Page last updated on February 27, 2025
Bowhead Specialty Holdings Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 17:14:15 EST.
Filings
10-K filed on 2025-02-27
Bowhead Specialty Holdings Inc. filed a 10-K at 2025-02-27 17:14:15 EST
Accession Number: 0002002473-25-000008
Item 1C. Cybersecurity.
Risk Management and Strategy

The Company employs a comprehensive, cross-departmental approach designed to continuously identify, assess, and mitigate potential cybersecurity risks. Our cybersecurity risk management program involves collaboration between our employees, the Information Technology (“IT”) team, and the Information Security (“InfoSec”) team, which is led by our Chief Information Security Officer (“CISO”). The Company’s cybersecurity policies, standards, and processes are integrated into the Company’s overall risk management program, and we regularly consider cybersecurity risks in the context of material risks to the Company.

Our cybersecurity risk management program categorizes cybersecurity risks into five distinct areas: identify, protect, detect, respond, and recover, as defined by the National Institute of Standards and Technology Cybersecurity Framework. We regularly assess the evolving cybersecurity threat landscape, employing a layered cybersecurity strategy that emphasizes prevention, detection, and mitigation through a variety of technical and operational measures. As part of our cybersecurity risk management program, our information security program is tailored to address identified risks, while aligning with pertinent business requirements.

Cybersecurity is a shared responsibility across the Company, and all our employees are subject to periodic email phishing simulation campaigns and mandatory quarterly cybersecurity training to enhance awareness and readiness against potential common cyber threats. Certain roles require additional role-based, specialized cybersecurity training, such as tabletop exercises to ensure proactive preparation and effective coordination in the event of a security incident.
We conduct tabletop exercises annually or as needed to review our incident response plan, as well as to identify and prioritize opportunities for improvement within our cybersecurity program and associated security controls.

To help protect our data and information systems, we maintain Company-wide cybersecurity policies and procedures regarding encryption standards, antivirus protection, remote access, multifactor authentication, confidential information, and internet, social media, email, and wireless device usage. Our IT and InfoSec teams review and update such policies and procedures to adapt to the evolving cybersecurity threat landscape, industry best practices, and regulatory updates. Our CISO conducts thorough reviews of these updates on an annual basis or as needed to help ensure their continued relevance and effectiveness in safeguarding the Company’s assets and business interests.

We continually seek to update our cybersecurity posture, encompassing end-user awareness training, layered defenses, critical asset identification and protection, enhanced monitoring and alerting. We engage with third-party experts to evaluate the efficacy of our security measures which includes network penetration testing. We also regularly evaluate cybersecurity risks associated with our use of third-party service providers, conducting an annual review of hosted applications and assessing their cybersecurity readiness. In addition, we annually obtain Service Organization Control (“SOC”) reports on the suitability and operating effectiveness of the service providers’ controls, known as a SOC 1 Type 2 Report. The report is prepared by an independent service auditor. We review such reports to confirm the existence of effective security controls over unauthorized access at third party service providers.
To date, there have been no cybersecurity events in the past that have materially affected, or are reasonably likely to materially affect, the Company’s business strategy, results of operations, or financial condition. Although we believe our defenses against cyber-intrusions are sufficient, we continue to update our prevention programs to help respond to sophisticated and rapidly evolving threats that may try to circumvent our security measures.

Governance

Our Board, with the assistance of our Audit Committee, oversees our cybersecurity efforts performed by senior management, which is responsible for the identification and assessment of material risks from cybersecurity incidents. In particular, our CISO is responsible for leading the management and assessment of material cybersecurity threats, and works closely with our head of IT, head of IT Operations and General Counsel. Our CISO has over 20 years of industry experience, including serving in similar roles leading and overseeing cybersecurity programs at other public companies and managing information systems and protecting computer networks against cyber intrusions. Also, our IT Operations team meets regularly with the InfoSec and the head of Internal Audit. Our Board and our Audit Committee receive reports on the Company’s cyber security program, including an assessment of that our cybersecurity risk management program, annually or as needed. In addition, the Board and Audit Committee receive reports on the cybersecurity program, including any material cybersecurity risks, periodically or as needed.
Company Information
Name | Bowhead Specialty Holdings Inc. |
CIK | 0002002473 |
SIC Description | Fire, Marine & Casualty Insurance |
Ticker | BOW - NYSE |
Category | Emerging growth company |
Fiscal Year End | December 30 |