|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
Hilltop recognizes the critical importance of protecting company data and the information systems that collect, process and maintain data, and we have developed an enterprise-wide program for assessing, identifying and managing material cybersecurity risks and threats. The systems we utilize include safeguards to protect against or mitigate possible threats, as well as controls designed to ensure accountability, availability, integrity and confidentiality of the data. Security measures are implemented to guard against unauthorized access, alteration, disclosure or destruction of data and systems, including accidental loss and destruction. Our program is supported by management and the board of directors.
Organizational Model
Our Information Security Department consists of four primary functions:
Managing Material Cybersecurity Risks
As a part of our overall risk management strategy, Information Security Risk conducts risk assessments on the technology environment as well as application systems implemented to support the various business functions of Hilltop based on the Gramm-Leach-Bliley Act guidance. Risks are identified from the Enterprise Risk Management and Internal Audit assessments of IT and Information Security. Information Security then quantifies the incidents and risks that have been identified and reports to the Operations & Strategy Committee, which is comprised of executives from across the enterprise representing disciplines including compliance, regulatory, information technology, risk, finance, and operations, if they meet certain thresholds. The necessary controls are identified to address the risk and this control evaluation contributes to the assessment of the residual risk value. In 2024, additional assessments were completed utilizing the FFIEC Cybersecurity Assessment Tool and the Ransomware Self-Assessment Tool for the enterprise.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Hilltop recognizes the critical importance of protecting company data and the information systems that collect, process and maintain data, and we have developed an enterprise-wide program for assessing, identifying and managing material cybersecurity risks and threats. The systems we utilize include safeguards to protect against or mitigate possible threats, as well as controls designed to ensure accountability, availability, integrity and confidentiality of the data. Security measures are implemented to guard against unauthorized access, alteration, disclosure or destruction of data and systems, including accidental loss and destruction. Our program is supported by management and the board of directors.
Organizational Model
Our Information Security Department consists of four primary functions:
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Board of Directors Oversight
Our board of directors and the Risk Committee of the board of directors oversee an enterprise-wide approach to risk management, including cybersecurity risks, intended to support the achievement of organizational objectives, including strategic objectives, to improve long-term organizational performance and enhance stockholder value. The Risk Committee is central to the board of directors’ oversight of cybersecurity risks and bears the primary responsibility for this function. The Risk Committee is composed of board members with diverse expertise, including risk management, which assists them in overseeing cybersecurity risks. The Risk Committee receives regular reports from our Chief Information Security Officer (“CISO”) and provides updates to the full board of directors at each regular meeting of the board of directors. The Risk Committee also reviews all information security plans and policies, which are then recommended to the full board of directors for its review and approval.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Risk Committee
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Risk Committee receives regular reports from our Chief Information Security Officer (“CISO”) and provides updates to the full board of directors at each regular meeting of the board of directors. The Risk Committee also reviews all information security plans and policies, which are then recommended to the full board of directors for its review and approval.
|Cybersecurity Risk Role of Management [Text Block]
|
Management’s Role in Managing Risk
Our CISO plays a pivotal role in informing the Risk Committee on cybersecurity risks and developments. Our CISO provides comprehensive briefings to the Risk Committee on a regular basis, with a minimum frequency of four times per year. These briefings encompass a broad range of topics, including:
In addition to Risk Committee meetings, our CISO generally meets with executive management weekly to provide updates regarding current activities and areas of focus. In the event of a potential or actual cybersecurity event, the CISO immediately notifies the General Counsel, at which point the information security incident response plan is activated if warranted. The information security incident response plan provides the procedures for responding, including the personnel required to be informed and updated. The board of directors is informed promptly in the event such an incident has, or is reasonably expected to have, a material impact on operations or financial condition. We also conduct cybersecurity tabletop exercises each year to ensure our processes and procedures align with our technical controls, and to ensure that the organization is prepared for a security-related event.
Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with our CISO. With over twenty years of experience in the field of cybersecurity, our CISO brings a wealth of expertise to his role. His background includes extensive experience in all facets of information technology and information security, and he is well-recognized within the industry. His in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies.
Our CISO is responsible for our Information Security Program and our information security leaders report directly to our CISO. We also maintain a standing committee, the Information Security Governance Committee, which consists of certain members of executive management, our CISO and information security leaders. Our Information Security Governance Committee allows for direct management reporting for IT Risk management, audit/examination report(s) review, and oversight of our Information Security strategy and program, and daily Security Operations.
Monitor Cybersecurity Incidents
Our CISO is continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation and remediation of cybersecurity incidents. To assist our information security team in such knowledge acquisition, we subscribe to certain services that provide us alerts on security incidents and threats. Our CISO oversees the implementation of, and the processes for, the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. As previously noted, in the event of a cybersecurity incident, the information security incident response plan is enacted. This plan includes immediate actions to mitigate the impact of and remediate the incident.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Chief Information Security Officer (“CISO”)
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with our CISO. With over twenty years of experience in the field of cybersecurity, our CISO brings a wealth of expertise to his role. His background includes extensive experience in all facets of information technology and information security, and he is well-recognized within the industry. His in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Our CISO is continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation and remediation of cybersecurity incidents. To assist our information security team in such knowledge acquisition, we subscribe to certain services that provide us alerts on security incidents and threats. Our CISO oversees the implementation of, and the processes for, the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. As previously noted, in the event of a cybersecurity incident, the information security incident response plan is enacted. This plan includes immediate actions to mitigate the impact of and remediate the incident.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true