RLI CORP 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

RLI CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 11:54:09 EST.

Filings

10-K filed on 2024-02-23

RLI CORP filed a 10-K at 2024-02-23 11:54:09 EST
Accession Number: 0001558370-24-001599


Item 1C. Cybersecurity.

Risks from cybersecurity threats or incidents (cybersecurity risks) are assessed, identified and managed by the Company in a manner that is consistent with leading cybersecurity frameworks, including the National Institute of Standards and Technology Cybersecurity Framework (NIST Framework). The Company's approach to cybersecurity risk management is generally based on the five core functions contained within the NIST Framework organizing structure: identify, protect, detect, respond and recover. As of the date of this report, risks from cybersecurity threats or incidents have not materially affected, nor are they reasonably likely to materially affect, the Company's business strategy, results of operations or financial condition. However, in light of emerging and changing cybersecurity threats and vulnerabilities, the Company cannot guarantee that it will not be a victim of a cybersecurity attack in the future that could materially affect the Company. See Item 1A, Risk Factors for more information.

The RLI Corp. Board of Directors provides oversight for cybersecurity risks primarily through its audit committee. The Company's chief information officer (CIO), who also serves as the Company's chief information security officer (CISO), along with the head of the Company's IT security department, present quarterly to the audit committee on cybersecurity risks and the Company's strategies and actions to assess and manage those risks. Additionally, the board receives periodic updates on emerging cybersecurity issues and developments through director education provided by the Company and third-party experts, detailed reviews provided by the CIO/CISO and the Company's head of IT security on select cyber security topics, and table top simulations of a cybersecurity event.

Management oversight of cybersecurity risks is provided through the Company's risk committee, which is chaired by the chief executive officer and comprised of members of senior management. Among its responsibilities, the risk committee identifies the Company's material risks and reviews the strategies, processes and controls in place to facilitate the understanding, identification, prevention, measurement, reporting and mitigation of those risks. The risk committee meets quarterly and reviews the Company's current assessment of cybersecurity risks conducted by the Company's CIO/CISO and IT security department based on leading cybersecurity frameworks. The risk committee also periodically conducts a detailed review of cybersecurity risks.

The Company's IT security department, which operates under general oversight of the Company's CIO/CISO, is responsible for day-to-day assessment and management of cybersecurity risks, including efforts to prevent and, if necessary, mitigate the effects of a cybersecurity incident. The Company's CIO/CISO has 25 years of technology and technology leadership experience, including 13 years serving as a CISO in the insurance industry.

The Company maintains a Cybersecurity Incident Response Plan (CIRP) providing a framework for identifying, evaluating and escalating potential or actual cybersecurity events. The CIRP assigns responsibilities and provides a workflow between the Company's IT security department; members of an Executive Cybersecurity Committee comprised of the chief executive officer and senior management; and the board of directors regarding the detection, assessment and response to a cybersecurity event.

The Company's internal audit department routinely engages third-party cybersecurity consultants to conduct network security audits. The Company also engages other third-party consultants in a number of areas to support the assessment, identification and management of cybersecurity risks, including risk assessments, log monitoring, threat intelligence, system penetration testing, training and incident response, among others.

The Company performs cybersecurity due diligence and monitoring of third-party vendors, which may include the review of System and Organization Control (SOC) reports or the results of a security questionnaire to identify the cybersecurity controls and protections maintained by a third party.


Company Information

Name: RLI CORP
CIK: 0000084246
SIC Description: Fire, Marine & Casualty Insurance
Ticker: RLI - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30