|
Cybersecurity Risk Management, Strategy and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Abstract]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Item 1C. Cybersecurity
We recognize the critical importance of maintaining the safety and security of our systems and data and take a holistic approach to overseeing and managing cybersecurity, which is supported by both management and our Board of Directors. The Company’s Board, the Audit Committee of the Board and management devote significant resources to cybersecurity and risk management processes to adapt to the changing cybersecurity landscape and respond to emerging threats in a timely and effective manner. Our approach to cybersecurity risk management is multi-layered and includes governance and risk, monitoring and incident response, data security, application security, endpoint security, network security and perimeter security.
The Company’s Board of Directors has delegated the primary responsibility to oversee cybersecurity matters to the Audit Committee of the Board. The Audit Committee receives quarterly reports from our Chief Information Security Officer (“CISO”) regarding cybersecurity matters. The CISO also briefs the full Board of Directors on cybersecurity matters semi-annually.
The Company maintains an extensive and structured enterprise risk management (“ERM”) program encompassing senior executive leaders from all facets of its business, including operations, human resources, finance, accounting, treasury, information security, information technology, legal/regulatory, internal audit, compliance, underwriting, and real estate. As part of our ERM program, the Company maintains an Information Security Oversight Committee (“ISO Committee”) that oversees the Company’s cybersecurity program from a management perspective.
The ISO Committee meets quarterly and is comprised of the Company’s Chief Executive Officer, Chief Financial Officer and Chief Legal Officer, whose relevant expertise and experience can be found in the Company’s Proxy Statement on Schedule 14A filed on April 1, 2024.
The ISO Committee also includes the Co-Presidents of First American Title Insurance Company, the Vice-Chairman of our data and analytics business and the President of our international division, who bring deep operational experience specific to our businesses; the Chief Intellectual Property and Privacy Officer, who is responsible for protecting and advising on innovation, data privacy and intellectual property; and is chaired by the Company’s Chief Risk Officer, who has over 25 years of experience in risk management. The Company’s CISO and Chief Technology Officer (“CTO”) are participants on the ISO Committee.
The Company’s CISO is primarily responsible for assessing and managing cybersecurity risks and threats and is responsible for developing and implementing our information security program, working closely with the ISO Committee. The CISO manages a team of cybersecurity professionals with broad experience and expertise, including in cybersecurity governance, cybersecurity threat assessments and detection, mitigation technologies, cybersecurity training, incident response, cyber forensics, insider threats and regulatory compliance. Our CISO has been with the Company for 14 years in various information security leadership roles and has over 20 years of experience in the cybersecurity field. The CISO provides regular reports to the ISO Committee that are shared with the Company’s Board of Directors.
The Company’s CTO is responsible for overseeing the Company’s overall technology strategy, including integrating security considerations into all aspects of our technology development. Our CTO has over 20 years of experience in technology management roles.
As part of our risk management process, the Company maintains an overall risk management program that encompasses cybersecurity, conducts security audits, annual System and Organization Controls (“SOC 2”) testing, and ongoing risk assessments using a company-wide risk framework. We also require employees with access to information systems to undertake data protection and cybersecurity training. The Company has processes in place for assessing, identifying, and managing material risks from potential cybersecurity incidents, including vulnerability identification, intrusion prevention, encryption, endpoint protection, behavior analysis, mitigation and the processes and protocols set forth in the Company’s incident response plans. Certain of our subsidiaries manage their own cybersecurity functions and coordinate with the Company’s CISO. The Company also employs systems and processes designed to oversee and identify cybersecurity threats associated with third-party vendors, including a risk assessment and rigorous evaluation of each vendor that may access, process or store highly sensitive or proprietary data or that is systematically integrated with the Company’s systems or network. In addition to our in-house cybersecurity capabilities, we engage assessors, consultants, auditors, and other third parties to assist with assessing, identifying, mitigating and managing cybersecurity risks, including the maintenance of a Security Operations Center that is co-managed between the Company and a managed security service provider (“MSSP”), which continuously reviews the Company’s network using threat intelligence from a variety of sources and reports potential incidents from users.
While the Company has experienced cybersecurity threats to its data and systems, such threats have not materially affected the Company, including our business strategy, results of operations or financial condition, with the exception of an incident in the fourth quarter of 2023, as disclosed in a Current Report filed by the Company on Form 8-K on December 22, 2023, as amended on December 29, 2023 and January 12, 2024 and followed by a Current Report on Form 8-K on May 28, 2024. On June 21, 2024, the Company received a complaint, on a class action basis, relating to the incident in the fourth quarter of 2023. For additional information on cybersecurity risks we face, see Item 1A. Risk Factors of this Annual Report, which should be read in conjunction with the foregoing information.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|process or store highly sensitive or proprietary data or that is systematically integrated with the Company’s systems or network
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
The Company’s Board of Directors has delegated the primary responsibility to oversee cybersecurity matters to the Audit Committee of the Board. The Audit Committee receives quarterly reports from our Chief Information Security Officer (“CISO”) regarding cybersecurity matters. The CISO also briefs the full Board of Directors on cybersecurity matters semi-annually.
The Company maintains an extensive and structured enterprise risk management (“ERM”) program encompassing senior executive leaders from all facets of its business, including operations, human resources, finance, accounting, treasury, information security, information technology, legal/regulatory, internal audit, compliance, underwriting, and real estate. As part of our ERM program, the Company maintains an Information Security Oversight Committee (“ISO Committee”) that oversees the Company’s cybersecurity program from a management perspective.
The ISO Committee meets quarterly and is comprised of the Company’s Chief Executive Officer, Chief Financial Officer and Chief Legal Officer, whose relevant expertise and experience can be found in the Company’s Proxy Statement on Schedule 14A filed on April 1, 2024.
The ISO Committee also includes the Co-Presidents of First American Title Insurance Company, the Vice-Chairman of our data and analytics business and the President of our international division, who bring deep operational experience specific to our businesses; the Chief Intellectual Property and Privacy Officer, who is responsible for protecting and advising on innovation, data privacy and intellectual property; and is chaired by the Company’s Chief Risk Officer, who has over 25 years of experience in risk management. The Company’s CISO and Chief Technology Officer (“CTO”) are participants on the ISO Committee.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Audit Committee receives quarterly reports from our Chief Information Security Officer (“CISO”) regarding cybersecurity matters.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Company’s Board of Directors has delegated the primary responsibility to oversee cybersecurity matters to the Audit Committee of the Board.
|Cybersecurity Risk Role of Management [Text Block]
|
As part of our risk management process, the Company maintains an overall risk management program that encompasses cybersecurity, conducts security audits, annual System and Organization Controls (“SOC 2”) testing, and ongoing risk assessments using a company-wide risk framework. We also require employees with access to information systems to undertake data protection and cybersecurity training. The Company has processes in place for assessing, identifying, and managing material risks from potential cybersecurity incidents, including vulnerability identification, intrusion prevention, encryption, endpoint protection, behavior analysis, mitigation and the processes and protocols set forth in the Company’s incident response plans. Certain of our subsidiaries manage their own cybersecurity functions and coordinate with the Company’s CISO. The Company also employs systems and processes designed to oversee and identify cybersecurity threats associated with third-party vendors, including a risk assessment and rigorous evaluation of each vendor that may access, process or store highly sensitive or proprietary data or that is systematically integrated with the Company’s systems or network. In addition to our in-house cybersecurity capabilities, we engage assessors, consultants, auditors, and other third parties to assist with assessing, identifying, mitigating and managing cybersecurity risks, including the maintenance of a Security Operations Center that is co-managed between the Company and a managed security service provider (“MSSP”), which continuously reviews the Company’s network using threat intelligence from a variety of sources and reports potential incidents from users.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Company’s CISO is primarily responsible for assessing and managing cybersecurity risks and threats and is responsible for developing and implementing our information security program, working closely with the ISO Committee. The CISO manages a team of cybersecurity professionals with broad experience and expertise, including in cybersecurity governance, cybersecurity threat assessments and detection, mitigation technologies, cybersecurity training, incident response, cyber forensics, insider threats and regulatory compliance.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CISO has been with the Company for 14 years in various information security leadership roles and has over 20 years of experience in the cybersecurity field. The CISO provides regular reports to the ISO Committee that are shared with the Company’s Board of Directors.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The CISO also briefs the full Board of Directors on cybersecurity matters semi-annually.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true