Page last updated on February 27, 2025
Hamilton Insurance Group, Ltd. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 16:23:46 EST.
Filings
10-K filed on 2025-02-27
Hamilton Insurance Group, Ltd. filed a 10-K at 2025-02-27 16:23:46 EST
Accession Number: 0001593275-25-000023
Item 1C. Cybersecurity.
Managing risk related to cybersecurity is a top priority for Hamilton, and we concentrate on assessing, identifying, and managing material risks associated with “cybersecurity threats,” as such term is defined in Item 106(a) of Regulation S-K. Both our management and Board of Directors recognize the importance of developing, implementing and maintaining appropriate cybersecurity measures and, as described below, are actively involved in cybersecurity and overall enterprise risk management.
Cybersecurity Risk Management and Strategy
We maintain a cybersecurity risk management program that is an important part of, and integrated into, our enterprise risk management function. The program is designed to assess, identify, manage and protect our information systems and data from unauthorized access, use, disclosure, disruption, modification or destruction. Identifying, assessing, and managing cybersecurity risk shares common methodologies, reporting channels and governance processes that apply across our risk management process, including other legal, compliance, strategic, operational and financial risk areas.
We have implemented and maintain several safeguards and processes designed to identify cybersecurity risks and protect our information systems from cybersecurity threats. For example, we have implemented internal IT general controls such as data encryption, monitoring, data storage, identity / authentication controls and anti-malware and anti-virus solutions. We also routinely conduct internal IT audits around our cybersecurity posture as well as scenario-based cybersecurity risk assessments to ensure the right controls are in place to address identified risks.
To protect against, detect, and respond to cybersecurity incidents, we, among other things, require our employees to undergo annual cybersecurity awareness training, monitor emerging laws and regulations related to data protection and information security and utilize a variety of multilayered technical tools to conduct proactive privacy and cybersecurity vulnerability assessments of our systems and applications, including scanning for and resolving open tickets. Additionally, to stay current on cybersecurity matters affecting the insurance industry and the marketplace in general, our Chief Information Security Officer & Global Head of IT Operations (“CISO”) is an active member of the ISC2 organization and regularly participates in cybersecurity-focused conferences and forums, including serving on the Chief Information Security Officers Committee of Lloyd’s Market Association. Senior management, including our Chief Technology Officer & Chief Data Officer (“CTO”) and our CISO, in coordination with our legal and compliance teams, are responsible for implementing our cybersecurity risk management program, as well as being involved in all aspects of incident response and breach management processes. These processes involve six stages: 1) detection, 2) analysis, 3) containment, 4) eradication, 5) recovery, and 6) notification. Security events and data incidents are evaluated for severity and impact on our operations, business, and data, and our response is prioritized accordingly. Our security team collaborates with stakeholders across the Company and forms strategies for addressing identified issues. This involves regularly testing, as part of our business continuity and disaster recovery strategies, our ability to restore our systems if they are impacted by a cybersecurity event or incident. In addition, as part of the foregoing processes, we annually engage third-party advisors to perform penetration tests against our infrastructure. 
As part of our risk management program, we also assess third-party risks, including risks posed by vendors, suppliers, and other business partners. Cybersecurity practices and risks are evaluated when selecting third-party service providers and when negotiating contractual provisions related to security and privacy, including information security audit rights. Specifically, before engaging new critical IT vendors, we require them to complete questionnaires concerning their IT and security processes, controls, and certifications. The responses in these questionnaires are then reviewed by our CISO and assessed against a checklist of minimum requirements that must be met for Hamilton to consider the service provider to be a vendor of trust whose services may be used by our organization. Thereafter, we annually follow up with approved vendors for updated certifications.
As discussed above, we maintain an incident response plan to address cybersecurity incidents, which identifies key stakeholders, defines escalation processes and sets the thresholds above which our cybersecurity, legal and crisis management teams will inform senior management as well as our Board of Directors of a cybersecurity incident. For cybersecurity incidents below these crisis thresholds, we maintain subordinate incident response plans and standard operating procedures used by our security incident response team. Although we identify and respond to small security events and risks as a normal part of our cybersecurity risk management processes, to date, we are not aware of any direct or third-party cybersecurity incidents or otherwise identified any ongoing or previous risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect Hamilton, including its business strategy, results of operations, or financial condition.
While there have been no material cybersecurity incidents that have affected Hamilton for the period covered by this annual report, there can be no guarantee that (i) our policies and procedures will be properly followed in every instance or that those policies and procedures will be effective or (ii) that there will not be incidents in the future or that they will not materially affect us, including our strategy, results of operations, or financial condition. For a further discussion of the risks associated with cybersecurity threats see “Risk Factors - Risks Related to Our Business and Industry - We are subject to cybersecurity risks, including cyber-attacks, security breaches and other similar incidents with respect to our and our service providers’ information technology systems, which could result in regulatory scrutiny, legal liability or reputational harm, and we may incur increasing costs to minimize those risks” and “Risk Factors - Risks Related to Regulation - Our business is subject to cybersecurity, privacy and data protection laws, rules and regulations in the jurisdictions in which we operate, which can increase the cost of doing business, compliance risks and potential liability.”
Cybersecurity Board Oversight and Governance
Cybersecurity is important to our Board of Directors and management. On a quarterly basis, our CISO reports on cybersecurity matters to a risk committee comprised of a cross-functional management team (“Risk Committee”). He has reported on, among other things, cybersecurity risks and incidents, a business continuity and disaster recovery exercise, completed and ongoing cyber audits, security metrics and key performance indicators, penetration testing results and remediation progress, the status of Hamilton’s data governance program, and cyber insurance coverage.
The Risk Committee escalates important issues identified in these reports to our Audit Committee, to which our full Board of Directors, while having ultimate responsibility for risk management oversight generally, has delegated primary oversight of cybersecurity risks. In addition to quarterly reports to the Risk Committee, senior management, including our CTO and CISO, are responsible for directly reporting to the Audit Committee on cybersecurity matters. This includes reporting, on a quarterly basis and as significant matters arise, about existing and new cybersecurity risks, how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any), and status on key information security initiatives. The Audit Committee convenes prior to each quarterly Board meeting to discuss cybersecurity risks and other information security matters. The Audit Committee also periodically reviews our processes and policies for managing material risks from cybersecurity threats. Any material risks, cybersecurity incidents or other matters are subsequently discussed with the full Board at the Board meeting.
The members of senior management involved in managing our material risks from cybersecurity threats have extensive cybersecurity and IT experience. For example, prior to joining Hamilton, over the past two and a half decades, our CTO has held leadership roles in the areas of software development, IT governance, IT operations, and security operations, ranging from executive director to chief technology officer. This experience spanned various companies, including an expert network/knowledge broker, an educational publishing company, a financial data vendor, a media conglomerate, and an investment bank. Among other things, he has provided leadership in building out global technology platforms, which have operated with multi-jurisdictional cybersecurity policies. He holds a Bachelor of Science degree in electronics and communications engineering, holds a Master’s degree in computer science, is a Certified Information Systems Security Professional and serves as a director on the board of ACORD, which is an organization responsible for setting digital standards for insurance and reinsurance companies globally.
Our CISO has two decades of professional experience in various senior roles, such as Linux information systems engineer, Senior Network Engineer, Director of IT, Senior Leader Infrastructure Engineering and VP/CTO, within the financial services industry. He holds a Bachelor’s degree in computer and network science and an electronics engineering degree.
Company Information
Name | Hamilton Insurance Group, Ltd. |
CIK | 0001593275 |
SIC Description | Fire, Marine & Casualty Insurance |
Ticker | HG - NYSE |
Website | |
Category | Non-accelerated filer |
Fiscal Year End | December 30 |