Enstar Group LTD 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

Enstar Group LTD reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 16:09:31 EST.

Filings

10-K filed on 2025-02-27

Enstar Group LTD filed a 10-K at 2025-02-27 16:09:31 EST
Accession Number: 0001363829-25-000022


Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY RISK DISCLOSURES

We are increasingly dependent on sophisticated software applications and computing infrastructure to conduct key operations. We depend on both our own systems, networks and technology as well as the systems, networks and technology of our contractors, consultants, vendors and other business partners.

Cybersecurity Program

Given the importance of cybersecurity to our business, we maintain a comprehensive information security program for assessing, identifying, managing and reporting on material risks from threats to our information security. Our information security program is based on industry standards and best practices, following the National Institute of Standards and Technology (NIST) Cybersecurity Framework. As part of our information security program, we also require third-party service providers with access to personal, confidential or proprietary information to implement and maintain comprehensive cybersecurity practices consistent with applicable legal standards and industry best practices.

We also train employees on how to identify potential cybersecurity risks and protect our information and resources. This training is mandatory for all employees globally upon hire and on an annual basis.

We use the Three Lines Model in order to ensure our information security program’s effectiveness and readiness. Our first line is our IT Security Operations, which implements and executes upon a robust control framework, while our Information Security Assurance function maintains an information security assurance program that includes external penetration management and performing third-party risk assessments. Our second line is our Risk and Compliance functions. Our Risk function performs table top exercises, “red team” testing and stress testing, while our Compliance function ensures regulatory requirements are identified proactively and monitors compliance with our internal policies and procedures. Our third line consists of our Internal Audit function, which provides objective assurance and testing over internal policies and procedures related to our information security program.

Governance

Management Oversight

Our management plays an active role in assessing and managing the risks posed to us by cybersecurity threats. Our strategy for managing cybersecurity risk is embedded within the IT function, which reports to our Chief of Business Operations (CBO) and our Information Security function, which reports to our CRO. The controls and processes employed to assess, identify and manage material risks from cybersecurity threats are implemented and overseen by our Global Chief Information Officer (CIO) and our Group Information Security Officer (GISO).

Our CIO has over 25 years of experience in the area of information technology. He previously served in related roles, including IT strategy and delivery roles at Arthur Andersen Consulting and Deloitte Consulting, and has served in his current role since joining us in 2017.

Our GISO has over 19 years of information security experience. His experience includes driving our information security strategy, awareness and training, third-party cyber risk management, compliance, and providing assurance of the security activities conducted by the IT Security Operations team. He has served in his current role since joining us in 2006.

Our CIO and GISO are responsible for the day-to-day management of the cybersecurity program, including the prevention, detection, investigation, response to, and recovery from cybersecurity threats and incidents, and are regularly engaged to help ensure the cybersecurity program functions effectively in the face of evolving cybersecurity threats.

Enstar Group Limited | 2024 Form 10-K

Board Oversight

The Board of Directors actively oversees the Company’s management of cybersecurity risk. Primary responsibility for the Board’s role in oversight of the Company’s management of cybersecurity risk is delegated to the Risk Committee of the Board. The Risk Committee is responsible for reviewing, discussing with management, and overseeing the Company’s data privacy, information technology and security and cybersecurity risk exposures.

Our CIO and GISO provide regular updates on cybersecurity risk and our information security program to the Risk Committee. These reports typically occur on a quarterly basis and include updates on current cyber risks, cybersecurity strategies and initiatives, event preparedness, the status of projects to strengthen our information security program, and the emerging cybersecurity threat landscape.

Process for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats

In the event of a breach, we have a comprehensive plan in place for assessing and addressing any potential threats to our information security. We maintain a Cyber and Data Incident Response Plan and Framework, which identifies and describes the roles and responsibilities of the Cyber Incident and Response Team and the Crisis Oversight Committee. The Cyber Incident Response Team is responsible for receiving information relating to possible incidents, investigating and analyzing them, and taking the appropriate action to avoid and mitigate the damage caused by such incidents. The Crisis Oversight Committee, chaired by our CBO, is responsible for support and oversight of the Cyber and Data Incident Response Plan and Framework and oversight of the Cyber Incident Response Team’s execution of the plan in the event of a cyber incident.

We maintain an operational incident portal that allows employees to log instances where they believe they have been the victim of a cyber incident, encountered a data breach or have become aware that a third-party service provider has suffered a cyber incident or data breach. In respect of cyber incidents and data breaches, timely reporting helps to contain the breach, recover faster, minimize business impacts, and comply with laws and regulations including time sensitive notifications. Cyber security is considered everyone’s responsibility, and it is important that incidents are reported quickly and efficiently.

Cybersecurity Risks

Our cybersecurity risk management processes are integrated into our overall ERM Framework. As part of our ERM Framework, we maintain the traditional Three Lines Model (Management, Risk & Compliance and Internal Audit) to delineate accountabilities and establish a ‘check and balance’ management of risks. For additional information on our ERM Framework, refer to “Item 1. Business - Enterprise Risk Management.”

Although our information security program is designed to attempt to prevent, detect and respond to a cybersecurity incident, there can be no assurance that such an incident will not occur. A cybersecurity incident could cause the failure of our information security systems or those of our third-party service providers, which could materially impact our ability to perform certain critical functions, affect the confidentiality, availability or integrity of our proprietary information and expose us to litigation and increase our administrative expenses.

As of the date of this report, we are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected the business strategy, results of operations or financial condition of the Company or are reasonably likely to have such a material effect. However, evolving cybersecurity threats make it increasingly challenging to anticipate, detect, and defend against cybersecurity threats and incidents. For additional information on the risks we face from cybersecurity threats, refer to “Item 1A. Risk Factors - Risks Relating to Our Operation.”


Company Information

Name: Enstar Group LTD
CIK: 0001363829
SIC Description: Fire, Marine & Casualty Insurance
Ticker: ESGR - Nasdaq, ESGRP - Nasdaq, ESGRO - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30