|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
The Company has processes in place designed to protect its information systems and to assess, identify and manage material risks from cybersecurity threats. Accordingly, the Company has designed and implemented an Information Security Program, designed to protect the confidentiality, integrity, and availability of its information systems and data (including nonpublic information in its possession, custody, or control), as well as to comply with privacy and Information Security Program requirements for insurers as set forth in applicable state laws and regulations. As part of the Information Security Program, the Company has implemented an information security and privacy training and awareness program for Root employees, which includes new-hire training, ongoing periodic training and regular phishing simulation and exercises. In addition, the Company has engaged third parties in connection with these processes.
The Company has engaged third parties to perform information security risk assessments and testing on a periodic basis. It also has engaged third parties to provide a variety of services, including providing hosted security products as well as services to support security incident detection and response activities. In order to identify and manage risk from third parties, the Company has implemented a third-party cybersecurity risk management program involving the assessment of information security risk related to the third party, with consideration given to the inherent risk level, the adequacy of the third party’s control environment to mitigate those risks, and areas of residual risk. The breadth and depth of the assessment activities are designed to be commensurate with the nature and scope of the services provided by the third party.
The oversight of the Company’s cybersecurity risk management processes is integrated into the Company’s enterprise risk management process. Our board of directors oversees an enterprise-wide approach to risk management, designed to support the achievement of organizational objectives, to improve long-term organizational performance and to enhance stockholder value. A fundamental part of risk management is not only understanding the most significant risks a company faces and what steps management is taking to manage those risks, but also understanding what level of risk is appropriate for a given company. The involvement of our full board of directors in reviewing our business is an integral aspect of its assessment of management’s tolerance for risk and also its determination of what constitutes an appropriate level of risk. In connection with its reviews of the operations of our business, the board of directors addresses the primary risks associated with our business including cybersecurity. In particular, our board of directors is committed to the prevention, timely detection and mitigation of the effects of cybersecurity threats or incidents.
We have experienced cybersecurity threats to our information technology infrastructure and have experienced cybersecurity incidents that have resulted in threat actors obtaining customer personal information, attempts to breach our systems, fraudulent activity and other incidents. As of the filing of this Annual Report on Form 10-K, we are not aware of any such incidents that have occurred since the beginning of 2024 that have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, results of operations or financial condition. However, future threats could materially affect our business strategy, results of operations or financial condition. Risks related to cybersecurity events are detailed in the section of this Annual Report on Form 10-K titled “Risk Factors—Risks Related to Our Business—Cybersecurity incidents, or real or perceived errors, failures or bugs in our or our vendors’ systems, or our website or app could impair our operations, compromise our confidential information or our customers’ personal information, damage our reputation and brand, and harm our business, financial condition, operating results and prospects.”
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|The Company has processes in place designed to protect its information systems and to assess, identify and manage material risks from cybersecurity threats. Accordingly, the Company has designed and implemented an Information Security Program, designed to protect the confidentiality, integrity, and availability of its information systems and data (including nonpublic information in its possession, custody, or control), as well as to comply with privacy and Information Security Program requirements for insurers as set forth in applicable state laws and regulations. As part of the Information Security Program, the Company has implemented an information security and privacy training and awareness program for Root employees, which includes new-hire training, ongoing periodic training and regular phishing simulation and exercises.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|true
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
While our full board of directors has overall responsibility for risk oversight, it has delegated oversight of certain risks to its committees, including the oversight of risks from cybersecurity threats. The board of directors delegated the oversight of cybersecurity risks to the Audit, Risk and Finance Committee, which oversees controls for the Company’s major financial and security risk exposures. The board of directors, through the Audit, Risk and Finance Committee, oversees the design and implementation of the Information Security Program. The board of directors and the Audit, Risk and Finance Committee are informed about these risks through regular reports from the Chief Information Security Officer, or CISO, about the Information Security Program.
Additionally, the board of directors is informed of material information security incidents, as needed, by the Computer Security Incident Response Team, which is led by the Company’s General Counsel.
The Company’s CISO is responsible for assessing and managing risks from cybersecurity threats. The Company’s CISO also leads the Information Security group and is responsible for the day-to-day management of the Information Security Program. Katelynn Sandy is the Company’s CISO and reports directly to the Company’s President and Chief Technology Officer. Ms. Sandy has an extensive background in cybersecurity, technology, and risk management across a variety of industries, including financial services, healthcare, and technology. Additionally, Ms. Sandy holds various information security certifications.
The Information Security group, senior leadership and the CISO are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents through the Information Security Program. At least quarterly, the CISO provides updates to the Audit, Risk and Finance Committee, which includes updates on the overall Information Security Program status and compliance, cybersecurity related risks, and recommended changes to the Information Security Program. Senior members of our Information Security and Internal Audit functions also provide detailed, regular reports on information security and privacy to the Audit, Risk and Finance Committee.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|While our full board of directors has overall responsibility for risk oversight, it has delegated oversight of certain risks to its committees, including the oversight of risks from cybersecurity threats.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The board of directors delegated the oversight of cybersecurity risks to the Audit, Risk and Finance Committee, which oversees controls for the Company’s major financial and security risk exposures.
|Cybersecurity Risk Role of Management [Text Block]
|The board of directors and the Audit, Risk and Finance Committee are informed about these risks through regular reports from the Chief Information Security Officer, or CISO, about the Information Security Program.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The board of directors, through the Audit, Risk and Finance Committee, oversees the design and implementation of the Information Security Program. The board of directors and the Audit, Risk and Finance Committee are informed about these risks through regular reports from the Chief Information Security Officer, or CISO, about the Information Security Program.
Additionally, the board of directors is informed of material information security incidents, as needed, by the Computer Security Incident Response Team, which is led by the Company’s General Counsel.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Ms. Sandy has an extensive background in cybersecurity, technology, and risk management across a variety of industries, including financial services, healthcare, and technology. Additionally, Ms. Sandy holds various information security certifications.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
The Company’s CISO is responsible for assessing and managing risks from cybersecurity threats. The Company’s CISO also leads the Information Security group and is responsible for the day-to-day management of the Information Security Program. Katelynn Sandy is the Company’s CISO and reports directly to the Company’s President and Chief Technology Officer. Ms. Sandy has an extensive background in cybersecurity, technology, and risk management across a variety of industries, including financial services, healthcare, and technology. Additionally, Ms. Sandy holds various information security certifications.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true