BERKLEY W R CORP 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

BERKLEY W R CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 16:09:29 EST.

Filings

10-K filed on 2024-02-23

BERKLEY W R CORP filed a 10-K at 2024-02-23 16:09:29 EST
Accession Number: 0000011544-24-000005


Item 1C. Cybersecurity.

Cybersecurity Strategy and Risk Management Program

The Company has a documented information security program (the "Program") to identify, assess, monitor and manage potential cybersecurity threats and incidents. The Program is designed to protect the confidentiality, integrity and availability of our information systems and assets that store, process, or transmit information. The Program is modeled on the global standard for risk assessment, International Organization for Standardization 27001, and is guided by the six domains of cybersecurity established by the National Institute of Standards and Technology Cybersecurity Framework (i.e., govern, identify, protect, detect, respond, and recovery). The Program seeks to adhere to applicable U.S. and international laws and regulations, including New York State's cybersecurity regulation applicable to financial services institutions authorized by the New York State Department of Financial Services.

The Program's security and risk policies and standards, implemented by either the Company or third party assessors or consultants, include: information security management tools, such as firewalls, intrusion prevention and detection systems, anti-malware functionality, and access privilege controls; vulnerability management, including penetration and control testing and vulnerability scans of information systems; incident monitoring, breach notification and escalation, including disaster recovery and incident response plans and resources; risk based assessment of third party service providers; and annual cybersecurity awareness training for employees and contractors.

The Company has not identified any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition, for the period covered by this annual report.

For a discussion regarding risks associated with cybersecurity threats, see "Risk Factors - Risks Relating to Our Business - If our information technology, telecommunications or other computer systems become unavailable or unreliable, our ability to conduct our business could be negatively or severely impacted" and "Failure to maintain the security of information technology systems and confidential data may expose us to liability."

Board Oversight, Governance and Risk Management

The entire Board of Directors has oversight of risks from cybersecurity threats and receives periodic updates on such risks from the Company's management, including from the Company's President and CEO and its Vice President, Chief Information Security Officer ("CISO"). Our CISO is principally responsible for assessing and managing all aspects of the Program, including the Company's Regional Information Security Officers ("RISOs"), third-party consultants, development of industry trends and control testing and tracking by risk level. Our CISO meets periodically with senior executives, including the Company's President and Chief Executive Officer, to discuss the Company's cybersecurity strategy, and its monitoring, prevention, detection, mitigation, and remediation of cybersecurity risks.

Regular reporting on the Program is also provided to the Company's Enterprise Risk Management Committee, which is comprised of the President and CEO, Senior Vice President - Enterprise Risk Management, Executive Vice President - Investments, Executive Vice President - Chief Financial Officer, Executive Vice President - Secretary, and the Of Counsel and Assistant Secretary. Collectively, the CISO and RISOs, along with their teams, in collaboration with the technology and business owners, implement the Program. Legal, Compliance, and Internal Audit functions also assess the Program's adherence to regulatory requirements and internal controls.

In the event of a potentially material cybersecurity incident, the Company's incident response plans establish escalation protocols for relevant IT leaders and functional leaders within Enterprise Risk Management, Legal, Compliance and Internal Audit to engage management as appropriate. Our CISO has over 25 years of information security experience and is licensed as a Certified Information Systems Security Professional.


Company Information

Name: BERKLEY W R CORP
CIK: 0000011544
SIC Description: Fire, Marine & Casualty Insurance
Ticker: WRB - NYSE, WRB-PE - NYSE, WRB-PF - NYSE, WRB-PG - NYSE, WRB-PH - NYSE
Category: Large accelerated filer
Fiscal Year End: December 30