WHITE MOUNTAINS INSURANCE GROUP LTD 10-K Cybersecurity GRC - 2024-02-26

Page last updated on April 11, 2024

WHITE MOUNTAINS INSURANCE GROUP LTD reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-26 08:58:07 EST.

Filings

10-K filed on 2024-02-26

WHITE MOUNTAINS INSURANCE GROUP LTD filed an 10-K at 2024-02-26 08:58:07 EST
Accession Number: 0000776867-24-000005

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Identifying, assessing and managing cybersecurity risks is an important component of White Mountains s overall enterprise risk management program. As with the management of risks generally, given our holding company structure, the management of cybersecurity risks involves coordination between the Company and its consolidated subsidiaries/affiliates. The Company and each of its consolidated subsidiaries/affiliates are responsible for developing a cybersecurity program appropriate for their respective businesses. The design of these cybersecurity programs is informed by the ISO 27001 standards and the Center for Internet Security Critical Security Controls framework ( CISCSC ). This does not imply that these programs meet all specifications of ISO 27001 and CISCSC, but rather that we use them as a guide to help us identify, assess and manage cybersecurity risks relevant to our business. The cybersecurity programs developed by the Company and its consolidated subsidiaries/affiliates include, among other things, (i) advanced threat protection and detection systems; (ii) vulnerability scanning and testing of network defenses; (iii) user authentication, role-based access, and privileged access management; (iv) data encryption, loss prevention, backup and recovery mechanisms; (v) employee testing and training; (vi) technical and business team-focused incident response tabletop exercises; (vii) disaster recovery testing and (viii) security assessments of third-party service providers. White Mountains engages both its internal auditors and third-party information security experts to assist management in assessing the effectiveness of these cybersecurity programs. Risks from cybersecurity threats may cause material disruptions to our operations and reputational harm, which could materially adversely affect our results of operations and financial condition. See Item 1.A Risk Factors, We may be unable to adequately maintain our systems and safeguard the security of our data, which could adversely impact our ability to operate our business and cause reputational harm and, consequently, could materially adversely affect our results of operations and financial condition. on page 38 for more information about these risks. Governance White Mountains s Board of Directors has assigned oversight of the Company s cybersecurity risk management to the Audit Committee. The Audit Committee receives periodic reports on White Mountains s cybersecurity risks and any material cybersecurity incidents at the direction of White Mountains s senior management. In addition, the Audit Committee receives reports addressing cybersecurity risks as part of the Company s overall enterprise risk management program. White Mountains s Information Technology ( IT ) Steering Committee, which includes its Chief Information Security Officer, Chief Technology Officer and various members of senior management, as well as the senior IT leadership at each of its consolidated subsidiaries/affiliates are responsible for assessing and managing White Mountains s cybersecurity risk. These individuals include IT and cybersecurity professionals with relevant education, including degrees and/or certifications, and prior work experience. These individuals also monitor the prevention, detection, mitigation and remediation of cybersecurity incidents as part of the cybersecurity programs described above. Senior IT leadership at our consolidated subsidiaries/affiliates communicate information regarding cybersecurity risks to Company personnel through a variety of channels, including discussions between or among subsidiary/affiliate management and the Company, reports made to subsidiary/affiliate boards and direct updates to the Company s senior management and/or IT Steering Committee.

Company Information