Page last updated on March 3, 2025
Enact Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 16:02:08 EST.
Filings
10-K filed on 2025-02-28
Enact Holdings, Inc. filed a 10-K at 2025-02-28 16:02:08 EST
Accession Number: 0001823529-25-000070
Item 1C. Cybersecurity.
Risk Assessment and Strategy

Our approach towards cybersecurity follows our enterprise risk management framework. Through this process our management identifies risks to achieving our strategy and objectives; assesses, manages, controls and monitors those risks; and communicates results, including elevation of those risks to the Risk Committee of the Board of Directors, where applicable.

We employ a multi-layered approach to data security and data privacy. This approach begins with our information security program, which leverages the National Institute of Standards and Technology Cybersecurity Framework. Our program includes policies and standards that delineate requirements for the implementation and on-going maintenance of our information systems as well as security responsibilities for all personnel. We review these policies and standards periodically and update as needed. We have processes to oversee the maintenance and enforcement of our information security policies and educate personnel on their responsibilities.

We maintain a “defense-in-depth” model, which employs multiple layers of protection for the Company. Among other things, we perform external and internal risk assessments, penetration testing, vulnerability scanning, secure code development and monthly security awareness training (including phishing awareness tests) for all personnel.

The monitoring and surveillance procedures over our key systems and IT environments are performed jointly with Genworth. Potential threats are evaluated, correlated and escalated to the extent appropriate. Incidents that are subject to escalation are initially evaluated by a team of IT security personnel led by our Chief Information Security Officer. If the incident is sufficiently severe, it will trigger our cybersecurity incident response plan, which is carried out by a cross-functional team who ultimately report findings and suggest action plans to our senior leadership team and Genworth.
In accordance with the plan, we assess, contain and eradicate the threat and notify relevant external parties. We engage with third parties to assist with the research and evaluation, if deemed necessary. We also consider cybersecurity threats with respect to third party service providers. Third parties who hold sensitive data are subject to our risk assessment process and vendor management due diligence procedures, which include an evaluation of cybersecurity risk.

Based on the information available as of the date of this Annual Report on Form 10-K, we believe that risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations or financial condition, and as of the date of this Annual Report on Form 10-K, the Company is not aware of any material risks from cybersecurity threats that are reasonably likely to do so. However, there can be no guarantee that we will not be the subject of future successful cybersecurity attacks, threats or incidents that may materially affect our business strategy, results of operations or financial condition. Additional information on cybersecurity risks we face can be found in “Item 1A Risk Factors” of this Annual Report.

Cybersecurity Governance

The Chief Information Security Officer, who is primarily responsible for our cybersecurity strategy and assessing and managing risks from cybersecurity threats, works together with our Chief Information Officer, Chief Risk Officer and compliance organization, as well as other functions, in administering our information security program in a manner that satisfies applicable legal and regulatory requirements.
The Chief Information Security Officer has over 19 years of experience in information security, technology audit, and technology operations, which includes the design, implementation, and maintenance of greenfield cybersecurity programs for regulated specialty insurance and software-as-a-service companies. The Chief Information Security Officer has a master’s degree in information technology with a specialization in cybersecurity augmented with numerous professional designations. The Chief Information Security Officer receives reports on potential cybersecurity threats from throughout the business on an ongoing basis and regularly reviews risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. Further, our team strives to stay current with respect to cybersecurity threats through training and investing in the relevant tools. Our Chief Information Security Officer, Chief Information Officer and Chief Risk Officer provide regular updates and reports to our senior leaders.

The Risk Committee of our Board of Directors, in coordination with our management risk committee, has primary responsibility for overseeing cybersecurity, information technology and information security systems, processes, policies and risk management and the effectiveness of security controls. At least quarterly, the Risk Committee meets with management and reviews reports related to the status of our information technology related risks, which include information such as the status of our environment, employee education, penetration testing, server patching, systems availability, as well as debriefs of Company cybersecurity tabletop exercises, director education sessions on a variety of topics concerning cybersecurity, and the annual assessment.
The Risk Committee also reviews the Chief Compliance Officer’s quarterly report, which includes information regarding certain data security incidents that meet the risk criteria for inclusion in the report. Management also keeps the Risk Committee apprised of changes in the threat landscape, such as new projects or strategies that may involve cybersecurity risks, evolving trends, and cyber incidents that involve our customers and suppliers.

At least annually, management presents a cybersecurity report to our full Board of Directors along with semiannual briefings. These sessions may cover, among other topics, the information security organization, material risks, technical threats, information technology security infrastructure, patching and vulnerability management, cybersecurity incidents, an annual cybersecurity tabletop exercise and incident preparedness, supplier management, security awareness training, cybersecurity personnel/staffing and a cybersecurity threat assessment.
Company Information
Name            | Enact Holdings, Inc.
CIK             | 0001823529
SIC Description | Insurance Agents, Brokers & Service
Ticker          | ACT - Nasdaq
Website         |
Category        | Large accelerated filer
Fiscal Year End | December 30