EVEREST GROUP, LTD. - (EG)
10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
Everest has aligned and operationalized its cybersecurity program and controls to the National Institute of Standards and Technology (“NIST”) Cybersecurity Incident Response Framework to provide preventative, detective and responsive measures that are timely, comprehensive, systematic, and in alignment with industry standards, regulatory requirements, and the Company’s risk management framework. As part of the Company’s cybersecurity program, Everest has established cross-functional teams with roles and responsibilities for cybersecurity incident response. The Company has a formal incident response escalation process, which involves a dedicated Security Operation Center (“SOC”) as well as a cybersecurity incident response team (“CSIRT”), to further escalate to senior management and the Board, as appropriate. While the actual methods of incident response employed may differ based on the type and nature of the incident, our approach uses a combination of internal teams, external advisors and vendors with specialized skills to support the response and recovery efforts, including a process for escalating issues as needed to senior management and providing timely notification of cybersecurity incidents to law enforcement and regulatory bodies, as appropriate.
Everest uses a multi-layered process for assessing, identifying and managing material risks from cybersecurity threats and manages its systems and processes both internally and with the assistance of specialized third-party service providers. The Company obtains timely cyber-threat intelligence from various sources and maintains intrusion detection, network firewall protections, advanced threat protection, endpoint detection and response, email filtering, DDoS and other protections to secure the company’s critical infrastructure. The SOC provides enhanced early detection supported by threat intelligence services, actively manages security tools, and monitors and responds to security alerts. The SOC also initiates incident response protocols, including escalating threats as needed to the CSIRT, including the Chief Information Security Officer (“CISO”), who can further escalate to other members of senior management and the Board, as may be appropriate. Various processes, including compiling security metrics, vulnerability scans, regular patching of software and hardware vulnerabilities, external penetration testing, internal phishing tests, red team exercises, and cyber incident response exercises, are used to test the effectiveness of the overall cybersecurity control environment. In addition to periodic self-assessment of various cybersecurity controls, the Company conducts annual independent NIST assessments to review its cybersecurity posture and to identify opportunities to enhance its cybersecurity controls and mitigate cybersecurity risk.
Everest outsources certain business, technological and administrative functions and relies on third-party vendors to perform certain functions or provide certain services on its behalf. The Company negotiates contractual provisions to address identified cybersecurity risk(s) with third-party vendors. Third-party security assessments of these vendors are also performed as part of the Company’s third-party vendor management processes. The Company also maintains processes to oversee and manage material risks from cybersecurity threats associated with its use of third-party service providers.
Everest provides resources and learning opportunities to educate all of our colleagues on how to identify, report, and be vigilant against cybersecurity threats in the workplace. In addition, we conduct cybersecurity incident simulation exercises with business, information technology, management, and other key stakeholders to practice and test response processes. Furthermore, the Company collaborates with industry associations, government and regulatory authorities, peer companies and external advisors to monitor the threat environment and to inform its cybersecurity practices.
For the year ended December 31, 2023, Everest has not experienced any cybersecurity incident that materially affected the Company, including its business strategy, results of operations or financial condition.
Governance
Cybersecurity threats are a persistent and dynamic risk to our entire industry. The Company views cybersecurity risk as an enterprise-wide concern that involves people, processes and technology. Accordingly, the Company’s Board, through the RMC, referenced above in ITEM 1 “Business” - Enterprise Risk Management, has ultimate responsibility for risk oversight, as described more fully in our Proxy Statement, while management is tasked with the day-to-day management of the Company’s cybersecurity risks. The Company’s Board has a practical understanding of information systems and technology use in our business operations and processes, as well as a recognition of the risk management aspects of cyber risks and cybersecurity. The RMC, which oversees controls for the Company's major risk exposures, has principal responsibility for oversight of cybersecurity risk.
The Company also appointed a certified Chief Information Security Officer (“CISO”) with significant public and private cybersecurity experience. The CISO is dedicated to assessing the Company’s data security risk, monitoring cyber threat intelligence and taking the steps necessary to implement pertinent safeguards and protocols to manage the risk. In addition, the Executive Risk Committee or ERC, referenced above in ITEM 1 “Business” - Enterprise Risk Management, annually reviews the Company’s cyber exposure across all lines of business and the security safeguards for privacy-protected data held by the Company. The ERC, through its sub-committees, including the Operational Risk Committee and the Global IT and Cyber Risk Management Committee, works in conjunction with the Company’s CISO to assess the Company’s vulnerabilities to cybersecurity threats, including the operational risk of such threats to our business; continuous dialogue throughout the year is essential to that assessment. The Operational Risk Committee and the Global IT and Cyber Risk Management Committee sub-committees meet quarterly in advance of the quarterly ERC meetings to, among other things, report on material cybersecurity risks.
From a governance perspective, in addition to the CISO, senior members of Information Technology provide briefs on cybersecurity matters, the overall cyber resiliency posture of the Company, and the effectiveness of the Company’s cybersecurity program to the RMC. The topics covered by these updates include the Company's activities, policies and procedures to prevent, detect and respond to cybersecurity incidents, as well as lessons learned from cybersecurity incidents and internal and external testing of our cyber defenses.