ARCH CAPITAL GROUP LTD. - (ACGL)

10-K Filing Date: February 23, 2024
ITEM 1C. CYBERSECURITY
Risk management and strategy
We prioritize the management of cybersecurity risk and the protection of information across our enterprise by embedding data protection and cybersecurity risk management in our operations. Our processes for assessing, identifying, and managing material risks from cybersecurity threats have been integrated into our overall risk management system and processes. For example, to identify and assess risks from cybersecurity threats, our enterprise risk management program considers cybersecurity as part of the Company’s risk assessment process, and our risk management framework requires risk owners to monitor key risks such as cybersecurity on a continuous basis. See Item 1, “Business—Enterprise Risk Management” for additional information.
As a foundation of our approach to cybersecurity risk, we have implemented processes at several levels across our enterprise to help assess, identify and manage cybersecurity risks. Our privacy and information security policies and standards govern our business lines and subsidiaries and encompass incident response, access control, and vendor management, among others. In order to develop these policies and procedures, we monitor the privacy and cybersecurity laws, regulations and guidance applicable to us in the regions where we do business. See Item 1, “Business—Regulation—Cybersecurity and Privacy” for additional details.
We annually undergo an external evaluation by a third-party cybersecurity firm that specializes in penetration testing. Our vendor management group performs information security risk assessments of our third-party service providers with respect to their ability to protect data from unauthorized access, and on a risk-weighted basis we perform re-assessments routinely. The Company also requires these vendors to adhere to privacy and cybersecurity measures and has a third-party service provider monitoring program in place that reviews changes to the security posture of certain higher-risk third-party service providers. In addition, the Company negotiates appropriately protective terms in its legal agreements with these providers.
Our operations rely on the secure processing, storage and transmission of confidential and other information in our computer systems and networks. Computer viruses, hackers, employee or vendor error or misconduct, and other external hazards could expose our information systems and those of our vendors to security breaches, cybersecurity incidents or other disruptions, any of which could materially and adversely affect our ability to conduct our business. While we and third parties with which we do business have experienced cybersecurity incidents, to date the Company does not believe that any previous cybersecurity incident has materially affected the Company.
The sophistication of cybersecurity threats, including through the use of AI, continues to increase, and the controls and preventative actions that we take to reduce the risk of cybersecurity incidents and protect our systems, including the regular testing of our cybersecurity incident response plan, may be insufficient. In addition, new technology that could result in greater operational efficiency, such as AI, may further expose our information systems to the risk of cybersecurity incidents. See Item 1A, “Risk Factors—Risk Relating to Our Industry, Business & Operations—Technology failures and cyber attacks, including, but not limited to, ransomware, exploitation in software or code with malicious intent, state-sponsored cyber attacks, as well as vulnerabilities relating to new technologies, such as generative AI, may impact us or our business partners and service providers, causing a disruption in service and operations which could materially and negatively impact our business and/or expose us to litigation.”
Governance
As part of our overall risk management approach, we recognize the importance of identifying and managing cybersecurity risk at several levels, including Board oversight, executive commitment and employee training. Our Audit Committee, composed of independent directors from our Board, carries out the Board’s oversight of the Company’s operational risks, including information technology (“IT”) risk, business continuity and data security. Our Audit Committee is informed of such risks through quarterly reports from our Chief Information Officer (“CIO”) and Chief Operations Officer (“COO”), with input from our Chief Information Security Officer (“CISO”).
Our cybersecurity and IT executives include our CIO, who has 33 years of experience in Information Technology, including 20 years in the financial services space. His responsibilities as the CIO include information security oversight and board reporting. Our CISO has 18 years of experience in Information Security and holds certifications from leading security associations. The CISO, reporting to the CIO, oversees the implementation of, and compliance with, our information security standards and the mitigation of related risks. We also have three management-level committees and a team that support our processes to assess and manage cybersecurity risk.
The Privacy and Security Committee (“P&S Committee”), co-chaired by the CISO and our Deputy General Counsel, brings together Information Security, legal, compliance, human resources and other function leads. The P&S Committee provides a forum for these cross-functional members of management to: consider new laws and regulations relating to privacy and security; consider emerging risks relating to cybersecurity and data protection; approve, review and update policies and standards as appropriate; and promote cross-functional collaboration to manage cybersecurity and privacy risks across the enterprise.
The Operational Risk Committee (“ORC”), composed of senior IT, operations, risk, legal and compliance leaders across business segments, manages business continuity risks, including risks posed by cybersecurity threats, and implements controls to mitigate such operational risks. Among other processes, the ORC reviews the Company’s programs and processes related to business operations and resiliency, including crisis incident management and cyber risk response, third-party risk, vendor management, facilities, unplanned downtime, business disruption, business continuity and disaster recovery. Key information reviewed by the ORC, including as it relates to cybersecurity, is included in the COO’s quarterly report to the Audit Committee.
The Crisis Incident Management Team (“CIMT”), which includes senior executives across the Company, is alerted as appropriate to cybersecurity incidents, natural disasters and business outages. Each quarter, the CIMT exercises its communication plan to confirm that its members can be alerted quickly in the event of an actual crisis and meet as a team to discuss the event and response options.
The IT Steering Committee (“IT Committee”), which includes our CIO, CISO, COO and members of executive leadership, oversees IT initiatives while considering cybersecurity risk mitigation with respect to these initiatives.
The P&S Committee, ORC, CIMT and IT Committee are composed of executives with reporting lines to the CIO and/or the COO.
At the employee level, we maintain an experienced IT security team tasked with ongoing reviews of our technology systems, implementation of our privacy and cybersecurity program, and support for the CIO and CISO in carrying out their reporting, security and mitigation functions. We also hold employee training on privacy and cybersecurity and on records and information management, conduct regular phishing tests, and generally seek to promote awareness of cybersecurity risk through communication with and education of our employee population.