RENAISSANCERE HOLDINGS LTD - (RNR)
10-K Filing Date: February 21, 2024
ITEM 1C. CYBERSECURITY
INFORMATION TECHNOLOGY AND CYBERSECURITY
Our business and support functions utilize information systems that provide critical services to both our employees and our customers. We have an integrated team of professionals who manage and support our communication platforms, transaction-management systems, and analytics and reporting capabilities, including the development of proprietary solutions like REMS©. We use both cloud-based platforms and services and off-site, secure data centers in North America and Europe for our core applications.
Information security and privacy are important concerns, with an escalating cyber-threat environment and evolving regulatory requirements driving continued investment in this area. Our information security program is designed to meet or exceed industry best practices, and is integrated into our broader ERM framework. We are subject to a number of cybersecurity and data privacy laws and regulations, such as those promulgated by the BMA, NYDFS and EU. Pursuant to applicable regulations, we have established and maintain a cybersecurity program designed to protect our information technology systems and customer data. Our program is designed to comply with all applicable cybersecurity regulatory requirements, including disclosure requirements, and we continue to evaluate and assess our compliance in the changing regulatory environment. It is likely that we will be subject to new regulations that could adversely affect our operations or ability to write business profitably in one or more jurisdictions. We cannot predict what, if any, regulatory actions may be taken with regard to “big data” or other emerging technologies, but any actions could have a material impact on our business, business processes, financial condition, and results of operations.
We have in place, and seek to continuously improve, a comprehensive system of security controls, managed by a dedicated staff. From time to time, we engage reputable third parties to perform a variety of services, including managed network security services, incident response or management services, cyber-forensic investigation services, and periodic security penetration testing which we utilize to update our security controls based on any findings. In addition, we are subject to independent assessment and review by regulators, as well as an annual audit of our security controls by our independent internal audit team. We also provide regular security risk education awareness and training sessions for all staff. Additionally, we maintain an ongoing internal third-party cybersecurity risk assessment program to oversee and identify potential cybersecurity threats associated with our use of third-party service providers, and consider these assessments when selecting and engaging service providers.
Our Board is responsible for overseeing enterprise-wide risk management and is actively involved in the monitoring of risks that could affect us, including cybersecurity risks. Pursuant to its charter, one of the key responsibilities of the Audit Committee of our Board is oversight of our information and cybersecurity programs and it receives regular reports on cybersecurity, information security, technology and other related matters and risks. The Audit Committee regularly briefs the Board on matters relating to its information technology and cybersecurity risk oversight.
Our Board and its Audit Committee are supported in their oversight of information technology and cybersecurity matters and risks by two management committees, the Operational Risk and Resilience Committee, which regularly reports to the Audit Committee, and the Information Security Steering Committee (the “ISSC”). The ISSC is responsible for providing management oversight for our cybersecurity risk management program, and its membership includes our Chief Technology Officer and Corporate Information Security Officer, among other members of senior management. Our Chief Technology Officer and Corporate Information Security Officer have each served in various roles in information technology and/or information security for many years, and have extensive information technology and cybersecurity experience. The Chief Technology Officer and Corporate Information Security Officer, alongside other multidisciplinary teams across the Company, work to monitor the prevention, detection, mitigation and remediation of cybersecurity incidents. The broad, cross-functional management team leverages significant experience and expertise across a range of areas, including in managing risk, technology, and legal and regulatory affairs, among others, for assessing and managing cybersecurity risks.
We have implemented incident response and business continuity plans for our operations, which are regularly tested with respect to our business-critical infrastructure and systems. We employ data backup procedures that seek to ensure that our key business systems and data are regularly backed up, and can be restored promptly if and as needed. In addition, we generally store backup information at off-site locations, in order to seek to minimize our risk of loss of key data in the event of a disaster. Our recovery plans involve arrangements with our off-site, secure data centers and cloud infrastructure. We believe we will be able to utilize these plans to efficiently recover key system functionality in the event that our primary systems are unavailable due to various scenarios, such as natural disasters.