MARKEL GROUP INC. 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

MARKEL GROUP INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 16:32:41 EST.

Filings

10-K filed on 2024-02-23

MARKEL GROUP INC. filed a 10-K at 2024-02-23 16:32:41 EST
Accession Number: 0001096343-24-000025


Item 1C. Cybersecurity.

Markel Group is a holding company comprised of a diverse group of companies and investments. Our specialty insurance business, Markel, sits at the core of our company. Markel Group utilizes information technology systems and services, including cybersecurity, provided and/or administered by Markel. Through Markel Group’s wholly owned subsidiary, Markel Ventures, Inc. (Markel Ventures), Markel Group owns controlling interests in businesses that operate in a variety of industries. The Markel Ventures businesses are independently managed with respect to their information security and data protection programs.

Insurance

In order to maintain a strong cybersecurity program, Markel uses a variety of controls and technology tools designed to identify, detect, prevent, respond to, and recover from security threats. Markel undergoes regular security audits including a System and Organization Controls (SOC) audit for Cybersecurity conducted annually by independent auditors in which cybersecurity threats are identified and assessed. Markel regularly tests aspects of its internal security and conducts security risk interviews and assessments on third parties with whom it does business, depending on the nature of the relationship. Markel has invested in technology that assists its risk management teams in measuring and addressing weaknesses in its third-party and supply chain community. Markel performs continuous monitoring of all its third parties to ensure they are maintaining acceptable levels of security controls and remediating any known weaknesses.

Markel participates in the Financial Services Information Sharing and Analysis Center to share information about the latest cyber threats and preparedness measures. Markel also shares threat intelligence information with other partners.
Markel has a cybersecurity incident response plan, as well as a crisis management plan, that cover cyber events, including a process for determining the materiality of cyber events that includes evaluation by a cross functional crisis management group including security, information technology, finance, legal and business and escalation to Markel Group senior management as warranted by the severity of the situation. An internal team engages in tabletop exercises several times each year to enhance preparedness for such situations.

Information security and data protection risks are the responsibility of all employees. Markel has a mandatory training program covering a variety of security and data protection disciplines. In addition, all Markel employees are required to acknowledge annually policies on acceptable use of Markel’s technology resources and enterprise information security. Contractors are required to provide certain representations and certifications relating to information security.

The Markel information security and data protection program is led by a Chief Information Security Officer (CISO) who supervises a team of security and data protection professionals across the globe. Markel’s global information security and data protection program leverages the Cybersecurity Framework from the National Institutes of Standards and Technology as well as industry best practices. Markel also is able to map to both ISO (International Organization for Standardization) and BSI (British Standards Institution) among other cybersecurity standards. Markel’s CISO has been with Markel 13 years and has 22 years’ experience in information technology, with 17 years in information technology security, and is a certified Information Systems Security Professional (CISSP).

Markel Ventures

Each of our Markel Ventures businesses maintains its own, separate IT infrastructure, that often includes third-party providers, to support the needs of its business.
As a result, cybersecurity risk for the Markel Ventures businesses is not concentrated in one system or service provider. Further, given the disparate nature of the businesses, systems, and providers, there is no single, uniform approach to managing cybersecurity risk at the Markel Ventures businesses; each is tailored to its unique needs. As is the case with all risks, management for each Markel Ventures business is responsible for evaluating and managing cybersecurity risks for its business. Therefore, each business determines the appropriate IT systems and providers needed to do so.

Management for each business shares information on material risks from cybersecurity incidents with Markel Ventures management. Markel Ventures has established processes for the Markel Ventures businesses to share information about how they assess, identify, and manage cybersecurity risk and shares information on material risks from cybersecurity incidents with Markel Group management, as appropriate.

Each Markel Ventures business has a board that meets quarterly. Material matters regarding cybersecurity risk management and cybersecurity incidents are discussed at these meetings. In addition, Markel Ventures management regularly meets with the businesses to discuss their risk identification, assessment, and management approach. These discussions include how the business assesses, identifies, and manages key risks, including cybersecurity risks.

Markel Ventures requires real-time reporting of material cybersecurity incidents to understand how the matters are being managed, assess whether public disclosure is required and inform Markel Group senior management of relevant matters. Depending on the cybersecurity incident, third parties may be engaged by the Markel Ventures businesses to assist them in understanding and managing the event.
Given the varying size and complexity of the Markel Ventures businesses, a diverse array of individuals assume responsibility for managing cybersecurity risks within them. In some instances, primary responsibility may be with a member of the executive management team. In other instances, primary responsibility may land with information technology professionals. In all instances, however, ultimate responsibility rests with each business’ Chief Executive Officer.

Markel Group Board Oversight

The Markel Group Board of Directors oversees Markel Group’s risk management framework on an enterprise-wide basis, which includes cybersecurity risks. Periodic reports are provided to the Markel Group Board of Directors by members of management which, among other things, seek to systematically identify the principal risks facing our businesses and the manner in which such risks are addressed. For cybersecurity, this includes a review of the cybersecurity program and its governance, active and planned initiatives, protection and prevention matters, detection and response measures, and the threat landscape.

Cybersecurity Risks

No previous cybersecurity incident has had, or is reasonably likely to have, a material adverse effect on Markel Group, its business strategy, results of operations, or financial condition. For risks related to cybersecurity threats, see Item 1A Risk Factors, including under “Information technology systems that we use could fail or suffer a security breach or cyberattack, which could have a material adverse effect on us or result in the loss of regulated or sensitive information.”


Company Information

Name: MARKEL GROUP INC.
CIK: 0001096343
SIC Description: Fire, Marine & Casualty Insurance
Ticker: MKL - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30