Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Processes for Assessing, Identifying, and Managing Material Risks from Cybersecurity Threats
The Company has developed and implemented a cybersecurity risk management program designed to protect the confidentiality, integrity, and availability of its critical systems and information. The Company's cybersecurity risk management is integrated into and embedded in its overall enterprise risk management framework, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.
The Enterprise Risk Management Committee oversees cybersecurity risks Company-wide while the Company’s Chief Technology Officer (“CTO”), a member of the Enterprise Risk Management Committee, oversees the Information Security business unit's cybersecurity management programs and activities. The Company’s cybersecurity risk management program includes the following key elements:
formal cybersecurity risk assessment designed to help identify material cybersecurity risks to the Company’s critical systems, information, services, and its broader enterprise information technology environment led by the Company's Information Security business unit and reported to its Enterprise Risk Management Committee;
a team comprised of information security, information technology, infrastructure, and compliance personnel responsible for directing the Company’s cybersecurity risk assessment and security processes and its cybersecurity incident response;
third-party cybersecurity service provider, as needed, to conduct independent review and testing of the Company's cybersecurity risks and report to the Company;
systems for protecting information technology systems and monitoring for suspicious events, such as threat protection, firewall and anti-virus software;
cybersecurity awareness and prevention training for all employees;
a Security Incident Response Plan designed to respond to cybersecurity incidents, which is regularly tested;
a Vendor Risk Management Process for vetting third party service providers with access to the Company’s information technology systems.
The Information Security business unit regularly evaluates the Company's cybersecurity risk profile and reports to the Board of Directors (the “Board”). In the event that a significant cybersecurity incident is identified, the Company engages a third-party cybersecurity incident response consultant, as needed, to provide an independent evaluation of the incident.
B. Oversight of Cybersecurity Risks Associated with Third Party Service Providers
The Company oversees and identifies material risks from cybersecurity threats related to its use of third-party service providers in accordance with its Vendor Risk Management Process. The contracts with service providers are reviewed during the onboarding process, renewal periods, and as necessary. The contracts require service providers to report cybersecurity incidents that impact the Company's data or information systems or that can otherwise disrupt its operations to the Company on a timely basis.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
The Company has developed and implemented a cybersecurity risk management program designed to protect the confidentiality, integrity, and availability of its critical systems and information. The Company's cybersecurity risk management is integrated into and embedded in its overall enterprise risk management framework, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
Board of Directors' Oversight of Risks from Cybersecurity Threats
The Company’s Board considers cybersecurity risk as critical to the enterprise. The full Board oversees the Company’s Enterprise Risk Management program which incorporates cybersecurity risks together with other top operational, reporting and compliance risks the Company manages. The full Board is kept apprised by Management of the Company’s cybersecurity risk assessment results, and an escalation process exists to inform the Board of high-severity cybersecurity incidents that may occur. In addition, the Board periodically engages independent third-party technology experts to test the Company’s information technology systems, including cybersecurity.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Company's Enterprise Risk Management Committee provides the Board with an overview of cybersecurity risks regularly. Additionally, the Company's Chief Executive Officer (“CEO”) provides the Board with an Information Security Incident Report for Board meetings, which summarizes new incidents that did not require "off-cycle" escalation to the Board, and status updates on previously reported high severity incidents, as well as a cybersecurity incident analysis report issued by a third-party cybersecurity service provider.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
The five management personnel above also serve in the Company's Enterprise Risk Management Committee and are informed about and discuss updates to the cybersecurity risk management programs and cybersecurity incidents, including any prevention and detection measures as well as mitigation and remediation measures for any reported cybersecurity incidents. The Enterprise Risk Management Committee oversees the Company's overall risk management processes that include oversight of material risks from cybersecurity threats. The CEO and CFO are also members of the Company's Disclosure Committee. The CTO and Head of Information Security participate in Disclosure Committee meetings, as needed, to facilitate discussion and provide information on cybersecurity incidents reported. The CEO, CTO and Head of Information Security provide the Board with information and updates on cybersecurity risks and incidents as in-house technology and cybersecurity experts during Board meetings or as needed.
Depending on the nature and severity of the reported cybersecurity incidents, the Enterprise Risk Management Committee may recommend activation of the Crisis Management Plan under the Company's Business Continuity Management Program. The Disclosure Committee is informed by the CEO of significant cybersecurity incidents for purposes of determining materiality.
Cybersecurity Risk Role of Management [Text Block]
The Company's Information Security business unit primarily manages the day-to-day operations of monitoring cybersecurity risks to the Company's information systems, takes prevention, detection, and remediation measures for cybersecurity incidents, makes initial assessment of reported cybersecurity incidents, and reports such incidents to the Company's CEO, Chief Operating Officer (“COO”), CTO, Board and Enterprise Risk Management Committee as well as certain regulatory bodies, as needed. The following five management personnel are primarily responsible for assessing and managing the Company's material risks from cybersecurity threats:
Gabriel Tirador, Chief Executive Officer: The Company’s CEO, along with its COO, oversees the Technology team who monitors the Company’s information technology systems for suspicious events. The Company’s CEO reports to the Board regarding cybersecurity incidents and issues. The Company’s CEO, COO and CTO oversee the use of third-party cybersecurity consultants by the Information Security business unit to engage in periodic evaluations. Mr. Tirador has over 30 years' experience in the property and casualty insurance industry and in the Company and is an inactive Certified Public Accountant. As CEO of the Company, he has overseen its Technology business unit for over 20 years, among other business units.
Victor Joseph, President and Chief Operating Officer: The Company’s President and COO oversees the technology team who monitors the Company’s information technology systems for suspicious events. Mr. Joseph has overseen the technology team since 2022. Mr. Joseph has been employed by the Company in various capacities since 2009, and was appointed Executive Vice President and COO in January 2022 and President and COO in January 2024.
Theodore R. Stalick, Senior Vice President and Chief Financial Officer: The Company’s CFO oversees its enterprise risk management program which, among others, includes oversight of cybersecurity risk management and serves as Chairperson of the Company's Enterprise Risk Management Committee. Mr. Stalick has been the Company's CFO since 2001. Mr. Stalick is a Certified Public Accountant and has a Bachelor’s Degree in Business Administration, Accounting and Finance concentration, and an MBA, Business Analytics concentration.
Wilson Pang, Vice President and Chief Technology Officer: The Company’s CTO regularly provides the Board with updates on cybersecurity risk management or significant reported cybersecurity incidents. The Company’s CTO works with the Company’s CEO, COO and Head of Information Security to determine the severity of cybersecurity incidents. The Company’s CTO also works with its Head of Information Security to direct action in the event of a severe cybersecurity incident. Mr. Pang has over 20 years’ experience in the technology industry. He has served in Chief Technology Officer and Chief Data Officer roles in several public companies and has deep expertise in technology, data, and artificial intelligence. He has a Master’s and a Bachelor’s Degree in electrical engineering.
Dustin Howard, Head of Information Security: The Company’s Head of Information Security supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external cybersecurity service providers; and alerts and reports produced by security tools deployed in the information technology environment. The Company’s Head of Information Security also oversees the creation of remediation action plans with the affected business units. Mr. Howard has over 30 years’ experience managing various aspects of information technology, and has extensive expertise in information security, compliance, and information technology infrastructure and service delivery. He has served in Head of Information Security, Chief Information Officer and Vice President roles in several public companies and has maintained Certified Information Systems Security Professional (“CISSP”) certification since 2001. He has a Bachelor’s Degree in Business Administration and a Master’s Degree in Information Systems.
The five management personnel above also serve in the Company's Enterprise Risk Management Committee and are informed about and discuss updates to the cybersecurity risk management programs and cybersecurity incidents, including any prevention and detection measures as well as mitigation and remediation measures for any reported cybersecurity incidents. The Enterprise Risk Management Committee oversees the Company's overall risk management processes that include oversight of material risks from cybersecurity threats. The CEO and CFO are also members of the Company's Disclosure Committee. The CTO and Head of Information Security participate in Disclosure Committee meetings, as needed, to facilitate discussion and provide information on cybersecurity incidents reported. The CEO, CTO and Head of Information Security provide the Board with information and updates on cybersecurity risks and incidents as in-house technology and cybersecurity experts during Board meetings or as needed.
Depending on the nature and severity of the reported cybersecurity incidents, the Enterprise Risk Management Committee may recommend activation of the Crisis Management Plan under the Company's Business Continuity Management Program. The Disclosure Committee is informed by the CEO of significant cybersecurity incidents for purposes of determining materiality.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
The Company's Information Security business unit primarily manages the day-to-day operations of monitoring cybersecurity risks to the Company's information systems, takes prevention, detection, and remediation measures for cybersecurity incidents, makes initial assessment of reported cybersecurity incidents, and reports such incidents to the Company's CEO, Chief Operating Officer (“COO”), CTO, Board and Enterprise Risk Management Committee as well as certain regulatory bodies, as needed. The following five management personnel are primarily responsible for assessing and managing the Company's material risks from cybersecurity threats:
Gabriel Tirador, Chief Executive Officer: The Company’s CEO, along with its COO, oversees the Technology team who monitors the Company’s information technology systems for suspicious events. The Company’s CEO reports to the Board regarding cybersecurity incidents and issues. The Company’s CEO, COO and CTO oversee the use of third-party cybersecurity consultants by the Information Security business unit to engage in periodic evaluations. Mr. Tirador has over 30 years' experience in the property and casualty insurance industry and in the Company and is an inactive Certified Public Accountant. As CEO of the Company, he has overseen its Technology business unit for over 20 years, among other business units.
Victor Joseph, President and Chief Operating Officer: The Company’s President and COO oversees the technology team who monitors the Company’s information technology systems for suspicious events. Mr. Joseph has overseen the technology team since 2022. Mr. Joseph has been employed by the Company in various capacities since 2009, and was appointed Executive Vice President and COO in January 2022 and President and COO in January 2024.
Theodore R. Stalick, Senior Vice President and Chief Financial Officer: The Company’s CFO oversees its enterprise risk management program which, among others, includes oversight of cybersecurity risk management and serves as Chairperson of the Company's Enterprise Risk Management Committee. Mr. Stalick has been the Company's CFO since 2001. Mr. Stalick is a Certified Public Accountant and has a Bachelor’s Degree in Business Administration, Accounting and Finance concentration, and an MBA, Business Analytics concentration.
Wilson Pang, Vice President and Chief Technology Officer: The Company’s CTO regularly provides the Board with updates on cybersecurity risk management or significant reported cybersecurity incidents. The Company’s CTO works with the Company’s CEO, COO and Head of Information Security to determine the severity of cybersecurity incidents. The Company’s CTO also works with its Head of Information Security to direct action in the event of a severe cybersecurity incident. Mr. Pang has over 20 years’ experience in the technology industry. He has served in Chief Technology Officer and Chief Data Officer roles in several public companies and has deep expertise in technology, data, and artificial intelligence. He has a Master’s and a Bachelor’s Degree in electrical engineering.
Dustin Howard, Head of Information Security: The Company’s Head of Information Security supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external cybersecurity service providers; and alerts and reports produced by security tools deployed in the information technology environment. The Company’s Head of Information Security also oversees the creation of remediation action plans with the affected business units. Mr. Howard has over 30 years’ experience managing various aspects of information technology, and has extensive expertise in information security, compliance, and information technology infrastructure and service delivery. He has served in Head of Information Security, Chief Information Officer and Vice President roles in several public companies and has maintained Certified Information Systems Security Professional (“CISSP”) certification since 2001. He has a Bachelor’s Degree in Business Administration and a Master’s Degree in Information Systems.
The five management personnel above also serve in the Company's Enterprise Risk Management Committee and are informed about and discuss updates to the cybersecurity risk management programs and cybersecurity incidents, including any prevention and detection measures as well as mitigation and remediation measures for any reported cybersecurity incidents. The Enterprise Risk Management Committee oversees the Company's overall risk management processes that include oversight of material risks from cybersecurity threats. The CEO and CFO are also members of the Company's Disclosure Committee. The CTO and Head of Information Security participate in Disclosure Committee meetings, as needed, to facilitate discussion and provide information on cybersecurity incidents reported. The CEO, CTO and Head of Information Security provide the Board with information and updates on cybersecurity risks and incidents as in-house technology and cybersecurity experts during Board meetings or as needed.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
Mr. Tirador has over 30 years' experience in the property and casualty insurance industry and in the Company and is an inactive Certified Public Accountant. As CEO of the Company, he has overseen its Technology business unit for over 20 years, among other business units.
Mr. Joseph has overseen the technology team since 2022. Mr. Joseph has been employed by the Company in various capacities since 2009, and was appointed Executive Vice President and COO in January 2022 and President and COO in January 2024.
Mr. Stalick has been the Company's CFO since 2001. Mr. Stalick is a Certified Public Accountant and has a Bachelor’s Degree in Business Administration, Accounting and Finance concentration, and an MBA, Business Analytics concentration.
Mr. Pang has over 20 years’ experience in the technology industry. He has served in Chief Technology Officer and Chief Data Officer roles in several public companies and has deep expertise in technology, data, and artificial intelligence. He has a Master’s and a Bachelor’s Degree in electrical engineering.
Mr. Howard has over 30 years’ experience managing various aspects of information technology, and has extensive expertise in information security, compliance, and information technology infrastructure and service delivery. He has served in Head of Information Security, Chief Information Officer and Vice President roles in several public companies and has maintained Certified Information Systems Security Professional (“CISSP”) certification since 2001. He has a Bachelor’s Degree in Business Administration and a Master’s Degree in Information Systems.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Additionally, the Company's Chief Executive Officer (“CEO”) provides the Board with an Information Security Incident Report for Board meetings, which summarizes new incidents that did not require "off-cycle" escalation to the Board, and status updates on previously reported high severity incidents, as well as a cybersecurity incident analysis report issued by a third-party cybersecurity service provider.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true