WILLIS TOWERS WATSON PLC 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

WILLIS TOWERS WATSON PLC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 12:52:57 EST.

Filings

10-K filed on 2024-02-22

WILLIS TOWERS WATSON PLC filed a 10-K at 2024-02-22 12:52:57 EST
Accession Number: 0000950170-24-018575

Item 1C. Cybersecurity.

WTW’s management is responsible for the day-to-day management of risks, and the board, including through its committees, is responsible for understanding and overseeing the various risks facing WTW.

Cybersecurity Risk Management and Strategy

Increased global cybersecurity vulnerabilities, threats and more sophisticated and targeted cyber-related attacks pose an ongoing risk to the security of our information systems and networks. WTW seeks to manage cybersecurity risks consistent with its general approach to enterprise risk management (“ERM”). Technology and cyber risks that meet certain thresholds are escalated and tracked by the ERM team within the Risk function. WTW engages third parties to conduct assessments to help it identify, categorize and manage cyber risks including SOC 2 - Type 2, ISO 27001 and a National Institute of Standards and Technology (“NIST”) cybersecurity maturity assessment. Additionally, management and third parties from time to time conduct penetration testing and vulnerability scanning to help WTW identify and reduce the threat of known and emerging cybersecurity risks.

Board Oversight and Governance

WTW’s board of directors has delegated the oversight of risks to the Audit and Risk Committee through its charter. The Audit and Risk Committee assists the board of directors in its oversight of the ERM framework, policies and practices used by WTW to identify, assess and manage key risks facing WTW, including financial and strategic risks as well as risks relating to matters of compliance and internal control, tax and pension, among other matters. The Operational Transformation Committee (the “OT Committee”) oversees risks arising out of WTW’s operations related to cybersecurity and other risks. WTW’s Chief Information Security Officer (“CISO”) and Chief Information Officer (“CIO”) report to the OT Committee on cybersecurity matters, including key risks. The OT Committee reports to the board of directors at each formal board meeting and the board of directors discusses those reports.

Management Oversight and Governance

Management plays an important role in assessing and managing WTW’s material risks from cybersecurity threats. The CISO is responsible for designing and implementing a security program and strategy. WTW’s CISO has served in various roles in information technology and information security for over 32 years, including serving as CISO of several public companies. The CISO holds undergraduate and graduate degrees in mathematics and strategic information systems and has attained the professional certification of Certified Information Systems Security Professional. The CISO reports to the CIO. WTW’s CIO has served in various roles in information technology for over 36 years.

As part of the WTW cybersecurity program, cross-functional teams throughout WTW address cybersecurity threats and respond to cybersecurity incidents. Through ongoing communications with these teams, the CISO and senior management are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents and escalate such threats and incidents as appropriate through the processes described in more detail below.

Management’s cybersecurity risk management strategy and processes focus on several key areas, including:

Incident Response Planning: WTW has a global Information and Cyber Security Incident Response Plan (“ICSIRP” or “Plan”) for identifying and managing cyber and data security threats. The ICSIRP defines the roles and responsibilities of WTW stakeholders involved in responding to cyber and data security events, severity levels and incident categories, and it outlines a process for incident management, including escalation and communication procedures.

Technical Safeguards: WTW seeks to continuously improve implemented technical safeguards that are designed to protect WTW’s information systems. Standards include controls for access management, cyber threat and incident management, data security, encryption, human resource security, network and device security, secure asset management, secure system development, security operations and third-party security. While WTW seeks to maintain adequate controls, they may not always be effective. See Part I, Item 1A “Risk Factors” under the heading “Data and cybersecurity breaches or improper disclosure of confidential company or personal data could result in material financial loss, regulatory actions, reputational harm, and/or legal liability” for more information about WTW’s technical controls, management, mitigation, and security practices as well as the risks related thereto.

Education and Awareness: WTW’s policy is that all WTW colleagues are required to receive annual, mandatory privacy and information security training.

Third-Party Risk Management: WTW’s risk management strategy includes a third-party risk management process that is intended to be aligned to the technology security key controls across the organization.

Threat Intelligence: WTW seeks to obtain threat intelligence on cyber threats to WTW at the strategic, operational and tactical levels.

Material Effects of Cybersecurity Incidents

We do not believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected our business strategy, results of operations, or financial condition. However, there is no guarantee that a future cyber incident would not materially affect our business strategy, results of operations or financial condition. To learn more about risks from cybersecurity threats, review the risk factors included in Part I, Item 1A “Risk Factors” in this Annual Report on Form 10-K, as updated by WTW’s subsequent SEC filings. The risks described in such filings are not the only risks facing WTW. Additional risks and uncertainties not currently known or that may currently be deemed to be immaterial also may materially adversely affect WTW’s business, financial condition or results of operations.


Company Information

Name: WILLIS TOWERS WATSON PLC
CIK: 0001140536
SIC Description: Insurance Agents, Brokers & Service
Ticker: WTW - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30