Global Indemnity Group, LLC - (GBLI)

10-K Filing Date: March 15, 2024
Item 1C. CYBERSECURITY

Risk Management and Strategy

The Company recognizes the importance of developing, implementing and maintaining cybersecurity measures to safeguard its information systems and protect the confidentiality, integrity, and availability of its data. The Company maintains a cybersecurity program to assess, identify and manage cybersecurity threat risks. The Company assesses risks from cybersecurity threats, monitors its information systems for potential vulnerabilities and tests those systems pursuant to the Company’s cybersecurity policies, processes, and practices, which are integrated into the Company’s overall risk management process. To protect the Company’s information systems from cybersecurity threats, the Company uses various security tools and personnel that help the Company identify, escalate, investigate, resolve, and recover from security incidents.

Managing Material Risks & Integrated Overall Risk Management

The Company has incorporated cybersecurity risk management within its Enterprise Risk Management framework. Led by the Company’s Senior Vice President of Operations, the Company's risk management team, comprised of senior management team members, integrates the evaluation of cybersecurity risks in accordance with its business objectives, operational needs, and legal requirements.

Acknowledging the intricate and dynamic landscape of cybersecurity threats, the Company collaborates with external experts, such as cybersecurity assessors, consultants, and auditors, to assess and test its risk mitigation tools. The Company’s engagement with these external entities encompasses routine reviews, threat assessments, and ongoing consultations to enhance the Company’s security measures.

Prior to engagement, the Company undertakes security assessments of third-party providers that process or store confidential Company information, and monitors their activities for alignment with the Company’s cybersecurity standards. This monitoring involves evaluations performed by the Company’s team of security analysts, and annual review by the Company’s Chief Information Security Officer (“CISO”).

Risks from Cybersecurity Threats

Refer to the risk factor captioned “A failure in the Company’s operational systems or infrastructure or those of third parties, including security breaches or cyber-attacks, could disrupt the Company’s business, its reputation, and / or cause losses which would have a material effect on the Company’s business operations and financial results” in Part I, Item 1A. “Risk Factors” for additional description of cybersecurity risks that could materially impact the Company’s business strategy, results of operations or financial condition.

Governance

Management’s Role in Managing Risk

The CISO advises the Enterprise Risk Management Committee (the “ERM Committee”) of the Board of Directors on cybersecurity risks. The CISO provides the following information to the ERM Committee on a quarterly basis:

Company threat profile and emerging threats;
Status of cybersecurity initiatives and strategies;
Incident reports and learnings from any cybersecurity events; and
Compliance with regulatory requirements and industry standards.

The Company conducts an annual review of the Company’s cybersecurity posture and the effectiveness of its risk mitigation strategies. This review helps identify areas for improvement and align cybersecurity efforts with the overall risk management framework.

Risk Management Personnel

Primary responsibility for assessing, monitoring, and managing the Company’s cybersecurity risks rests with the CISO. The CISO has obtained cybersecurity credentials for the role, possesses expertise in the technical domain, and receives assistance from industry experts in decision-making. The CISO oversees the information security policies and data protection programs and the implementation of protective and detective tools, tests the Company’s compliance with standards, and remediates known risks. These initiatives include phishing simulations, semi-annual cybersecurity education for employees, and competency assessments. Additionally, the Company conducts table-top incident response exercises and other measures to enhance overall cybersecurity preparedness. These efforts underscore the organization’s commitment to addressing a wide range of potential threats and cybersecurity challenges.

Monitoring Cybersecurity Incidents

The CISO stays informed about developments in cybersecurity, including potential threats and risk management techniques. This ongoing knowledge acquisition is crucial for the prevention, detection, mitigation, and remediation of cybersecurity incidents. In the event of a cybersecurity incident, the CISO is equipped with a cyber incident response plan (“CIRP”) supported by a cross-functional cyber incident response team (“CIRT”). The CIRT oversees and responds to cybersecurity incidents. Its core objectives encompass detection and response, incident analysis and investigation, containment and eradication measures, and recovery processes. They also include coordinating and communicating with the Company’s management, regulators, affected parties, and external security experts. The CIRT determines the materiality of the incident, maintains documentation and reporting practices, and fosters a culture of improvement.

Reporting to Board of Directors

The ERM Committee is central to the Board’s oversight of cybersecurity risks and bears the primary responsibility for this area. The CISO, in his capacity, informs the Chief Executive Officer, the Chief Financial Officer, the Chief Audit Executive, the Chief Information Officer, and the Legal Department of aspects related to cybersecurity risks and incidents. Furthermore, the CISO escalates significant cybersecurity matters to the ERM Committee.

The Board has established oversight mechanisms to govern risks associated with cybersecurity threats because it recognizes the significance of these threats to the Company’s operational integrity and stakeholder confidence.