Page last updated on March 3, 2025
Burford Capital Ltd reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-03 16:16:28 EST.
Filings
10-K filed on 2025-03-03
Burford Capital Ltd filed a 10-K at 2025-03-03 16:16:28 EST
Accession Number: 0001714174-25-000055
Item 1C. Cybersecurity.
Cybersecurity risk management and strategy
We strive to create a pervasive culture of cybersecurity and information systems security, focusing particularly on the tone set by our senior management. We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity and availability of our critical information systems and data. Our cybersecurity risk management program leverages certain practices from the National Institute of Standards and Technology Cybersecurity Framework, the Center for Internet Security Top 20 Critical Security Controls and the Control Objectives for Information and Related Technologies. This does not imply that we meet any particular technical standards, specifications or requirements, only that we use these frameworks and controls as a guide to help us identify, assess and manage cybersecurity risks relevant to our business. Our cybersecurity risk management program is integrated into our overall enterprise risk management program and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational and financial risk areas.
To provide for the resilience of critical information systems and data, maintain legal and regulatory compliance, manage our material risks from cybersecurity threats and protect against, detect and respond to cybersecurity incidents, our cybersecurity risk management program includes the following key elements:
▪ 24x7x365 security operations monitoring of our information systems and services to detect and act on weaknesses and potential intrusions
▪ Cloud-based platform operations that allow us to store our data on the servers of technology companies, with built-in disaster recovery protection and regular backups
▪ Regular internal and external security audits, penetration tests and risk assessments designed to help identify significant cybersecurity risks to our critical information systems and data
▪ Collaboration with third-party service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls
▪ Testing of new products and services to identify potential security vulnerabilities before release
▪ Regular network and endpoint monitoring
▪ Business resiliency planning with disaster recovery and business continuity testing
▪ Role-based access controls to identify, authenticate and authorize individuals to access information systems based on their job responsibilities
▪ Protection, including encryption, for the secure communication of sensitive data
▪ Monitoring of emerging data protection laws and implementation of changes to our processes designed to comply therewith as well as regular review of best practices from both the legal and financial services industries and engaging in a program of continuous improvement
▪ Regular review of policies, procedures and standards related to cybersecurity
▪ Cybersecurity awareness training of our employees and senior management at regular intervals
▪ Cross-functional approach to addressing cybersecurity risk, involving senior representatives from all our offices in business, information technology, finance and legal and compliance functions
▪ Cybersecurity incident response plan that sets forth procedures for responding to cybersecurity incidents, including processes designed to triage, assess severity, escalate, contain, investigate and remediate such cybersecurity incidents, as well as to comply with potentially applicable legal and regulatory obligations and mitigate reputational damage
▪ Third-party risk management process for certain service providers based on our assessment of their criticality to our business and risk profile
▪ Strong access controls for platforms and devices, including multi-factor authentication and conditional access
As part of the above processes and procedures, we regularly engage with assessors, consultants and other third parties, including by having a third-party consultant review our cybersecurity risk management program on an annual basis to help identify areas for continued focus, improvement and compliance.
Our cybersecurity risk management program also addresses cybersecurity risks associated with our use of third-party service providers, including those who have access to our employee data or our information systems. Cybersecurity considerations affect the selection and oversight of our third-party service providers, and we perform diligence on third-party service providers that have access to our information systems, data or facilities that house such information systems or data. In addition, we distribute a cybersecurity survey to all major third-party service providers on an annual basis to assess their adherence to our cybersecurity requirements.
During the years ended December 31, 2024, 2023 and 2022, we have not identified any material cybersecurity incidents and have not identified any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition, and the expenses we have incurred from any cybersecurity incidents were immaterial. There can be no assurance that our cybersecurity risk management program, including our policies, processes, controls and procedures, will be fully implemented, complied with or effective in protecting our systems and information. See "Risk factors-Risks relating to cybersecurity, third-party service providers, information systems and data privacy and protection" for additional information with respect to cybersecurity risks.
Cybersecurity governance
The Board of Directors considers cybersecurity risks as part of its risk management and oversight function and has oversight of our enterprise risk management program, including cybersecurity and other information systems risks. At each of its quarterly meetings, members of the Board of Directors receive a comprehensive risk presentation and review the key risks across the global enterprise focusing, among other things, on cybersecurity and other information systems risks. In addition, from time to time, the Board of Directors receives presentations on various cybersecurity topics from our Chief Information Officer, including relating to our efforts to improve our cybersecurity risk management program and comparison of our cybersecurity risk management program to those of other companies in the legal and financial services industries. The Chief Information Officer and the cybersecurity committee have the responsibility for our overall cybersecurity risk management program.
Our Chief Information Officer has primary responsibility for assessing and managing material risks from cybersecurity threats, and has over 20 years of cybersecurity work experience, including at major financial institutions and consulting firms and involving the management of information security and the development of cybersecurity strategy, and who has relevant degrees and certifications, including a Bachelor’s degree in Computer Science from Cornell University. Our Chief Information Officer supervises both our internal information technology team and our external cybersecurity consultants and other third-party service providers.
Our Chief Information Officer meets regularly with our internal cybersecurity committee, composed of senior representatives from all our offices in business, information technology, finance and legal and compliance functions, including, among others, our Chief Financial Officer and our Chief Compliance Officer. With assistance from our internal information technology team, our Chief Information Officer conducts cybersecurity and other information systems risk assessments on at least an annual basis and reports the results of these assessments, as well as any material cybersecurity and other information systems risks, to the cybersecurity committee. The cybersecurity committee focuses on assessing processes and procedures to assist with prevention and detection of cybersecurity incidents, whereas our Chief Information Officer, with assistance from our internal information technology team, is responsible for mitigation and remediation of cybersecurity incidents.
In addition, we engage third-party vendors to (i) perform a yearly cybersecurity assessment to identify any weaknesses and address them, including performing yearly penetration tests to determine if there are any vulnerabilities, and (ii) monitor our cloud environment 24/7, identify threats and respond to them by shutting down any activity that is deemed potentially harmful.
Our cybersecurity policies specify escalation points for reporting potential cybersecurity incidents to our Chief Information Officer and our Chief Compliance Officer, and we have adopted a cybersecurity incident response plan that sets forth procedures for responding to cybersecurity incidents. If applicable, the Board of Directors receives briefings from management on our cybersecurity risk management program and any significant cybersecurity incidents.
Company Information
Name | Burford Capital Ltd |
CIK | 0001714174 |
SIC Description | Finance Services |
Ticker | BUR - NYSE |
Category | Large accelerated filer |
Fiscal Year End | December 30 |