Page last updated on February 21, 2025
RLI CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-21 15:46:56 EST.
Filings
10-K filed on 2025-02-21
RLI CORP filed a 10-K at 2025-02-21 15:46:56 EST
Accession Number: 0001558370-25-001301
Item 1C. Cybersecurity.
Risks from cybersecurity threats or incidents (cybersecurity risks) are assessed, identified and managed by the Company in a manner that is consistent with leading cybersecurity frameworks, including the National Institute of Standards and Technology Cybersecurity Framework (NIST Framework). The Company’s approach to cybersecurity risk management is generally based on the six core functions contained within the NIST Framework organizing structure: identify, protect, detect, respond, recover and govern. As of the date of this report, risks from cybersecurity threats or incidents have not materially affected, nor are they reasonably likely to materially affect, the Company’s business strategy, results of operations or financial condition. However, in light of emerging and changing cybersecurity threats and vulnerabilities, the Company cannot guarantee that it will not be a victim of a cybersecurity attack in the future that could materially affect the Company. See Item 1A, Risk Factors for more information.
The IT security department is responsible for the day-to-day assessment and management of cybersecurity risks, including efforts to prevent and, if necessary, mitigate the effects of a cybersecurity incident. The Company’s IT security department operates under general oversight of the Company’s chief information officer (CIO), who also serves as the Company’s chief information security officer (CISO). The Company’s CIO has 27 years of technology and technology leadership experience, including 14 years serving as a CISO, in the insurance industry. The head of the Company’s IT security department, who reports to the CIO, holds a Certified Information Systems Security Professional designation from the Information Security Certification Consortium, has 20 years of experience in the insurance industry and has served in IT security-related roles for 24 years.
Management oversight of cybersecurity risks is provided primarily through the Company’s Technology Committee, which is chaired by the Company’s CIO and comprised of members of senior management. The Technology Committee’s responsibilities include general oversight of cybersecurity-related matters, maintenance of the cybersecurity and data privacy programs and oversight of the Company’s cybersecurity incident response plan. Technology risk, including cybersecurity risk, is also integrated into the Company’s enterprise risk management process. The Company’s Risk Committee, chaired by the CEO and comprised of members of executive management, identifies the Company’s material risks and reviews the strategies, processes and controls in place to facilitate the understanding, identification, prevention, measurement, reporting and mitigation of those risks. The Risk Committee meets quarterly and reviews the Technology Committee’s current assessment of cybersecurity risks.
Through 2024, the RLI Corp. Board of Directors provided oversight for cybersecurity risks primarily through its Audit Committee. In February 2025, the charter of the Finance & Investments Committee was revised to include overall enterprise risk management oversight, including oversight of cybersecurity risk. The committee was renamed the Finance & Risk Committee (FRC). The Company’s CIO, along with the head of the Company’s IT security department, presents quarterly to the designated committee on cybersecurity risks and the Company’s strategies to assess and manage those risks. Additionally, the board receives periodic updates on emerging cybersecurity issues and developments through director education provided by the Company and third-party experts, detailed reviews provided by the CIO and the Company’s head of IT security on select cybersecurity topics, and periodic “table top” simulations of a cybersecurity event.
The Company maintains a Cybersecurity Incident Response Plan (CIRP) providing a framework for identifying, evaluating and escalating potential or actual cybersecurity events. The CIRP assigns responsibilities and provides a workflow between the Company’s IT security department; the Company’s Technology Committee; and the board of directors regarding the detection, assessment and response to a cybersecurity event.
The Company’s internal audit department routinely engages third-party cybersecurity consultants to conduct network security audits. The Company also engages other third-party consultants in a number of areas to support the assessment, identification and management of cybersecurity risks, including risk assessments, log monitoring, threat intelligence, system penetration testing, training and incident response, among others. The Company performs cybersecurity due diligence and monitoring of third-party vendors, which may include the review of System and Organization Control (SOC) reports or the results of a security questionnaire, to identify the cybersecurity controls and protections maintained by a third party.
Company Information
Name | RLI CORP |
CIK | 0000084246 |
SIC Description | Fire, Marine & Casualty Insurance |
Ticker | RLI - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |