RYAN SPECIALTY HOLDINGS, INC. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on July 16, 2024

RYAN SPECIALTY HOLDINGS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 07:21:03 EST.


10-K filed on 2024-02-28

RYAN SPECIALTY HOLDINGS, INC. filed a 10-K at 2024-02-28 07:21:03 EST
Accession Number: 0000950170-24-021657


Item 1C. Cybersecurity.

All companies that maintain sensitive or confidential data or utilize technology are subject to the threat of unauthorized persons gaining unapproved access to systems or components of systems. In order to mitigate this threat to our business, we take a comprehensive approach to cybersecurity risk management. We have devoted significant resources to implement and maintain cybersecurity measures to meet regulatory requirements and the expectations of our clients, trading partners, and other stakeholders. We intend to continue to evolve our cybersecurity defenses and strategy and to make significant investments to maintain the security of our data and cybersecurity infrastructure. We face a number of cybersecurity risks in connection with our business. As of the date of this report, we are not aware of any cybersecurity incidents that materially impacted the Company in the last three years. Although such risks have not materially affected us, including our business strategy, results of operations or financial condition to date, we have, from time to time, experienced threats to and unauthorized persons gaining unapproved access to, including breaches of, our data and systems, including insider threats and phishing attacks. For more information about the cybersecurity risks we face, see "Risk Factors - We rely on the efficient, uninterrupted, and secure operation of complex information technology systems and networks to operate our business. Any significant system or network disruption due to a breach in the security of our information technology systems could have a negative impact on our reputation, regulatory compliance status, operations, sales, and operating results" included elsewhere in this Annual Report.

Risk Management and Strategy

Ryan Specialty's processes for assessing, identifying, and managing material risks from cybersecurity threats are integrated into our overall enterprise risk management program, which is overseen by our Audit Committee and the Board. We have established comprehensive cybersecurity policies, standards, processes, practices, and controls to mitigate the risk of cyber threats, and we continually invest in prevention and detection technology and employee training to enhance our cybersecurity posture. Our cybersecurity risk management program leverages and strives to align with the U.S. National Institute of Standards and Technology Cybersecurity Framework, which organizes cybersecurity risks into five categories: identify, protect, detect, respond, and recover.

Collaboration

Our cybersecurity risks are identified and addressed through a comprehensive, cross-functional approach. Key security, risk, legal, compliance, IT, and business leaders meet regularly to develop strategies for preserving the confidentiality, integrity, and availability of Company, employee, and third-party information provided to us; identifying, preventing, and mitigating cybersecurity threats; and effectively responding to cybersecurity incidents. We maintain controls and procedures that are designed to ensure prompt escalation of certain cybersecurity incidents so that decisions regarding legal and regulatory compliance, public disclosure, and reporting of such incidents can be made by management and presented to the Audit Committee of the Board (the "Audit Committee") and the Board, as necessary, in a timely manner.

Risk Assessment and Technical Safeguards

Our Information Security Steering Committee (the "Security Committee"), which is led by our Company's Chief Information Security Officer ("CISO"), meets quarterly to prioritize and align actions with business priorities, manage issues, and respond to changes in regulatory requirements. At least annually, we conduct a cybersecurity risk assessment that takes into account information from internal stakeholders, known security vulnerabilities, and information from external sources (e.g., reported security incidents that have impacted other companies, industry trends, and evaluations by third parties and consultants) and includes a tabletop exercise and external and internal penetration testing. The results of the assessment are used to drive alignment on, and prioritization of, initiatives to enhance our preventive and detective security controls, make recommendations to improve processes, and inform a broader enterprise-level risk assessment that is presented to members of management, the Audit Committee, which is comprised solely of independent directors, and the Board. Throughout the year we conduct vulnerability testing. We regularly assess and deploy technical safeguards designed to protect our information systems from cybersecurity threats. Such safeguards are regularly evaluated and improved based on industry best practices, vulnerability assessments, cybersecurity threat intelligence, input from consultants, and incident response experience.

Monitoring and Incident Response Plan

Information security risks are monitored by our security operations center team along with managed services providing 24x7x365 monitoring and response. Ryan Specialty retains third-party resources with a leading cybersecurity company for incident response when needed, including remediation. We apply lessons learned from our defense and monitoring efforts to help manage and prevent future incidents. We have established a comprehensive incident response plan that is regularly tested and evaluated to confirm its effectiveness. In the event our CISO determines a cybersecurity incident needs to be escalated, she engages our critical escalation team who, with the assistance of third-party consultants, will make the determination as to whether the incident is material and whether escalation to senior management, the Audit Committee, and/or the Board is required.

Third-Party Risk Assessments

We conduct information security assessments before sharing or allowing the hosting of sensitive data in computing environments managed by third parties, and our standard terms and conditions contain contractual provisions requiring certain security protections and require those vendors and providers that meet certain risk profiles to meet appropriate security requirements, controls, and responsibilities.

Education and Awareness

Our policies require each of our employees to contribute to our data security efforts. We regularly remind employees of the importance of properly handling and protecting Company, employee, and third-party data, including through annual privacy and security training to enhance employee awareness of how to recognize, detect, and respond to cybersecurity threats. In addition to the annual training requirements, we regularly send employees mock phishing emails to test their ability to assess incoming email threats. For companies that we acquire, our integration efforts include, where appropriate, workable timelines for alignment on information security, data privacy, cybersecurity, and employee education.

Governance

Board Oversight

The Audit Committee oversees our overall enterprise risk assessment and risk management policies, including risks related to cybersecurity. The Board and Audit Committee set the tone at the top by providing oversight and establishing expectations for the overall effectiveness and efficiency of the information security program. Each quarter, our CISO provides an update to the Audit Committee about our cybersecurity program, including detection, mitigation, and remediation of significant incidents, if any, that occurred during the quarter. Additionally, on an annual basis, the CISO delivers reports to the Board and Audit Committee with an annual cybersecurity risk assessment that includes information concerning the prevention, detection, mitigation, and remediation of cybersecurity incidents, if any, including material security risks and information security vulnerabilities. The Audit Committee provides a quarterly summary of all important issues to the full Board. In addition, if warranted based on our response plan, cybersecurity incidents will be escalated to the attention of the Audit Committee while such incidents are ongoing.

Management's Role

Primary responsibility for assessing and managing our cybersecurity risks rests with our CISO, who reports to our Chief Risk Officer ("CRO"). Both are members of our Security Committee, which is a governing body that drives alignment on security decisions across the Company. The Security Committee includes management across the departments and functions of the organization to enable transparency and alignment with the business' strategic goals and objectives. The Security Committee responsible for managing and implementing the Company's cybersecurity programs has many years of valuable business experience managing risks and developing and implementing cybersecurity policies and procedures. Our CISO has extensive experience in information security, managing cybersecurity programs and cybersecurity risks, and has served in various roles in information technology and information security for almost 30 years, including serving as the CISO at another large public company. She holds an undergraduate degree in Information and Decision Sciences. Our CRO has spent his entire career in the area of Enterprise Risk Management, including serving as CRO of multiple financial services companies, as well as in the public sector as a regulator improving the safety and soundness of financial institutions during the 2008 financial crisis. He holds an undergraduate degree in finance and is commissioned by the Federal Reserve as a regulatory examiner.

Company Information

SIC Description: Insurance Agents, Brokers & Service
Category: Large accelerated filer
Fiscal Year End: December 30