Arthur J. Gallagher & Co. 10-K Cybersecurity GRC - 2026-02-17

Page last updated on February 17, 2026

Arthur J. Gallagher & Co. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-17 17:10:25 EST.

Filings

10-K filed on 2026-02-17

Arthur J. Gallagher & Co. filed a 10-K at 2026-02-17 17:10:25 EST
Accession Number: 0001628280-26-008662


Item 1C. Cybersecurity.

We have implemented a cybersecurity program to assess, identify, and manage risks from cybersecurity threats that could adversely and materially affect the confidentiality, integrity, and availability of our information and information systems. We maintain administrative, technical, and physical safeguards designed to protect the security and privacy of confidential, personal and proprietary information. Our cybersecurity program is aligned with notable control frameworks such as the NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) and ISO (International Organization for Standardization) 27001. Our Chief Information Security Officer (which we refer to as our CISO), working together with our Chief Information Officer (which we refer to as our CIO), oversees a team of employees dedicated to cybersecurity. Our cybersecurity team includes Business Information Security Officers (which we refer to as BISOs) in each region to lead the cybersecurity program, and to communicate ongoing updates from the cybersecurity team regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents. Our CISO regularly reports to the CIO and is an active member of our management-level enterprise risk management committee, which has broad oversight of the company's enterprise risks, including cybersecurity risks. In addition, our CIO and CISO both attend regular meetings of the executive officer team, including our Chief Executive Officer, Chief Financial Officer, General Counsel and other senior executive officers, dedicated to compliance and risk, and report on cybersecurity matters as appropriate. Our Board of Directors has delegated primary responsibility for the oversight of cybersecurity matters to its Risk and Compliance Committee; however, the full board reviews significant cybersecurity matters as appropriate.
Our CIO and CISO report on cybersecurity and information security at each quarterly meeting of the Risk and Compliance Committee. Our cybersecurity program leverages people, processes, and technology to identify and respond to cybersecurity threats. We have a global incident response capability supported by our Security Operations Center (which we refer to as SOC) team, a managed security service provider (MSSP), ReliaQuest, and our global Cybersecurity Incident Response Team (which we refer to as CSIRT), which provides threat detection and incident response. ReliaQuest supports the operation of Gallagher's SOC, and performs triage and escalation of event data from the security information and event management (which we refer to as SIEM) solution. This support enables 24x7 monitoring and allows Gallagher to address threats and/or detections with urgency. We have rolled out additional security technologies for new acquisitions and extended our SOC to monitor acquisitions prior to integration. We have bolstered our internal cyber forensics capability to augment our Security Operations capability to strengthen our ability to detect incidents, as well as to accelerate our response in parallel with our external partners. We maintain a global cybersecurity incident response plan and related playbooks, for execution by the SOC team and CSIRT, in coordination with internal and external stakeholders, as applicable. Significant incidents are escalated to a cross-departmental team to assess materiality based on qualitative and quantitative factors. This team consists of executives representing core business functions, including, among others, information technology, legal, finance, accounting, data protection and business divisions, in consultation with third-party advisors, as applicable. We undertake periodic leadership tabletop exercises and periodic adversarial ("red team") exercises simulating incident response under common risk scenarios.
As an acquisitive organization, we have also established a program to increase our visibility into the cybersecurity environment of acquisition targets prior to closing. Other technology partners provide additional solutions and services, including endpoint detection and response, data loss prevention, dark web monitoring, vulnerability management, next-generation firewalls, advanced web proxy, and other solutions. We have also partnered with a strategic vendor to enable acceleration of our efforts to build the cyber team and mitigate risk across the company. The relationship has brought both talent and flexibility to the team and has enabled acceleration of build-outs and integrations. Identity management is a core component of our cyber program and solutions from Ping and Microsoft are in place. We have also deployed a global Privileged Access Management solution, which resulted in the vaulting of all elevated user accounts that are subject to a more stringent set of controls tied to account use and duration. Additionally, we have implemented a cloud-based password reset tool offering users a highly secure and easy-to-use interface to reset passwords, regardless of device location, or browser. Email security is a top priority for Gallagher, and we have implemented email threat detection and response services as well as capabilities to protect against phishing attacks and malicious links. Concurrently, we have rolled out phishing simulations targeted at increasing user awareness of common indicators of malicious messages. We have additionally implemented and are expanding coverage of advanced messaging features to prevent email compromise and data exfiltration, including deepfake detection and prevention.
We have established a dedicated vendor assessment team, which employs systems and processes designed to oversee, identify, and reduce the potential impact of a security incident at a third-party vendor, service provider or customer or that otherwise implicates the third-party technology and systems we use. We also require cybersecurity insurance coverage for vendors whose services or products may present a cybersecurity risk. We continuously test and assess our cybersecurity posture, including through annual third-party risk assessments performed by reputable assessors, consultants and auditors. A global FAIR (Factor Analysis of Information Risk) assessment is conducted at least annually to update our cybersecurity risks and corresponding mitigation strategies. This process results in a quantitative understanding of our top cyber risks based on annualized loss expectancy. Our top risks, in turn, guide our prioritization of cybersecurity program maturation efforts to focus on initiatives offering Gallagher the greatest residual risk reduction. Penetration testing is performed globally at least quarterly by our professional partners in cooperation with internal Gallagher teams. We also support leadership tabletop exercises and periodic adversarial ("red team") exercises simulating incident response under common risk scenarios. These scenarios are updated regularly to resemble threat actor behavior trends revealed by our threat intelligence sources. Our employees complete training on data security and our policies when they join us and annually thereafter. We review the content of our mandatory training annually and provide access to a comprehensive set of supplemental training to meet individual and role-specific needs. As a global organization, Gallagher's operational approach to data security and sensitive data such as PHI and PII ties to least privilege: limiting access to only those data, systems and applications that align with a user's role and responsibilities.
Identity management solutions and processes, such as regular user access reviews, govern the principle of least privilege. Policies inclusive of data classification and regulatory requirements for sensitive data handling mandate secure device and data handling practices, as well as controls such as encryption and data loss prevention. Of note, Data Loss Prevention tooling has been implemented globally to monitor, prevent and detect data leakage. Our CIO has more than 30 years of experience, including from his prior business and technology leadership roles at Aegon N.V., Citigroup, Inc. and JP Morgan Chase & Company. Our CISO has more than 20 years of cybersecurity experience. Prior to joining us, he was Senior Vice President, Chief Information Security Officer at Brighthouse Financial. Before then, he served as Technology Vice President & Chief Information Security Officer for GE Healthcare. He started his career at Allstate Insurance Company. He also holds security, privacy and risk certifications, including Certified Information Systems Auditor, Certified Information Security Manager and Certified Information Systems Security Professional. Gallagher remains committed to maintaining and improving our existing security posture. We regularly monitor and assess the policies and procedures in place and continue to work with leading global cybersecurity investigation firms with expertise in data privacy incident response and containment. We, including our third-party vendors, have experienced cybersecurity incidents and threats and may continue to experience them in the future.
Based on the information available as of the date of this Annual Report on Form 10-K, we believe that during the last three fiscal years risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations or financial condition, and as of the date of this Annual Report on Form 10-K, the Company is not aware of any material risks from cybersecurity threats that are reasonably likely to do so. However, we cannot eliminate all risks from cybersecurity threats or provide assurances that the Company will not be materially affected by such risks in the future. Due to evolving cybersecurity threats, we may not be able to protect all information systems and, as an acquisitive organization, integrating information systems as we acquire new businesses may expose us to unexpected liabilities or increase our vulnerability. There can be no guarantee that our policies, programs and controls, and those of our third-party vendors, including those described in this section, will be sufficient to protect our information, information systems or other property. Additional information on cybersecurity risks we face is discussed in Item 1A of Part I, "Risk Factors," which should be read in conjunction with the foregoing information.


Company Information

Name: Arthur J. Gallagher & Co.
CIK: 0000354190
SIC Description: Insurance Agents, Brokers & Service
Ticker: AJG - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 31