Page last updated on July 16, 2024
AXIS CAPITAL HOLDINGS LTD reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 17:12:35 EST.
Filings
10-K filed on 2024-02-27
AXIS CAPITAL HOLDINGS LTD filed a 10-K at 2024-02-27 17:12:35 EST
Accession Number: 0001214816-24-000024
Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!
Item 1C. Cybersecurity.
ITEM 1C. CYBERSECURITY Risk Management and Strategy The Company’s information risk management program is designed to protect the confidentiality of nonpublic, sensitive information and the integrity and availability of our information systems. The program includes policies and procedures that identify how security measures and controls are developed, implemented, and maintained. We have designed our enterprise-wide information security program consistent with industry standards using the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Information about cybersecurity risks and our risk management processes is collected, analyzed and considered as part of our overall enterprise risk management program. Key components of our cybersecurity risk management program include: - risk assessments designed to help identify cybersecurity risks to our critical systems, information, and services. - a security team principally responsible for managing (1) our cybersecurity policies & risk assessment processes, (2) our security controls & testing, (3) identifying vulnerabilities and managing remediation, and (4) our cybersecurity monitoring & incident response. - the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security processes. - managing a cybersecurity awareness and training program that covers employees and contractors who access internal systems. - a cybersecurity incident response plan that includes procedures for responding to various types of cybersecurity incidents and tested through periodic tabletop exercises. - a third-party security risk assessment team, which is involved with identifying, assessing, and controlling risks that occur due to interactions with third parties including vendors and procurement. - a cyber risk assessment process to assist in assessing the security posture of third parties. - restricted physical access to critical areas, servers, and network equipment. - business continuity and disaster response plans. Impact of Material Risk We have not experienced a material cybersecurity incident; however, financial institutions face risks from threat actors that focus on attacks of critical information systems infrastructure assets, disruption to operations, and ransomware groups that steal data, encrypt systems, and demand a payment. The Company relies on third-party software, third-party hardware, and third-party vendors to manage critical aspects of our operations which may be at risk of cybersecurity threats. Although the Company has implemented cybersecurity policies, procedures and controls intended to mitigate these risks and the likelihood of these risks occurring may not be high, if these risks are realized the impact could be material, such as in the event of a material cybersecurity incident. Additionally, in Item 1A, ’ Risk Factors ’ we discuss forward-looking cybersecurity risks that could have a material impact on us. Our disclosures in Item 1A should be read in conjunction with this Item 1C. 54 Management & Board Governance With over 30 years of industry cybersecurity experience, the Company’s Chief Information Security Officer (“CISO”) is the member of the Company’s management team with primary responsibility for the development, operation, and maintenance of the Company’s information security program. The CISO supervises the Company’s cybersecurity team, facilitates the incident response plan and acts as the liaison to the Company’s executive management team, including relaying strategies, resource requests and incident updates. The Company’s security event monitoring and detection capabilities are performed by our Cybersecurity team and third parties through the use of processes and tooling. Cybersecurity incidents are responded to by a multi-disciplinary Incident Response team and if appropriate, escalated to our Cybersecurity Disclosure Committee, Executive Management, and the Board. The level of escalation will vary depending on the severity and scope of the cyber incident. In the event of a severe cyber incident, the CISO will escalate to the relevant subcommittee to determine the course of action. All relevant roles are trained on their responsibilities regularly. The Board, along with the Risk and Audit Committees of the Board, oversees our information security program. In 2023, our Board and Risk and Audit Committees received periodic updates throughout the year on cybersecurity matters, and these updates are part of their standing agendas. These updates include reports regarding items such as cybersecurity strategies, program effectiveness, key risks and performance metrics related to the Company’s information security program and the Company’s mitigating controls. The Company has an enterprise risk management function that oversees the identification, prioritization, and mitigation of the Company’s enterprise risks, and cybersecurity is a risk category addressed by that function. The Company uses governance, risk and compliance tools to assess, identify and manage its cybersecurity risks.
Item 1C. 54 Management & Board Governance With over 30 years of industry cybersecurity experience, the Company’s Chief Information Security Officer (“CISO”) is the member of the Company’s management team with primary responsibility for the development, operation, and maintenance of the Company’s information security program. The CISO supervises the Company’s cybersecurity team, facilitates the incident response plan and acts as the liaison to the Company’s executive management team, including relaying strategies, resource requests and incident updates. The Company’s security event monitoring and detection capabilities are performed by our Cybersecurity team and third parties through the use of processes and tooling. Cybersecurity incidents are responded to by a multi-disciplinary Incident Response team and if appropriate, escalated to our Cybersecurity Disclosure Committee, Executive Management, and the Board. The level of escalation will vary depending on the severity and scope of the cyber incident. In the event of a severe cyber incident, the CISO will escalate to the relevant subcommittee to determine the course of action. All relevant roles are trained on their responsibilities regularly. The Board, along with the Risk and Audit Committees of the Board, oversees our information security program. In 2023, our Board and Risk and Audit Committees received periodic updates throughout the year on cybersecurity matters, and these updates are part of their standing agendas. These updates include reports regarding items such as cybersecurity strategies, program effectiveness, key risks and performance metrics related to the Company’s information security program and the Company’s mitigating controls. The Company has an enterprise risk management function that oversees the identification, prioritization, and mitigation of the Company’s enterprise risks, and cybersecurity is a risk category addressed by that function. The Company uses governance, risk and compliance tools to assess, identify and manage its cybersecurity risks.
Company Information
Name | AXIS CAPITAL HOLDINGS LTD |
CIK | 0001214816 |
SIC Description | Fire, Marine & Casualty Insurance |
Ticker | AXS - NYSEAXS-PE - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |