Page last updated on February 18, 2025
Arthur J. Gallagher & Co. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-18 06:04:58 EST.
Filings
10-K filed on 2025-02-18
Arthur J. Gallagher & Co. filed a 10-K at 2025-02-18 06:04:58 EST
Accession Number: 0000950170-25-021775
Item 1C. Cybersecurity.
We have implemented a cybersecurity program to assess, identify, and manage risks from cybersecurity threats that could adversely and materially affect the confidentiality, integrity, and availability of our information and information systems. We maintain administrative, technical, and physical safeguards designed to protect the security and privacy of confidential, personal and proprietary information. Our cybersecurity program is aligned with notable control frameworks such as the NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) and ISO (International Organization for Standardization) 27001.

Our cybersecurity program leverages people, processes, and technology to identify and respond to cybersecurity threats. We have a global incident response capability supported by our Security Operations Center (which we refer to as SOC) team, a managed security service provider (MSSP) and our global Cybersecurity Incident Response Team (which we refer to as CSIRT), which provides threat detection and incident response. We maintain a global cybersecurity incident response plan and related playbooks, for execution by the SOC team and CSIRT, in coordination with internal and external stakeholders, as applicable. Significant incidents are escalated to a cross-departmental team to assess materiality based on qualitative and quantitative factors. This team consists of executives representing core business functions, including, among others, information technology, legal, finance, accounting, data protection and business divisions, in consultation with third-party advisors, as applicable. We undertake periodic leadership tabletop exercises and periodic adversarial (“red team”) exercises simulating incident response under common risk scenarios. As an acquisitive organization, we have also established a program to increase our visibility into the cybersecurity environment of acquisition targets prior to closing.
We have established a dedicated vendor assessment team, which employs systems and processes designed to oversee, identify, and reduce the potential impact of a security incident at a third-party vendor, service provider or customer or that otherwise implicates the third-party technology and systems we use. We also require cybersecurity insurance coverage for vendors whose services or products may present a cybersecurity risk. We continuously test and assess our cybersecurity posture, including through annual third-party risk assessments performed by reputable assessors, consultants and auditors. A global FAIR (Factor Analysis of Information Risk) assessment is conducted at least annually to update our cybersecurity risks and corresponding mitigations. Our employees complete training on data security and our policies when they join us and annually thereafter. We review the content of our mandatory training annually, and provide access to a comprehensive set of supplemental training.

Our Chief Information Security Officer (CISO), working together with our Chief Information Officer (CIO), oversees a team of employees dedicated to cybersecurity. Our CISO receives ongoing updates from the cybersecurity team regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents and regularly reports to the CIO. Our CISO is an active member of our management-level enterprise risk management committee, which has broad oversight of the company’s enterprise risks, including cybersecurity risks. In addition, our CIO and CISO both attend regular meetings of the executive officer team, including our Chief Executive Officer, Chief Financial Officer, General Counsel and other senior executive officers, dedicated to compliance and risk, and report on cybersecurity matters as appropriate.
Our Board of Directors has delegated primary responsibility for the oversight of cybersecurity matters to its Risk and Compliance Committee; however, the full board reviews significant cybersecurity matters as appropriate. Our CIO and CISO report on cybersecurity and information security at each quarterly meeting of the Risk and Compliance Committee. Our CIO has more than 30 years of experience, including from his prior business and technology leadership roles at Aegon N.V., Citigroup, Inc. and JP Morgan Chase & Company. Our CISO has more than 20 years of cybersecurity experience. Prior to joining us, he was Senior Vice President, Chief Information Security Officer at Brighthouse Financial. Before then, he served as Technology Vice President & Chief Information Security Officer for GE Healthcare. He started his career at Allstate Insurance Company. He also holds security, privacy and risk certifications, including Certified Information Systems Auditor, Certified Information Security Manager and Certified Information Systems Security Professional.

We, including our third-party vendors, have experienced cybersecurity incidents and threats and may continue to experience them in the future. Based on the information available as of the date of this Annual Report on Form 10-K, we believe that during the last three fiscal years risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations or financial condition, and as of the date of this Annual Report on Form 10-K, the Company is not aware of any material risks from cybersecurity threats that are reasonably likely to do so. However, we cannot eliminate all risks from cybersecurity threats or provide assurances that the Company will not be materially affected by such risks in the future.
Due to evolving cybersecurity threats, we may not be able to protect all information systems and, as an acquisitive organization, integrating information systems as we acquire new businesses may expose us to unexpected liabilities or increase our vulnerability. There can be no guarantee that our policies, programs and controls, and those of our third-party vendors, including those described in this section, will be sufficient to protect our information, information systems or other property. Additional information on cybersecurity risks we face is discussed in Item 1A of Part I, “Risk Factors,” which should be read in conjunction with the foregoing information.
Company Information
Name | Arthur J. Gallagher & Co. |
CIK | 0000354190 |
SIC Description | Insurance Agents, Brokers & Service |
Ticker | AJG - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |