Chubb Ltd 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

Chubb Ltd reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 17:08:16 EST.

Filings

10-K filed on 2024-02-23

Chubb Ltd filed a 10-K at 2024-02-23 17:08:16 EST
Accession Number: 0000896159-24-000003


Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity and Risk Governance

Risk management and strategy

As detailed in our risk factors included in Item 1A, Chubb recognizes the significant risks posed by cybersecurity and data protection challenges, which could adversely affect our business, financial condition, and results of operations. We have implemented a risk-based approach to identify and assess the cybersecurity threats that could affect our business and information systems, and we evaluate changes and enhancements to our technology environment as well as conduct third-party assessments to confirm that they meet our information security control requirements. Our cybersecurity program and control environment incorporate appropriate industry standards and best practices, such as the National Institute of Standards and Technology Cyber Security Framework (NIST CSF), and are designed to comply with numerous U.S. federal and state and international laws, rules and regulations governing the protection of personal and confidential information of our clients and employees. We use various tools and methods to assess, identify and manage cybersecurity risk that are tested regularly, including the following:

Technological Tools

Chubb uses information security tools designed to protect information and systems. Our Information Security team regularly monitors these tools to discover and respond promptly to anomalous and suspicious patterns. We also participate in information sharing networks (government and private) and deploy system updates and other technologies.

Employee Training

We endeavor to provide all employees with data protection training. Employees involved with information protection, privacy and other risk management specialties also engage in specialized role-based training as is practicable. We use a variety of training methods, including computer-based training, role-based training, company intranet awareness campaigns and various simulation exercises.

Data Protection Culture

Chubb actively promotes a data protection culture. We maintain policies and standards designed to protect personal and corporate information. The policies and standards are developed by a multi-disciplinary team, with participation from information security and IT compliance, privacy, IT legal, compliance and business representatives.

Risk Assessments and Operational Audit

Our information security policies and protocols undergo regular assessments and audits, and we engage with external parties to review our protections, including benchmarking to industry standards and best practices, such as the NIST CSF. In addition, we benchmark our programs against key regulatory frameworks and conduct technical assessments of our controls, which may include penetration testing and other technical testing. These processes are integrated into our established Enterprise Risk Management (ERM) framework, which is led by Chubb's senior management and overseen by our Board's Risk & Finance Committee. Refer to Enterprise Risk Management under Item 1 for further description of our ERM function and Board oversight.

Chubb uses risk-based processes to oversee and identify cybersecurity risks associated with the use of third-party service providers and third-party hardware. These processes include contractual controls as well as risk-based diligence processes, periodic assessments, and monitoring. Chubb recognizes the growing risk associated with third-party hardware, software, and services, and we have taken steps we believe are appropriate to manage those risks. We review third-party software and hardware in our environment to understand the components used and what impact they could have on our overall cyber risk environment.

To our knowledge, and as of the filing date of this annual report, risks from cybersecurity threats, including potential risks arising from previous cybersecurity incidents, have not materially affected, nor are they reasonably likely to materially affect, Chubb's business strategy, results of operations, or financial condition. For more detail regarding cybersecurity threats, see our risk factor titled "A failure in our operational systems or infrastructure or those of third parties, including due to security breaches or cyber-attacks, could disrupt business, damage our reputation, and cause losses" under Item 1A.

Board and Management Governance

We have cybersecurity and information technology oversight at the Board and management levels. Direct Chubb Board-level oversight is generally within the purview of two of the Board's committees: Audit and Risk & Finance. The Audit Committee is responsible for oversight of our cybersecurity program and related exposures and risks. The Audit Committee periodically reports to the full Board and consults with the Risk & Finance Committee on such matters. The Audit Committee's review and oversight generally encompasses data breach risk and impact, cyber protection and detection controls, privacy matters, third-party risks (including risks from cybersecurity threats associated with any third-party service providers), cyber trends and events, and other topics. The Risk & Finance Committee is responsible for oversight of risk generally and identifying significant risks, which may include risks relating to cybersecurity and privacy, business continuity risk (including the resilience of IT operations and physical infrastructure) and cyber underwriting risk. The oversight responsibilities of the Audit and Risk & Finance Committees with respect to cybersecurity and information technology risks are each set forth in their respective charters.

Members of management, including our Chief Information Security Officer (CISO) and Global Chief Technology Officer (CTO), regularly provide updates to these committees in person and through written reports. The Audit and Risk & Finance Committees also conduct a joint meeting on ERM matters, which includes coverage of strategic risk priorities, as well as Chubb's actions and mitigation efforts in response to such risks. Cybersecurity risk management oversight is led by our CISO and CTO. Prior to joining Chubb in 2015, our CISO was Director of the threat analytics platform for a major cybersecurity incident detection and response company. Prior to that, our CISO was an executive leader within the information security practice and a technical architect with two global accounting firms. Our CTO has extensive experience as a chief technology officer in digital-first environments and was previously the chief technology officer of a large global bank, responsible for the bank's core infrastructure, end-user technology, production support, group architecture, cloud technology, and software license management. Our CTO holds a master's degree in geographical information systems and a bachelor's degree in artificial intelligence and computer science. Chubb management also benefits from the advice provided by a Cyber Advisory Board of external experts. The members of the Cyber Advisory Board have extensive experience and deep expertise on cybersecurity matters, several having served in senior government positions with executive responsibility for identifying and mitigating cyber threats across the globe. Chubb management continues to prioritize investments in cybersecurity to protect the confidentiality, integrity and availability of our data. In accordance with our cybersecurity risk assessment processes, we have deployed a set of cybersecurity controls to protect Chubb.

We also maintain a data security incident response plan, applied at an enterprise level, to facilitate our ability to rapidly detect and address data security incidents with the goals of: (i) minimizing risk to data and systems; (ii) quickly recovering and resuming operations; (iii) where applicable, providing timely notice of an incident to regulators and providing timely notice and remediation services to affected individuals; (iv) minimizing potential brand damage; (v) managing litigation, investigations and disputes that may arise in the aftermath of an incident; and (vi) identifying opportunities to enhance Chubb's data security approach. Consistent with our incident response plan, the CISO informs the Chief Privacy Officer, who is a member of our legal team, and they notify other members of management of significant cybersecurity incidents and provide them with regular updates on the status of such incidents, including mitigation, remediation, and steps to avoid recurrence.


Company Information

Name: Chubb Ltd
CIK: 0000896159
SIC Description: Fire, Marine & Casualty Insurance
Ticker: CB - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30