OXBRIDGE RE HOLDINGS Ltd - (OXBR)
10-K Filing Date: March 26, 2024
Governance
Cybersecurity is an integral part of the Board’s risk analysis and discussions with management. At least annually, the full Board is updated on the Company’s cybersecurity risks and risk mitigation strategy by our Chief Information Officer (“CIO”), who is responsible for management of our Information Technology program. The Board also receives ad hoc updates, as needed, about material changes to the Company’s cybersecurity program and/or the cybersecurity landscape, including briefings on major legislative and regulatory developments.
Our CIO regularly evaluates the Company’s cybersecurity risk profile and leads the development of strategies to mitigate risks and address cybersecurity issues that may arise in consultation with members of our senior management team. Our CIO holds a Ph.D. in Information Systems from the London School of Economics and has over 20 years’ experience and certifications in the field of information technology and data security.
We have formal policies and procedures that address cybersecurity incident response and disaster recovery from interference with our critical applications. Our Cybersecurity Incident Response Standard provides a documented framework for responding to cybersecurity incidents in coordination across multiple departments. In the event of such an incident, our Cybersecurity Incident Response Team (“CIRT”), which comprises our CIO, Chief Executive Officer, Chief Financial Officer, and outside legal counsel, would respond to the incident in accordance with our Cybersecurity Incident Response Standard. Any cybersecurity incident that is designated by the CIRT with a “High” severity classification according to the Cybersecurity Incident Response Standard, or that otherwise necessitates regulatory disclosure because of its materiality, will be communicated by the CIRT to the Board within specified timeframes. All cybersecurity incidents will be evaluated by our CIRT to assess the impact of the incident on the Company, considering qualitative and quantitative factors. In conducting this assessment and responding to an incident, the CIRT may utilize the services of third-party consultants. Third-party consultants may be engaged to assist with the identification of the source of any cybersecurity incident, remediation and recovery from such incident, and the refinement of cybersecurity controls to avert similar future cybersecurity threats and incidents.
Cybersecurity user awareness training is mandatory for all new hires and for existing employees on an annual basis to help protect our employees and the Company against cybersecurity threats. Novel cybersecurity threats to the Company that are identified by our CIO are communicated to all employees by email, as needed, in an effort to promote awareness and protect the Company from cyber attacks.
Risk Management Strategy
We maintain an Enterprise Risk Management (“ERM”) program to identify and respond to the most critical risks to our business, including cybersecurity risks. Risks and vulnerabilities from our increased reliance on information technology systems are assessed at least annually by our CIO and Executive Management Team as part of our ERM program. In response to such assessments, controls are embedded into our processes and technology by our CIO and Executive Management Team to seek to mitigate risks to our systems and processes from cybersecurity incidents. We continuously evaluate whether we have adequate controls in place utilizing a risk-based approach that tailors and applies best practice from various industry standard IT Management frameworks such as Information Technology Infrastructure Library (ITIL), Control Objectives for Information Technologies (COBIT), National Institute of Standards and Technology CyberSecurity Framework, and ISO/IEC 27001.
Our daily operations are continuously monitored. We monitor traffic traversing our computer networks and have implemented IT controls and processes to secure our business applications and prevent unauthorized access to or the loss of sensitive data. Our controls include the use of multiple encryption layers for data in transit and at rest, multi-factor authentication, data classification, and data loss prevention. We plan to assess the adequacy of our cybersecurity IT controls through annual cybersecurity vulnerability testing.
We maintain a risk-based approach to evaluating and overseeing cybersecurity risks presented by our third-party vendors. Third-party vendors that meet certain criteria, such as owning and operating any information technology networks and systems on which the Company relies, are evaluated to assess their performance across several domains, including data security and operations management. We seek to maintain effective communication with our third-party vendors to facilitate timely notification of cybersecurity incidents that might impact the Company. We also independently monitor reputable cybersecurity publications for notifications about vulnerabilities in widely used software libraries, APIs, and other generally available technologies upon which our third-party vendors’ products might rely.
Although risks from cybersecurity threats have to date not materially affected, and we do not believe they are reasonably likely to materially affect, us, our business strategy, results of operations or financial condition, like other companies in our industry, we could, from time to time, experience threats and security incidents related to our and our third-party vendors’ information systems. For more information, please see “Item 1A. Risk Factors - Increased Information Technology (“IT”) security threats and more sophisticated computer crime could pose a risk to our systems, networks, and services.”