SiriusPoint Ltd 10-K Cybersecurity GRC - 2024-02-29

Page last updated on July 16, 2024

SiriusPoint Ltd reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 16:18:48 EST.


10-K filed on 2024-02-29

SiriusPoint Ltd filed a 10-K at 2024-02-29 16:18:48 EST
Accession Number: 0001576018-24-000018


Item 1C. Cybersecurity.

The Company is subject to several cybersecurity and data privacy laws and regulations promulgated by the BMA, New York State Department of Financial Services (“NYDFS”) and EU. The Company’s risk management program is designed to comply with these laws and regulations. The Board is responsible for overseeing the Company’s risk management program and cybersecurity is a critical element of this program. Management is responsible for the day-to-day administration of the Company’s risk management program and its cybersecurity policies, processes, and practices. The Company’s cybersecurity policies, standards, processes, and practices are based on the framework established by the National Institute of Standards and Technology, and are integrated into the Company’s overall risk management system and processes. In general, the Company seeks to address material cybersecurity threats through a company-wide approach that addresses the confidentiality, integrity, and availability of the Company’s information systems or the information that the Company collects and stores, by assessing, identifying and managing cybersecurity issues as they occur.

Cybersecurity Risk Management and Strategy

The Company’s cybersecurity risk management strategy focuses on several areas:

- Identification, Mitigation and Monitoring: The Company has implemented a comprehensive, cross-functional approach to assessing, identifying and managing material cybersecurity threats and applies a security-first mindset to our practices across the Company. The Company’s program is comprised of internal resources and external security consultants to provide guidance, oversight and support.
- Technical Safeguards: The Company implements technical safeguards through a layered security approach and third-party platforms that are designed to protect the Company’s information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality, data loss prevention and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence, as well as outside audits and certifications.
- Incident Response and Recovery Planning: The Company’s program includes controls and procedures to properly identify, classify and escalate certain cybersecurity incidents to provide management visibility and obtain direction from management as to the public disclosure and reporting of material incidents in a timely manner. The Company has established and maintains comprehensive incident response and disaster recovery plans designed to address the Company’s response to a cybersecurity incident. The Company conducts periodic tabletop exercises to test these plans and ensure personnel are familiar with their roles in a response scenario.
- Third-Party Risk Management: The Company maintains a risk-based approach to identifying and overseeing material cybersecurity threats presented by third parties, including our MGA and TPA partners, that could adversely impact our business in the event of a material cybersecurity incident affecting those third-party systems.
- Education and Awareness: The Company conducts regular, mandatory training and simulated phishing campaigns for all levels of employees regarding cybersecurity threats as a means to equip the Company’s employees with effective tools to address cybersecurity threats, and to communicate the Company’s evolving information security policies, standards, processes, and practices.

The Company conducts periodic assessment and testing of the Company’s policies, standards, processes, and practices in a manner intended to address cybersecurity threats and events. For example, the Company performs internal and external penetration tests and cyber red team and tabletop exercises. A cyber red team exercise is a simulated attack on an organization’s computer systems and network, conducted by a team of security professionals who play the role of attackers (“the red team”). The goal of the red team is to find and exploit vulnerabilities in the organization’s defenses like real attackers would. This helps the organization to identify and fix weaknesses in their security before they can be exploited by real attackers. A tabletop exercise is a discussion-based simulation where participants walk through a hypothetical scenario, typically related to an emergency or crisis, focused on preparedness and response. The results of such assessments, audits, and reviews are evaluated by management and reported to the Risk Capital Management Committee and the Board, and the Company adjusts its cybersecurity policies, standards, processes, and practices as necessary based on the information provided by these assessments, audits, and reviews.

Governance

The Board, in coordination with the Risk Capital Management Committee, oversees the Company’s risk management program, including the management of cybersecurity threats. The Board and the Risk Capital Management Committee each receive regular presentations and reports on developments in the cybersecurity space, including risk management practices, recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, and information security issues encountered by the Company’s peers and third parties.

The Board and the Risk Capital Management Committee also receive prompt and timely information regarding any cybersecurity risk, as well as ongoing updates regarding any such risk. On a quarterly basis, the Board and the Risk Capital Management Committee discuss the Company’s approach to overseeing cybersecurity threats with the Company’s Chief Information Security Officer (“CISO”) and other members of senior management. The CISO, in coordination with senior management including the Chief Executive Officer, Chief Financial Officer, Chief Information and Technology Officer (“CITO”) and Chief Legal Officer, works collaboratively across the Company to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any material cybersecurity incidents in accordance with the Company’s incident response and recovery plans. To facilitate the success of the Company’s cybersecurity program, cross-functional teams throughout the Company address cybersecurity threats and respond to cybersecurity incidents. Through ongoing communications with these teams, the CISO and senior management are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real-time, and report such threats and incidents to the Risk Capital Management Committee when appropriate.

The CISO has served in various roles in information technology and information security for over 20 years. The CISO holds undergraduate and graduate degrees in computer information systems and has attained the Certified Information Systems Security Professional certification. The CITO has served in various roles in information technology for over 20 years, including serving as Chief Information Officer and providing cybersecurity oversight at private and public sector companies.

Material Effects of Cybersecurity Incidents

Risks as a result of any previous cybersecurity threats and incidents have not materially affected and are not reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition.

Company Information

Name: SiriusPoint Ltd
SIC Description: Fire, Marine & Casualty Insurance
Category: Accelerated filer
Fiscal Year End: December 30