ASSURED GUARANTY LTD 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

ASSURED GUARANTY LTD reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 08:50:39 EST.

Filings

10-K filed on 2024-02-28

ASSURED GUARANTY LTD filed a 10-K at 2024-02-28 08:50:39 EST
Accession Number: 0001273813-24-000007


Item 1C. Cybersecurity.

Risk Management and Strategy

The Company has strategically integrated cybersecurity risk management into its broader risk management framework to promote a company-wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes. The Company regularly assesses risks from cybersecurity threats and monitors its computer networks for vulnerabilities. To defend the Company's computer systems from cyberattacks, the Company uses various security tools that are designed to help the Company protect against, identify, monitor, escalate, investigate, resolve, and recover from security incidents in a timely manner.

The Company maintains an Information Security Policy and Standards that details how material risks from cybersecurity threats are assessed, identified, and managed:

Risk assessment: a periodic risk assessment is performed by the Chief Information Security Officer using the National Institute of Standards and Technology cybersecurity framework and rates risks by criticality.

Risk identification: vulnerabilities and risks are identified through functions performed by the Chief Information Security Officer which includes assessments using automated tools, monitoring activities, reviewing threat intelligence, and responding to incidents. Risks are also identified through independent assessments performed by third-party consultants and the internal audit function.

Risk management: the Chief Technology Officer oversees a process designed to protect against and remediate risks according to their criticality and presents to the Risk Oversight and Audit Committees of the Board of Directors and management at least semi-annually. The Chief Information Security Officer also presents to the Board of Directors and Risk Oversight Committee on cybersecurity and data privacy matters at least annually.
The Company's Information Security Policy and Standards details a process for responding to cybersecurity events. Awareness and alertness are important components of the Company's cybersecurity program; each year employees are required to take the cybersecurity training and the Company conducts regular exercises to educate employees about best practices and help them identify and avoid potential threats. The Company engages third-party consultants to conduct periodic penetration testing designed to identify potential security vulnerabilities. The Company's internal audit function, which has been outsourced to an international accounting firm, conducts periodic audits of cybersecurity and reports on such matters to the Audit Committee of the Board of Directors.

The Company takes measures designed to mitigate risks associated with third-party vendors that have access to confidential information or provide business critical functions. Through its vendor management program, the Company screens these third-party vendors to assess their data security protocols both prior to initial engagement and periodically thereafter for compliance with the program standards.

The Company has not experienced any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, that have materially affected, or that it believes are reasonably likely to materially affect, the Company, including its business strategy, results of operations, or financial condition.

Governance

The Board of Directors oversees the risk management process, including overall responsibility for overseeing management's establishment and operation of a cybersecurity program.
The Board of Directors delegates certain cybersecurity oversight responsibilities to the Risk Oversight Committee, which oversees enterprise risk, vendor management, and information technology risks, and to the Audit Committee, whose oversight responsibility includes cybersecurity risks, data privacy and risk management related to the Company's financial systems. The Risk Oversight Committee has specific responsibility for overseeing information technology processes and controls, including for cybersecurity, data privacy, compliance with related policies, and the process to monitor risks to the Company arising from changing technology trends, and coordinates with the Audit Committee, as needed.

The security of the Company's products, services and corporate network is a key priority both for the growth of the Company's business and its responsibilities as the leading financial guaranty insurance company. The Company takes a risk-based approach to cybersecurity and has implemented cybersecurity policies throughout its operations. To that end, the Company has implemented a cybersecurity governance structure.

The Board of Directors, some of whose members have broad-based skills in risk and management oversight and/or cybersecurity oversight certifications, oversees the risk management process. The Board of Directors employs an enterprise-wide approach to risk management that supports the Company's business plans within a reasonable level of risk. In the Company's view, risk assessment and risk management entail not only understanding the risks a company faces and what steps management is taking to manage those risks, but also understanding what level of risk is appropriate for that company. The Board of Directors annually approves the Company's business plan, factoring in risk management.
It also approves the Company's risk appetite statement, which articulates the Company's tolerance for risk and describes the general types of risk that the Company accepts or attempts to avoid. The involvement of the Board of Directors in setting the Company's business strategy is a key part of its assessment of management's risk tolerance and a determinant of what constitutes an appropriate level of risk for the Company.

While the Board of Directors has the ultimate oversight responsibility for the risk management process, various committees of the Board of Directors also have responsibility for overseeing the Company's risk assessment and risk management process. The Risk Oversight Committee has specific responsibility for overseeing information technology matters, including assessing and managing cybersecurity and data privacy risks, and coordinates with the Audit Committee, which assesses and manages financial risk exposures, including cybersecurity and data privacy risks, as part of its oversight of the Company's system of internal control over financial reporting.

As described above in Cybersecurity Risk Management and Strategy, the Company's Chief Technology Officer has management responsibility for overseeing a process designed to remediate cybersecurity risks, and reports to the Board of Directors, Risk Oversight Committee, Audit Committee and management at least semi-annually. The Chief Technology Officer reported to the Board of Directors, Risk Oversight Committee and Audit Committee four times in 2023. The Chief Technology Officer has over 25 years of experience in information technology, technology research and security and operations management, with over 15 of those years focused in financial services and insurance. The Chief Technology Officer holds a Master of Science in Information Systems and a Master of Business Administration with a focus in Management and Operations.
The Company has appointed a Chief Information Security Officer, who is responsible for leading the assessment and management of cybersecurity risk. In 2023, the Chief Information Security Officer made an annual report on information technology and cybersecurity risks to the Board of Directors and Risk Oversight Committee and made four quarterly reports to the Audit Committee. The Chief Information Security Officer has over 25 years of experience in information security and is a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Certified Information Systems Auditor (CISA). The Chief Information Security Officer reports to the Board of Directors, its committees, and management on cybersecurity threats on a regular basis.

The Company uses various tools to prevent, detect, and mitigate cybersecurity incidents. The Company has procedures in place to respond to cybersecurity incidents, which include prompt meeting of the Cybersecurity Incident Disclosure Committee, a Company management committee, to assess cybersecurity incidents and determine materiality requiring disclosure on Form 8-K, notification of the Board of Directors of any material cybersecurity incidents, quarterly reporting by the Chief Information Security Officer of material and non-material incidents to the Risk Oversight Committee and management, and to the Audit Committee of such incidents related to the Company's financial systems.


Company Information

Name: ASSURED GUARANTY LTD
CIK: 0001273813
SIC Description: Surety Insurance
Ticker: AGO - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30