MARKEL GROUP INC. 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

MARKEL GROUP INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 16:51:30 EST.

Filings

10-K filed on 2026-02-26

MARKEL GROUP INC. filed a 10-K at 2026-02-26 16:51:30 EST
Accession Number: 0001096343-26-000020

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY Markel Group is a holding company comprised of a diverse group of businesses and investments. Our specialty insurance business, Markel Insurance, sits at the core of our company. Markel Group also owns controlling interests in a diverse portfolio of businesses that operate in a variety of other industries. Each of our businesses is required to maintain cybersecurity insurance coverage and has its own independently managed cybersecurity and data protection program that is tailored to its operations and risk profile. Markel Insurance In order to maintain a strong cybersecurity program, Markel Insurance uses a variety of controls and technology tools designed to identify, detect, prevent, respond to, and recover from security threats. Markel Insurance undergoes regular security audits including a System and Organization Controls, or SOC, audit for cybersecurity conducted annually by independent auditors in which cybersecurity threats are identified and assessed. Markel Insurance regularly tests aspects of its internal security and conducts security risk interviews and assessments on third parties with whom it does business, depending on the nature of the relationship. Markel Insurance has invested in technology that assists its risk management teams in measuring and addressing weaknesses in its third-party and supply chain community. Markel Insurance performs continuous monitoring of all its critical third parties to ensure they are maintaining acceptable levels of security controls and remediating any known weaknesses. Markel Insurance participates in the Financial Services Information Sharing and Analysis Center to share information about the latest cyber threats and preparedness measures. Markel Insurance also shares threat intelligence information with other partners. Markel Insurance has a cybersecurity incident response plan, as well as a crisis management plan, that cover cyber events, including a process for determining the materiality of cyber events that includes evaluation by a cross functional crisis management group including security, information technology, finance, legal, and business and escalation to Markel Group 10K - 30 senior management as warranted by the severity of the situation. An internal team engages in tabletop exercises on a regular basis to enhance preparedness for such situations. Information security and data protection risks are the responsibility of all employees. Markel Insurance has a mandatory training program covering a variety of security and data protection disciplines. In addition, all Markel Insurance employees are required to acknowledge annually policies on acceptable use of Markel Insurance's technology resources and enterprise information security. Contractors are required to provide certain representations and certifications relating to information security. The Markel Insurance information security and data protection program is led by a Chief Information Security Officer (CISO) who supervises a team of security and data protection professionals across the globe. The Markel Insurance global information security and data protection program leverages the Cybersecurity Framework from the National Institutes of Standards and Technology as well as industry best practices. The program also is able to map to both ISO (International Organization for Standardization) and BSI (British Standards Institution) among other cybersecurity standards. Markel Insurance's CISO has been with Markel Insurance 15 years and has 24 years' experience in information technology, with 19 years in information technology security, and is a certified Information Systems Security Professional (CISSP). Markel Group, State National, and Nephila Information technology systems and services, including cybersecurity, used by the small team of individuals at the Markel Group holding company are provided and/or administered by teams within Markel Insurance, consistent with the practices outlined above. State National and Nephila each manage their own cybersecurity programs, with incident management support available from Markel Insurance. Other Operating Businesses Each of our other operating businesses maintains its own IT infrastructure, often supported by third-party providers, to meet its specific business needs. As a result, cybersecurity risk is decentralized and not concentrated in a single system or service provider. Given the diversity of these businesses, systems, and providers, each business tailors its program to its unique risks and operations. Management at each business is responsible for assessing and managing its cybersecurity risks, including selecting appropriate IT systems and service providers. Markel Group has established processes for these businesses to share information about how they assess, identify, and manage cybersecurity risk, including material cybersecurity incidents, with Markel Group management. For example, Markel Group requires real-time reporting of cybersecurity incidents by these businesses to understand how the matters are being managed, assess whether public disclosure is required, with escalation to Markel Group senior management as warranted by the severity of the situation. Depending on the cybersecurity incident, third parties may be engaged by these businesses to assist in understanding and managing the event. Given each business varies in size and complexity, the individual or individuals responsible for managing cybersecurity risks varies by business. In all instances, ultimate responsibility rests with the Chief Executive Officer of each business . Markel Group Board Oversight The Markel Group Board of Directors oversees Markel Group's risk management framework on an enterprise-wide basis, which includes cybersecurity risks. Periodic reports are provided to the Markel Group Board of Directors by members of management which, among other things, seek to systematically identify the principal risks facing our businesses and the manner in which such risks are addressed. For cybersecurity, this includes a review of the cybersecurity program and its governance, active and planned initiatives, protection and prevention matters, detection and response measures, and the threat landscape. Cybersecurity Risks No previous cybersecurity incident has had, or is reasonably likely to have, a material adverse effect on Markel Group, its business strategy, results of operations, or financial condition. For risks related to cybersecurity threats, see Item 1A Risk Factors, including under "Information technology systems that we use could fail or suffer a security breach or cyberattack, which could have a material adverse effect on us or result in the loss of regulated or sensitive information." 10K - 31

Company Information