Arthur J. Gallagher & Co. - (AJG)
10-K Filing Date: February 09, 2024
We have implemented a cybersecurity program to assess, identify, and manage risks from cybersecurity threats that could adversely and materially affect the confidentiality, integrity, and availability of our information and information systems. We maintain administrative, technical, and physical safeguards designed to protect the security and privacy of confidential, personal and proprietary information. Our cybersecurity program is aligned with notable control frameworks such as the NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) and ISO (International Organization for Standardization) 27001.
Our cybersecurity program leverages people, processes, and technology to identify and respond to cybersecurity threats. We have a global incident response capability. We also have established a dedicated vendor assessment team, which employs systems and processes designed to oversee, identify, and reduce the potential impact of a security incident at a third-party vendor, service provider or customer or otherwise implicating the third-party technology and systems we use, as well as a global training and awareness program. We also continuously test and assess our cybersecurity posture, including through annual third-party risk assessments performed by reputable assessors, consultants and auditors. A global FAIR (Factor Analysis of Information Risk) assessment is conducted at least annually to update our cybersecurity risks and corresponding mitigations.
Our Chief Information Security Officer (CISO), working together with our Chief Information Officer (CIO), oversees a team of employees dedicated to cybersecurity. Our CISO receives ongoing updates from the cybersecurity team regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents and regularly reports to the CIO. Our CISO is an active member of our management-level enterprise risk management committee, which has broad oversight of the company’s enterprise risks, including cybersecurity risks. In addition, our CIO and CISO both attend regular meetings of the executive officer team, including our Chief Executive Officer, Chief Financial Officer and other senior executive officers, dedicated to compliance and risk, and report on cybersecurity matters as appropriate. Our Board of Directors has delegated primary responsibility for the oversight of cybersecurity matters to the Risk and Compliance Committee; however, the full board reviews significant cybersecurity matters as appropriate. Our CIO and CISO report on cybersecurity and information security at each meeting of the Risk and Compliance Committee.
Our CIO has more than 30 years of experience, including from his prior business and technology leadership roles at Aegon N.V., Citigroup, Inc. and JP Morgan Chase & Company. Our CISO has more than 20 years of cybersecurity experience. Prior to joining us, he was Senior Vice President, Chief Information Security Officer at Brighthouse Financial, served as Technology Vice President & Chief Information Security Officer for GE Healthcare and started his career at Allstate Insurance Company. He also holds security, privacy and risk certifications, including Certified Information Systems Auditor, Certified Information Security Manager and Certified Information Systems Security Professional.
To date, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations or financial condition, and we do not believe that such risks are reasonably likely to have such an effect over the long term. However, due to evolving cybersecurity threats, we may not be able to protect all information systems and, as an acquisitive organization, integrating information systems as we acquire new businesses may expose us to unexpected liabilities or increase our vulnerability. Additional information on cybersecurity risks we face is discussed in Item 1A of Part I, “Risk Factors,” which should be read in conjunction with the foregoing information.