ARCH CAPITAL GROUP LTD. 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

ARCH CAPITAL GROUP LTD. reported its cybersecurity risk management and governance process in its annual 10-K, filed on 2025-02-27 16:14:56 EST.

Filings

10-K filed on 2025-02-27

ARCH CAPITAL GROUP LTD. filed a 10-K at 2025-02-27 16:14:56 EST
Accession Number: 0000947484-25-000017


Item 1C. Cybersecurity.

Risk management and strategy

We prioritize the management of cybersecurity risk and the protection of information across our enterprise by embedding data protection and cybersecurity risk management in our operations. Our processes for assessing, identifying, and managing material risks from cybersecurity threats have been integrated into our overall risk management system and processes. For example, to identify and assess risks from cybersecurity threats, our enterprise risk management program considers cybersecurity as part of the Company’s risk assessment process, and our risk management framework requires risk owners to monitor key risks such as cybersecurity on a continuous basis. See Item 1, “Business-Enterprise Risk Management” for additional information.

As a foundation of our approach to cybersecurity risk, we have implemented processes at several levels across our enterprise to help assess, identify and manage cybersecurity risks and incidents. Our privacy and information security policies and standards cover topics such as information sharing, privacy, data handling and data management, as well as more detailed information technology (“IT”) processes encompassing incident response, access control, disaster recovery and testing, among other areas. These policies and standards are regularly reviewed and updated at least annually based on the risk and regulatory environment in which we operate. We closely monitor the privacy, cybersecurity, AI and operational resilience laws, regulations and guidance applicable to us. See Item 1, “Business-Regulation-Cybersecurity and Privacy” for additional details.

We use many third parties for IT functions, and our vendor management group performs information security risk assessments on our third-party service providers with respect to their ability to protect data from unauthorized access; on a risk-weighted basis, we routinely perform re-assessments. The Company also requires these vendors to adhere to privacy and cybersecurity measures and has a third-party service provider monitoring program in place that reviews changes to the security posture of certain higher-risk third-party service providers.

Our operations rely on the secure processing, storage and transmission of confidential and other information in our computer systems and networks. Computer viruses, hackers, employee or vendor error or misconduct, and other external hazards could expose our information systems and those of our vendors to security breaches, cybersecurity incidents or other disruptions, any of which could materially and adversely affect our ability to conduct our business. We undergo annual external penetration testing by a third-party cybersecurity firm. These tests and our tabletop exercises enable us to incorporate recommendations and learnings in our program. While we and third parties with which we do business have experienced cybersecurity incidents, to date, the Company does not believe that any previous cybersecurity incidents have materially affected the Company. The sophistication of cybersecurity threats, including through the use of AI, continues to increase, and the controls and preventative actions that we take to reduce the risk of cybersecurity incidents and protect our systems, including the regular testing of our cybersecurity incident response plan, may be insufficient. In addition, new technology that could result in greater operational efficiency, such as AI, may further expose our information systems to the risk of cybersecurity incidents.

See Item 1A, “Risk Factors-Risk Relating to Our Industry, Business & Operations-Technology failures and cyber attacks, including, but not limited to, ransomware, exploitation in software or code with malicious intent, state-sponsored cyber attacks, as well as vulnerabilities relating to new technologies, such as generative AI, may impact us or our business partners and service providers, causing a disruption in service and operations which could materially and negatively impact our business and/or expose us to litigation.”

Governance

As part of our overall risk management approach, we recognize the importance of identifying and managing cybersecurity risk at several levels, including Board oversight, executive commitment and employee training. Our Audit Committee, composed of independent directors from our Board, oversees the Board’s responsibilities relating to the operational (including IT risks, business continuity and data security) risk affairs of the Company. Our Audit Committee is informed of such risks through quarterly reports from our Chief Information Officer (“CIO”) and Chief Operations Officer (“COO”), with input from our Chief Information Security Officer (“CISO”).

Our cybersecurity and IT executives include our CIO, who has 34 years of experience in Information Technology, including 21 years in the financial services space. His responsibilities as the CIO include all areas of Information Technology and information security oversight. Our CISO has 19 years of experience in information security. The CISO holds certifications from leading security associations. The information security personnel reporting to the CISO hold various leading security certifications. The CISO, reporting to the CIO, oversees the implementation of and compliance with our information security standards and the mitigation of related risks.

We also have three management-level committees and a team that supports our processes to assess and manage cybersecurity risk.

- The Privacy and Security Committee (“P&S Committee”), co-chaired by the CISO and our Deputy General Counsel, brings together Information Security, legal, compliance, human resources and other function leads. The P&S Committee provides a forum for these cross-functional members of management to: consider new laws and regulations relating to privacy and security; consider emerging risks relating to cybersecurity and data protection; approve, review and update policies and standards as appropriate; and promote cross-functional collaboration to manage cybersecurity and privacy risks across the enterprise.
- The Operational Risk Committee (“ORC”), comprised of senior IT, operations, risk, legal and compliance leaders across business segments, manages risks from matters related to business continuity, including risks posed by cybersecurity threats, and implements controls to mitigate such operational risks. Among other processes, the ORC reviews the Company’s programs and processes related to business operations and resiliency, including crisis incident management and cyber risk response, third-party risk, vendor management, facilities, unplanned downtime, business disruption, business continuity and disaster recovery. Key information reviewed by the ORC, including as it relates to cybersecurity, is included in the COO’s quarterly report to the Audit Committee.
- The Crisis Incident Management Team (“CIMT”), which includes senior executives across the Company, is alerted as appropriate to cybersecurity incidents, natural disasters and business outages. Each quarter, the CIMT exercises its communication plan to confirm that its members can be alerted quickly in the event of an actual crisis and meet as a team to discuss the event and response options.
- The IT Steering Committee (“IT Committee”), which includes our CIO, CISO, COO and members of executive leadership, oversees IT initiatives while considering cybersecurity risk mitigation with respect to these initiatives.

The P&S Committee, ORC, CIMT and IT Committee are composed of executives with reporting lines to the CIO and/or the COO. We also have an enterprise Artificial Intelligence Governance and Oversight Committee focusing on the use and management of AI in our operations.

At the employee level, we maintain an experienced IT security team tasked with ongoing reviews of our technology systems, implementation of our privacy and cybersecurity program and support for the CIO and CISO in carrying out their reporting, security and mitigation functions. We also hold employee training on privacy and cybersecurity and on records and information management, conduct regular phishing tests and generally seek to promote awareness of cybersecurity risk through communication and education of our employee population.


Company Information

Name: ARCH CAPITAL GROUP LTD.
CIK: 0000947484
SIC Description: Fire, Marine & Casualty Insurance
Ticker: ACGL - Nasdaq; ACGLO - Nasdaq; ACGLN - Nasdaq
Category: Large accelerated filer
Fiscal Year End: December 30