Argo Group International Holdings, Inc. - (ARGD)
10-K Filing Date: March 19, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We regularly assess risks from cybersecurity threats, monitor our information systems for potential vulnerabilities and test those systems pursuant to our cybersecurity policies, processes and practices. We also use security tools intended to protect our information systems from cybersecurity threats, and to help us identify, escalate, investigate, resolve and recover from security incidents in a timely manner.
In particular, our information security program and approach is based on the National Institute of Standards and Technology Cybersecurity Framework (“NIST Framework”). The NIST Framework establishes core requirements related to information protection, processes and technologies. In addition, we maintain a Data Protection Framework and various policies, including Information Security Policy, Privacy Policy, and Records & Information Management Policy, to appropriately manage personal information necessary to operate our business and comply with applicable regulations. We also maintain a Third-Party Risk Management Program, including a Vendor Management Policy, which allows us to better oversee, monitor, identify and control certain risks related to the processing of personal information and customer information by our authorized third parties.
In accordance with these policies, we share personal information with affiliates, business partners, third-party service providers, or vendors only when we have a legitimate business purpose for doing so and it is permissible by law. We require third parties to maintain similar standards to ours to protect personal information. We have implemented a risk mitigation process to identify and assess the cyber posture of third parties providing commodities or services to our legal entities. We also have implemented multiple layers of data protection measures.
We have in the past, and may in the future, engage third parties to assess the effectiveness of our cybersecurity prevention and response systems and processes. As part of a continuous improvement initiative, we strive to mature and build a robust and resilient environment to protect and defend against bad actors. We engage third parties to perform internal and external testing to improve security operations, disaster recovery, and incident response programs.
To date, we are not aware of risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, results of operations or financial condition. Refer to the risk factors under “Operational Risks” in Part I, Item 1A. “Risk Factors” for additional description of cybersecurity risks and potential related impacts on the Company.
Governance
Our Board oversees the Company’s risk management process, including on cybersecurity risks, directly and through committees to which the Board has delegated authority. In connection with Brookfield Reinsurance’s acquisition of the Company, the Company’s Audit Committee was dissolved and all authority previously granted to the Company’s Audit Committee was delegated to the Audit Committee of Brookfield Reinsurance. The Brookfield Reinsurance Audit Committee is responsible for overseeing our internal controls, including cybersecurity and data protection programs, and reviews the effectiveness of our financial reporting processes and internal controls, including data privacy, information technology security and control. Meetings of the Brookfield Reinsurance Audit Committee often include discussions of specific risk areas, including, among others, those relating to cybersecurity. The Brookfield Reinsurance Audit Committee also frequently discusses, in accordance with its duties and responsibilities as enumerated in its committee charter, the policies, guidelines and process by which management assesses and manages risks related to data protection and cybersecurity, including assessments of the overall threat landscape, steps management has taken to monitor or mitigate its risk exposure and related strategies and investments. Our Chief Security Officer regularly reports on data protection and information technology security matters to the Brookfield Reinsurance Audit Committee and to Argo senior management via Security Governance Council meetings.
As discussed above, our information security program and approach is based on the NIST Framework, and we have implemented cybersecurity policies, processes and practices designed to monitor and address cybersecurity threats and incidents. Our Chief Security Officer, in coordination with the Head of Risk, Chief Information Officer, Head of Operations, and General Counsel, is responsible for leading the assessment and management of cybersecurity risks. Our Chief Security Officer has extensive experience in information security, data protection and privacy, and regularly receives reports from our threat intelligence resources, in concert with enterprise risk, and legal departments, on cybersecurity threats and incidents.
In addition, plans have been authored to assist our security, legal, and finance functions in assessing and managing Argo’s material risks from cybersecurity threats, and we conduct tabletop exercises and training sessions on a regular basis to help ensure effectiveness of said plans. We also utilize outside resources to assist and participate in the determination of materiality of incidents stemming from cybersecurity threats.