Page last updated on March 3, 2025
UNIVERSAL INSURANCE HOLDINGS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 16:15:13 EST.
Filings
10-K filed on 2025-02-28
UNIVERSAL INSURANCE HOLDINGS, INC. filed a 10-K at 2025-02-28 16:15:13 EST
Accession Number: 0000891166-25-000025
Item 1C. Cybersecurity.
The Company understands the critical importance of developing, implementing, and maintaining robust cybersecurity measures to protect our information systems and ensure the confidentiality, integrity, and availability of our data that is created, collected, stored, and used to operate our business.

The Company assesses cybersecurity risks, along with other key risks, through its comprehensive Enterprise Risk Management (“ERM”) framework. This framework mandates the compilation of a quarterly risk packet, which includes the results of KPIs for the designated risks and determinations as to where the results fell within the predefined tolerance threshold. All key risks are identified at the company level, which is governed by the Risk Committee of the Board and encompasses the broad spectrum of risks, including cybersecurity risks and threats, which are integral to the Company’s strategic objectives.

Cybersecurity risks and threats are managed by a dedicated team within the Information Technology (“IT”) Department, as well as a Security Operations Center (“SOC”) managed by a third-party provider, under the leadership of the Chief Information Officer (“CIO”). This team collaborates with various departments across the Company, including legal, compliance, and human resources, to ensure a comprehensive approach to cybersecurity.

The Risk Committee is tasked with developing and overseeing risk management processes and systems of internal controls. These are intended to ensure that management and the Company’s Board of Directors have identified and evaluated key enterprise risks and implemented mitigating controls. This includes the group’s Incident Management and Information Security Plan, which assesses, identifies, and manages cybersecurity risks. The Committee reports to and receives direction from the Board as part of its oversight function.

Risk Management and Strategy

The Company’s process for assessing, identifying, evaluating and managing cybersecurity risks as part of its broader ERM program includes:

- Risk Identification and Prioritization: The Company employs various methods to assess and identify cybersecurity risks, which methods may, from time to time, include tabletop exercises to test our preparedness and incident response process, business unit assessments, control gap analyses, threat modeling, impact analyses, internal audits, external audits, penetration tests, and engaging third parties to conduct analyses of our information security program. This process includes evaluating the likelihood and impact of potential cybersecurity incidents. The company engages third parties in connection with risk management processes.
- Continuous Risk Monitoring: The Company actively monitors cybersecurity risks including third-party risk from vendors and suppliers. Significant fluctuations in the prevalence or impact of such risks are reported to the Risk Committee on a quarterly basis.
- Mitigation Strategies: While continuous backups to a warm failover site are performed, the Company’s Incident Management and Information Security Plan is designed to identify and respond to security incidents and threats in a timely manner to minimize the loss or compromise of information assets and to facilitate incident resolution. In general, our incident response process follows the framework established by the National Institute of Standards and Technology (“NIST”) and focuses on four phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident remediation. We also conduct mandatory annual cybersecurity training for all employees.

Cybersecurity Risks and Business Impact

To date, the Company has not been subject to cyberattacks that, individually or in the aggregate, have been material to our operations or financial condition.
We do not believe that risks from cybersecurity threats are reasonably likely to materially affect our strategy, results of operations or financial condition over the long term. See the discussion of cybersecurity risk in Item 1A, “Risk Factors.”

Governance

Role of the Board and Management in Cybersecurity Risk Oversight

The Board’s Risk Committee provides oversight of cybersecurity and privacy risks, including overseeing management’s efforts to monitor and mitigate those risks and reviewing with management any significant privacy and cybersecurity incidents and the effectiveness of the Incident Management and Information Security Plan. The CIO and IT Management inform key management personnel on relevant cybersecurity issues, which can span a wide range of topics, including but not limited to recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, and the current threat environment.

IT Department

The Company has appointed our CIO to establish, implement, and carry out our cybersecurity risk management policies and processes, including the Incident Management and Information Security Plan, and to facilitate the communication of such matters to the Risk Committee and the Board. Our CIO and other IT senior members of management responsible for our cybersecurity program have extensive experience assessing and managing cybersecurity risks. Our CIO and Security Team have over 30 years of experience in information technology and cybersecurity positions.

Internal Audit

Periodic audits are performed by our Internal Audit team as part of the Company’s compliance with the Incident Management and Information Security Plan and the overall ERM framework.

Chief Risk Officer

The ERM structure is further bolstered by the support of a dedicated Chief Risk Officer, who provides specialized expertise and oversight in the broader domain of risk management.

Company Information
Name | UNIVERSAL INSURANCE HOLDINGS, INC. |
CIK | 0000891166 |
SIC Description | Fire, Marine & Casualty Insurance |
Ticker | UVE - NYSE |
Website | |
Category | Accelerated filer |
Fiscal Year End | December 30 |