BERKLEY W R CORP - (WRB)
10-K Filing Date: February 23, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Strategy and Risk Management Program
The Company has a documented information security program (the Program) to identify, assess, monitor and manage potential cybersecurity threats and incidents. The Program is designed to protect the confidentiality, integrity and availability of our information systems and assets that store, process, or transmit information. The Program is modeled on the global standard for information security risk management, International Organization for Standardization (ISO) 27001, and is guided by the six functions of the National Institute of Standards and Technology Cybersecurity Framework (i.e., govern, identify, protect, detect, respond, and recover). The Program seeks to adhere to applicable U.S. and international laws and regulations, including New York State’s cybersecurity regulation applicable to financial services institutions authorized by the New York State Department of Financial Services.
The Program’s security and risk policies and standards, implemented by either the Company or third-party assessors or consultants, include:
– information security management tools, such as firewalls, intrusion prevention and detection systems, anti-malware functionality, and access privilege controls;
– vulnerability management, including penetration and control testing and vulnerability scans of information systems;
– incident monitoring, breach notification and escalation, including disaster recovery and incident response plans and resources;
– risk-based assessment of third-party service providers; and
– annual cybersecurity awareness training for employees and contractors.
The Company has not identified any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition, for the period covered by this annual report. For a discussion regarding risks associated with cybersecurity threats, see Risk Factors – Risks Relating to Our Business – “If our information technology, telecommunications or other computer systems become unavailable or unreliable, our ability to conduct our business could be negatively or severely impacted” and “Failure to maintain the security of information technology systems and confidential data may expose us to liability.”
Board Oversight, Governance and Risk Management
The entire Board of Directors has oversight of risks from cybersecurity threats and receives periodic updates on such risks from the Company’s management, including from the Company’s President and CEO and its Vice President, Chief Information Security Officer (CISO).
Our CISO is principally responsible for assessing and managing all aspects of the Program, including the Company’s Regional Information Security Officers (RISOs), third-party consultants, tracking of industry trends, and control testing and tracking by risk level. Our CISO meets periodically with senior executives, including the Company’s President and Chief Executive Officer, to discuss the Company’s cybersecurity strategy and its monitoring, prevention, detection, mitigation, and remediation of cybersecurity risks. Regular reporting on the Program is also provided to the Company’s Enterprise Risk Management Committee, which is comprised of the President and CEO, Senior Vice President – Enterprise Risk Management, Executive Vice President – Investments, Executive Vice President – Chief Financial Officer, Executive Vice President – Secretary, and the Of Counsel and Assistant Secretary. Collectively, the CISO and RISOs, along with their teams, in collaboration with the technology and business owners, implement the Program. The Legal, Compliance, and Internal Audit functions also assess the Program’s adherence to regulatory requirements and internal controls.
In the event of a potentially material cybersecurity incident, the Company’s incident response plans establish escalation protocols for relevant IT leaders and functional leaders within Enterprise Risk Management, Legal, Compliance and Internal Audit to engage management as appropriate.
Our CISO has over 25 years of information security experience and is licensed as a Certified Information Systems Security Professional.