James River Group Holdings, Ltd. - (JRVR)
10-K Filing Date: February 29, 2024
Item 1C. CYBERSECURITY
The Company utilizes widely-recognized frameworks based on practices believed to be effective for managing cybersecurity risk, including the development of an organizational understanding of systems, assets, data and capabilities, and the development and implementation of safeguards and processes designed to ensure delivery of services and to detect, respond to and recover from cybersecurity events. Significant time and resources are devoted to the protection of the Company’s systems and data, including the staffing of an experienced internal cybersecurity team, the use of a variety of preventative, detective and recovery tools, and engagement with external service providers to bolster the Company’s cyber defense and response capabilities. Our Chief Information Officer (CIO) has over 30 years of information technology and cybersecurity experience and our Chief Information Security Officer (CISO) has more than 15 years of direct cybersecurity experience. In addition, the Company’s Internal Audit team includes members with information technology and cybersecurity expertise and training.
In the last three fiscal years, our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. The Company maintains cyber liability insurance coverage to minimize any potential financial impacts from cybersecurity incidents that may occur.
Board Oversight
The Company’s Board of Directors provides oversight of the Company’s cybersecurity risks through its Audit Committee. Four of the eight members of the Board of Directors, and three of the four Audit Committee members, possess skills related to information technology and cybersecurity. The Audit Committee reviews the Internal Audit team’s cyber-related control audits to confirm that cyber risks are being appropriately managed and also reviews a periodic report produced by the CIO and CISO on the performance of the Company’s cybersecurity program. In addition, the CIO and CISO present a comprehensive cybersecurity update to the full Board of Directors on at least an annual basis.
Risk Identification & Mitigation
Cyber risk is incorporated into the Company’s larger enterprise risk management practices, which include efforts to identify, assess, rank, treat, monitor and review risks. Cyber risks are assessed no less than annually by the CIO and CISO. Significant findings from these internal assessments are presented to management for incorporation into the enterprise risk management framework, and appropriate measures to mitigate and monitor the identified risks are developed and implemented. Strategic and emergent cyber-related efforts are shared with the wider information technology team and other stakeholders within the business for both informational and execution purposes.
The Company assesses and monitors third-party risks and closely tracks cyber threats such as ransomware and emergent web-based vulnerabilities. A variety of controls exist to minimize the impact of these risks and ensure each is managed within organizational tolerances, and management monitors those controls for effectiveness. In addition, James River's Information Security Office conducts cybersecurity risk reviews on new and existing third-party vendors and business partners, which are presented to management so that either appropriate risk mitigation controls can be established with respect to such third party or the Company can avoid engaging with such third party if it is deemed to present an unacceptable level of risk.
Independent cybersecurity testing is performed by outside parties on at least an annual basis to identify opportunities for cyber control strengthening in the face of applicable threats. The results of these evaluations are reviewed and prioritized by the CIO and CISO based on their applicability and urgency to address gaps and drive continuous improvement. These findings, along with the resultant enhancement and remediation efforts, are communicated to the Company's Board of Directors.
Training
The Information Security Office conducts company-wide cybersecurity training, including through an annually required course of online training modules and a continuous email phishing test campaign. In addition, the CISO leads an annual cybersecurity tabletop exercise with company leadership to continually improve the organization’s preparedness for cyber incidents. These exercises consider real-world events that could impact the business and seek to fine-tune response activities in an effort to minimize future cybersecurity incident impacts.
See Item 1A. Risk Factors - "We rely on our systems and employees, and those of certain third-party vendors and service providers in conducting our operations, and certain failures, including internal or external fraud, operational errors, systems malfunctions, or cyber-security incidents, could materially adversely affect our operations" for additional discussion.