WILLIS TOWERS WATSON PLC 10-K Cybersecurity GRC - 2025-02-25

Page last updated on February 25, 2025

WILLIS TOWERS WATSON PLC reported its cybersecurity risk management and governance process in an annual 10-K filed on 2025-02-25 12:58:58 EST.

Filings

10-K filed on 2025-02-25

WILLIS TOWERS WATSON PLC filed a 10-K at 2025-02-25 12:58:58 EST
Accession Number: 0000950170-25-026278


Item 1C. Cybersecurity.

WTW’s management is responsible for the day-to-day management of risks, and the board, including through its committees, is responsible for understanding and overseeing the various risks facing WTW. As a professional services firm providing advice, broking and solutions in the areas of people, risk and capital, and often handling confidential and sensitive information, cybersecurity risk management is an integral part of our enterprise risk management (‘ERM’) strategy.

Cybersecurity Risk Management and Strategy

Increased global cybersecurity vulnerabilities, threats and more sophisticated and targeted cyber-related attacks pose an ongoing risk to the security of our information systems and networks. WTW seeks to manage cybersecurity risks consistent with its general approach to ERM. As further described below, our cybersecurity risk management program is coordinated by cross-functional teams. Technology and cyber risks that meet certain thresholds are escalated and tracked by the ERM team within the WTW Risk function. WTW has been certified to ISO 27001 and identifies, categorizes and manages cyber risks according to frameworks such as SOC 2 - Type 2 and the National Institute of Standards and Technology (‘NIST’) Framework. Additionally, WTW undertakes vulnerability scanning, and engages third parties from time to time to conduct penetration testing to help WTW identify and reduce the threat of known and emerging cybersecurity risks.

Board Oversight and Governance

WTW’s board of directors has delegated the oversight of cybersecurity risks to the Risk and Operational Oversight Committee (the ‘Risk Committee’), which was recently formed following the completion of the three-year term of the Operational Transformation Committee. The Risk Committee assists the board of directors in its oversight of the ERM framework, policies, and practices used by WTW to identify, assess, and manage WTW’s key operational risks, including without limitation: cybersecurity, technology, information security, privacy, and artificial intelligence risk. WTW’s Chief Information Security Officer (‘CISO’) and Global Head of Technology report to the Risk Committee on cybersecurity matters, including key risks. The Risk Committee reports to the board of directors at each formal board meeting, and the board of directors discusses those reports.

Management Oversight and Governance

Management plays an important role in assessing and managing WTW’s material risks from cybersecurity threats. The CISO is responsible for designing and implementing a security program and strategy. WTW’s CISO has served in various roles in information technology and information security for over 33 years, including serving as CISO of several public companies. The CISO holds undergraduate and graduate degrees in mathematics and strategic information systems and has attained the professional certification of Certified Information Systems Security Professional. The CISO reports to the Global Head of Technology. WTW’s Global Head of Technology has served in various roles in information technology for over 25 years. The Global Head of Technology holds a graduate degree in business.

As part of the WTW cybersecurity program, cross-functional teams throughout WTW, including enterprise risk management, operational resilience, legal, compliance and information security, coordinate to monitor, consider, and, when appropriate, address cybersecurity threats and respond to cybersecurity incidents. Through ongoing communications among these teams, the CISO, the Global Head of Technology, and other members of senior management, as appropriate, are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity threats and incidents and escalate such threats and incidents as appropriate through the processes described in more detail below. WTW’s cybersecurity program is an ongoing process designed to identify, assess and manage WTW’s risk exposures over the short-, intermediate- and long-term. Management’s cybersecurity risk management strategy and processes include the following areas of focus:

- Incident Response Planning: WTW has a global Information and Cyber Security Incident Response Plan (‘ICSIRP’ or ‘Plan’) for identifying and managing cyber and data security threats. The ICSIRP defines the roles and responsibilities of WTW stakeholders involved in responding to cyber and data security events, severity levels and incident categories, and it outlines a process for incident management, including escalation and communication procedures.
- Technical Safeguards: WTW seeks to continuously improve implemented technical safeguards that are designed to protect WTW’s information systems. Standards include controls for access management, cyber threat and incident management, data security, encryption, human resource security, network and device security, secure asset management, secure system development, security operations and third-party security. While WTW seeks to maintain adequate controls, they may not always be effective or at the level of maturity that the Company ultimately wishes to maintain. See Part I, Item 1A Risk Factors under the heading ‘Data and cybersecurity breaches or improper disclosure of confidential company or personal data could result in material financial loss, regulatory actions, reputational harm and/or legal liability’ for more information about WTW’s technical controls, management, mitigation, and security practices as well as the risks related thereto.
- Education and Awareness: WTW’s policy requires annual, mandatory privacy and information security training for all WTW colleagues.
- Third-Party Risk Management: WTW’s risk management strategy includes a risk management process focused on third-party service providers and other parties with which we engage that is intended to align with the technology security key controls across the organization.
- Threat Intelligence: Through its regular monitoring processes, WTW obtains intelligence on cyber threats relevant to the Company at strategic, operational and tactical levels to help inform and reassess its cybersecurity risk management priorities.

Material Effects of Cybersecurity Incidents

Although we and our vendors regularly experience cybersecurity incidents, we do not believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected our business strategy, results of operations or financial condition. However, there is no guarantee that a future cyber incident would not materially affect our business strategy, results of operations or financial condition. To learn more about risks from cybersecurity threats, review the risk factors included in Part I, Item 1A Risk Factors in this Annual Report on Form 10-K, as updated by WTW’s subsequent SEC filings. The risks described in such filings are not the only risks facing WTW. Additional risks and uncertainties not currently known or that may currently be deemed to be immaterial also may materially adversely affect WTW’s business, financial condition or results of operations.


Company Information

Name: WILLIS TOWERS WATSON PLC
CIK: 0001140536
SIC Description: Insurance Agents, Brokers & Service
Ticker: WTW - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30