AXIS CAPITAL HOLDINGS LTD 10-K Cybersecurity GRC - 2025-02-26

Page last updated on July 18, 2025

AXIS CAPITAL HOLDINGS LTD reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-26 16:17:40 EST.

Filings

10-K filed on 2025-02-26

AXIS CAPITAL HOLDINGS LTD filed a 10-K at 2025-02-26 16:17:40 EST
Accession Number: 0001214816-25-000056


Item 1C. Cybersecurity.

Risk Management and Strategy

The Company’s information risk management program is designed to protect the confidentiality of nonpublic, sensitive information and the integrity and availability of our information systems. The program includes policies and procedures that identify how security measures and controls are developed, implemented, and maintained. We have designed our enterprise-wide information security program consistent with industry standards using the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Risk assessment, risk-based analysis, and judgment are used to select security controls to address risks. Information about cybersecurity risks and our risk management processes is collected, analyzed and considered as part of our overall enterprise risk management program.

Key components of our cybersecurity risk management program include:

- risk assessments designed to help identify cybersecurity risks to our critical systems, information, and services.
- a security team principally responsible for managing (1) our cybersecurity policies and risk assessment processes, (2) security architecture and engineering, (3) identifying vulnerabilities, managing remediation, and testing of our security controls, and (4) our cybersecurity monitoring and incident response.
- the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security processes.
- managing a cybersecurity awareness and training program that covers employees and contractors who access internal systems.
- a cybersecurity incident response plan that includes procedures for responding to various types of cybersecurity incidents and is tested through periodic tabletop exercises.
- a third-party security risk assessment team, which is involved with identifying, assessing, and controlling risks that occur due to interactions with third parties including vendors and procurement.
- restricted physical access to critical areas, servers, and network equipment.
- support of our business continuity and disaster response plans.

Impact of Material Risk

To date, no cybersecurity incidents have materially impacted the Company, including the Company’s business strategy, results of operations, or financial conditions. However, financial institutions face risks from threat actors that focus on attacks of critical information systems infrastructure assets, disruption to operations, and ransomware groups that steal data, encrypt systems, and demand a payment. The Company relies on third-party software, third-party hardware, and third-party vendors to manage critical aspects of our operations which may be at risk of cybersecurity threats. As described above, we utilize a risk-based approach and judgment to determine the security controls to implement, and it is possible we may not implement appropriate controls if we do not recognize or underestimate a particular risk. In addition, security controls, no matter how well designed or implemented, may only mitigate and not fully eliminate risks and events, and when detected by security tools or third parties, may not always be immediately understood or acted upon. Although the Company has implemented cybersecurity policies, procedures and controls intended to mitigate these risks and the likelihood of these risks occurring may not be high, if these risks are realized the impact could be material, such as in the event of a material cybersecurity incident. Additionally, in Item 1A, ‘Risk Factors’, we discuss forward-looking cybersecurity risks that could have a material impact on us. Our disclosures in Item 1A should be read in conjunction with this Item 1C.
Management & Board Governance

With over 30 years of industry cybersecurity experience, the Company’s Chief Information Security Officer (“CISO”) is the member of the Company’s management team with primary responsibility for the development, operation, and maintenance of the Company’s information security program. The CISO supervises the Company’s cybersecurity team, facilitates the incident response plan and acts as the liaison to the Company’s executive management team, including relaying strategies, resource requests and incident updates.

The Company’s security event monitoring and detection capabilities are performed by our Cybersecurity team and third parties through the use of processes and tooling. Cybersecurity incidents are responded to by a multi-disciplinary Incident Response team and, if appropriate, escalated to our Cybersecurity Disclosure Subcommittee, Executive Management, and the Board. The level of escalation will vary depending on the severity and scope of the cyber incident. In the event of a severe cyber incident, the CISO will escalate to the relevant subcommittee to determine the course of action. All relevant roles are trained on their responsibilities regularly.

The Board, along with the Risk and Audit Committees of the Board, oversees our information security program. In 2024, our Board and Risk and Audit Committees received periodic updates throughout the year on cybersecurity matters, and these updates are part of their standing agendas. These updates include reports regarding items such as cybersecurity strategies, program effectiveness, key risks and performance metrics related to the Company’s information security program and the Company’s mitigating controls. The Company has an enterprise risk management function that oversees the identification, prioritization, and mitigation of the Company’s enterprise risks, and cybersecurity is a risk category addressed by that function.

The Company uses governance, risk and compliance tools to assess, identify and manage its cybersecurity risks.


Company Information

Name: AXIS CAPITAL HOLDINGS LTD
CIK: 0001214816
SIC Description: Fire, Marine & Casualty Insurance
Ticker: AXS - NYSE; AXS-PE - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30