GRC - 2025-02-26

Page last updated on February 27, 2025

MGIC INVESTMENT CORP reported its cybersecurity risk management and governance process in its annual 10-K, filed on 2025-02-26 at 16:49:37 EST.

Filings

10-K filed on 2025-02-26

MGIC INVESTMENT CORP filed a 10-K at 2025-02-26 16:49:37 EST
Accession Number: 0000876437-25-000036


Item 1C. Cybersecurity.

RISK MANAGEMENT AND STRATEGY

MGIC’s Information Security Program (ISP) includes information security policies, annual risk assessments and analyses, threat monitoring and alerting, vulnerability management, incident response, and data loss prevention controls. With the ISP, MGIC seeks to prevent, detect, and respond to unauthorized access, use, or disclosure of confidential information. MGIC’s Information Risk Management (IRM) team is responsible for safeguarding the organization’s information assets, data, and technology infrastructure from security threats and vulnerabilities. The IRM team’s primary focus is the protection of the confidentiality, integrity, and availability of sensitive information and compliance with relevant laws, regulations, and industry standards. The IRM team is overseen by the Company’s Chief Information Security Officer (CISO).

Our ISP is benchmarked against the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Additionally, various aspects of the ISP are subject to periodic audit by the Company’s Internal Audit department or third-party professionals engaged by the Internal Audit department. Such audits vary from year to year but are generally focused on compliance with stated control activities, standards, and internal policies, as well as maintaining the integrity and independence of the audit process. Cybersecurity risk reviews such as SOC 2, SOX controls, penetration tests, and regulatory controls are conducted by independent third parties.

The ISP also incorporates a vendor due diligence process that is designed to assess vendor control environments and evaluate risks associated with vendor access to the Company’s confidential data and systems. The process includes assessing and managing the cyber risks associated with engaging third-party vendors and reviewing their information security practices.

In the event of a suspected or threatened cybersecurity incident, the CISO determines whether to activate the Company’s Cyber Incident Response Team (“CIRT”), composed of different subject matter experts from applicable domains such as network, infrastructure, and application areas, in order to evaluate the technical issues relative to the incident. The CIRT is overseen by the CISO. If necessary, the CIRT may engage third-party cybersecurity experts to evaluate and/or remediate the incident. If and when the CIRT is activated, the CISO will inform the Company’s Chief Information Officer (CIO). In the event that the CIRT confirms that the incident relates to a cybersecurity incident or compromise of MGIC’s computer systems, the CISO will notify the General Counsel, who will advise the Chief Executive Officer (“CEO”), who is a member of the Board of Directors. In addition to advising the CEO, the General Counsel will also convene an established committee whose members include the General Counsel, Chief Financial and Risk Officer, Senior Vice President of Investor Relations, and Chief Accounting Officer in order to determine if the event is a material cybersecurity incident so as to trigger an Item 1.05 filing on Form 8-K. If a determination is made that the event is material, or if the CEO or General Counsel otherwise determines it advisable, the CEO or General Counsel, or a delegate thereof, shall notify the Chairman of the Board, Lead Independent Director, and Chairpersons of the Board’s Business Technology and Transformation Committee (the “BTTC”) and Audit Committee.

To our knowledge, during the reporting period there were no cybersecurity incidents that materially affected or are reasonably likely to materially affect our business strategies, results of operations, or financial condition.

For additional information about risks related to cybersecurity, see our risk factors titled “Information technology system failures or interruptions may materially impact our operations and/or adversely affect our financial results” and “We could be materially adversely affected by a cybersecurity breach or failure of information security controls.”

GOVERNANCE

The CISO reports to the CIO and partners with the Company’s Risk, Audit, Legal and Compliance Departments to promote alignment of cybersecurity risk management strategy with the broader risk management strategy for the organization. The integration of information security into the overall enterprise risk management framework enables collaboration on the identification, assessment, mitigation and monitoring of cybersecurity risks that have the potential to materially impact the operation of the Company.

The Risk Management Committee of the Board coordinates with the Board and other Board committees regarding the assignment to the Board and Committees of oversight responsibilities for all identified key risks to the Company. Risks related to cybersecurity are overseen by the BTTC. The BTTC monitors cybersecurity risks associated with both internal and external actors, including third-party vendors and service providers. Additional information about the BTTC’s role in overseeing risks related to cybersecurity and information technology generally can be found in the Committee’s Charter at mtg.mgic.com/corporate-governance/highlights.

The CISO provides quarterly updates about the Company’s cybersecurity program to the BTTC. Updates may include topics such as management’s efforts to identify and monitor risks, investments to improve the Company’s detection and response systems, the results of risk assessments, compliance with controls, vendor oversight, strategic technology planning, and if necessary, the status of any new, ongoing, or prior cybersecurity incident. The CISO also periodically attends the BTTC meetings; the CIO regularly attends the meetings.

MGIC Investment Corporation 2024 Form 10-K | 41
MGIC Investment Corporation and Subsidiaries

The Company’s current CISO, Jennifer Westphal, is responsible for assessing and managing the material risks posed by cybersecurity threats. Ms. Westphal has over 25 years of experience in information technology, with 18 of those years focused on cybersecurity. Ms. Westphal has been with the Company for more than ten years and was promoted to the position of CISO in January 2021. Prior to 2021, Ms. Westphal served as the Deputy CISO and before that, as the Director of Information Risk Management.

The Company’s current CIO, Robert Candelmo, has over 38 years of experience in information technology, with 20 of those years in senior leadership positions. Prior to becoming CIO in 2019, he served as the Company’s Chief Technology Officer for approximately five years. Before joining the Company, Mr. Candelmo served as Senior Vice President of Enterprise Information Services for a large banking company. Mr. Candelmo has a Bachelor of Science in Computer Science.


Company Information

Name: MGIC INVESTMENT CORP
CIK: 0000876437
SIC Description: Surety Insurance
Ticker: MTG - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30