Enstar Group LTD 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

Enstar Group LTD reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 16:48:38 EST.

Filings

10-K filed on 2024-02-22

Enstar Group LTD filed an 10-K at 2024-02-22 16:48:38 EST
Accession Number: 0001363829-24-000020

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY RISK DISCLOSURES We are increasingly dependent on sophisticated software applications and computing infrastructure to conduct key operations. We depend on both our own systems, networks and technology as well as the systems, networks and technology of our contractors, consultants, vendors and other business partners. Cybersecurity Program Given the importance of cybersecurity to our business, we maintain a comprehensive information security program for assessing, identifying and managing material risks from threats to our information security. Our information security program is based on industry standards and best practices, following the National Institute of Standards and Technology (NIST) Cybersecurity Framework. As part of our information security program, we also require third-party service providers with access to personal, confidential or proprietary information to implement and maintain comprehensive cybersecurity practices consistent with applicable legal standards and industry best practices. We also train employees on how to identify potential cybersecurity risks and protect our information and resources. This training is mandatory for all employees globally upon hire and on an annual basis. We use the Three Lines Model in order to ensure our information security program s effectiveness and readiness. Our first line is our IT Security Operations, which implements and executes upon a robust control framework, while our Information Security Assurance function maintains an information security assurance program that includes external penetration management. Our second line is our Risk and Compliance functions. Our Risk function performs table top exercises, red team testing and stress testing, while our Compliance function ensures regulatory requirements are identified proactively and monitors compliance with our internal policies and procedures. Our third line consists of our Internal Audit function, which provides objective assurance and testing over internal policies and procedures related to our information security program. Governance Management Oversight Our management plays an active role in assessing and managing the risks posed to us by cybersecurity threats. Our strategy for managing cybersecurity risk is embedded within the IT function, which reports to our Chief of Business Operations (CBO) and our Information Security function, which reports to our CRO. The controls and processes employed to assess, identify and manage material risks from cybersecurity threats are implemented and overseen by our Global Chief Information Officer (CIO) and our Global Head of Information Security (GHIS). Our CIO has over 24 years of experience in the area of information technology. He previously served in related roles, including IT strategy and delivery roles at Arthur Andersen Consulting and Deloitte Consulting, and has served in his current role since joining us in 2017. Our GHIS has over 18 years of information security experience. His experience includes driving our information security strategy, awareness and training, third party cyber risk management, compliance, and providing assurance of the security activities conducted by the IT Security Operations team. He has served in his current role since joining us in 2006. Our CIO and GHIS are responsible for the day-to-day management of the cybersecurity program, including the prevention, detection, investigation, response to, and recovery from cybersecurity threats and incidents, and are regularly engaged to help ensure the cybersecurity program functions effectively in the face of evolving cybersecurity threats. Board Oversight The Board of Directors actively oversees the Company s management of cybersecurity risk. Primary responsibility for the Board s role in oversight of the Company s management of cybersecurity risk is delegated to the Risk Committee of the Board. The Risk Committee is responsible for reviewing, discussing with management, and overseeing the Company s data privacy, information technology and security and cybersecurity risk exposures. Our CIO and GHIS provide regular updates on cybersecurity risk and our information security program to the Risk Committee. These reports typically occur on a quarterly basis and include updates on current cyber risks, cybersecurity strategies and initiatives, event preparedness, the status of projects to strengthen our information security program, and the emerging cybersecurity threat landscape. Process for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats In the event of a breach, we have a comprehensive plan in place for assessing and addressing any potential threats to our information security. We maintain a Cyber and Data Incident Response Plan and Framework, which identifies and describes the roles and responsibilities of the Cyber Incident and Response Team and the Cyber Incident Enstar Group Limited | 2023 Form 10-K 44 Table of Contents Oversight Committee. The Cyber Incident Response Team is responsible for receiving information relating to possible incidents, investigating and analyzing them, and taking action to avoid and mitigate the damage caused by such incidents. The Crisis Oversight Committee, chaired by our CBO, is responsible for support and oversight of the Cyber and Data Incident Response Plan and Framework and oversight of the Cyber Incident Response Team s execution of the plan in the event of a cyber incident. We also maintain a Cyber and Data Incident Reporting Portal, which allows employees to notify our cybersecurity and data protection teams if they believe they have been the victim of a cyber incident or data breach, or have become aware that a third party service provider has suffered a cyber incident or data breach. Cybersecurity Risks Our cybersecurity risk management processes are integrated into our overall Enterprise Risk Management ( ERM ) Framework. As part of our ERM Framework, we maintain the traditional Three Lines Model (Management, Risk & Compliance and Internal Audit) to delineate accountabilities and establish a check and balance management of risks. For additional information on our ERM Framework, refer to Item 1. Business - Enterprise Risk Management. Although our information security program is designed to attempt to prevent, detect and respond to a cybersecurity incident, there can be no assurance that such an incident will not occur. A cybersecurity incident could cause the failure of our information security systems or those of our third-party service providers, which could materially impact our ability to perform certain critical functions, affect the confidentiality, availability or integrity of our proprietary information and expose us to litigation and increase our administrative expenses. As of the date of this report, we are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected the business strategy, results of operations or financial condition of the Company or are reasonably likely to have such a material effect. However, evolving cybersecurity threats make it increasingly challenging to anticipate, detect, and defend against cybersecurity threats and incidents. For additional information on the risks we face from cybersecurity threats, refer to Item 1A. Risk Factors - Risks Relating to Our Operation.

Company Information