Page last updated on March 25, 2025
Argo Group International Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-25 08:17:23 EDT.
Filings
10-K filed on 2025-03-25
Argo Group International Holdings, Inc. filed a 10-K at 2025-03-25 08:17:23 EDT
Accession Number: 0001628280-25-014609
Item 1C. Cybersecurity.
Risk Management and Strategy
We regularly assess risks from cybersecurity threats, monitor our information systems for potential vulnerabilities and test those systems pursuant to our cybersecurity policies, processes and practices. This includes scanning our internal network and infrastructure at least monthly to enhance security measures and conducting third-party vulnerability testing at minimum on an annual basis to better protect against external attacks. We also use security tools intended to protect our information systems from cybersecurity threats, and to help us identify, escalate, investigate, resolve and recover from security incidents in a timely manner.
In particular, our information security program and approach are based on the National Institute of Standards and Technology Cybersecurity Framework (“NIST Framework”). The NIST Framework establishes core requirements related to information protection, processes and technologies. In addition, we maintain a Data Protection Framework and various policies, including Information Security Policy, Privacy Policy, and Records & Information Management Policy, to appropriately manage personal information necessary to operate our business and comply with applicable regulations.
We also maintain a Third-Party Risk Management Program, including a Vendor Management Policy, which allows us to better oversee, monitor, identify and control certain risks related to the processing of personal information and customer information by our authorized third parties. This program includes categorizing vendor risk based upon the types of service being provided and types of data handled, performing risk assessments using pro forma questionnaires, and undertaking reviews of Systems and Organization Controls (SOC) reports for critical vendor relationships.
In accordance with these policies, we share personal information with affiliates, business partners, third-party service providers, or vendors only when we have a legitimate business purpose for doing so and it is permissible by law. We require third parties to maintain similar standards to ours to protect personal information. We have implemented a risk mitigation process to identify and assess the cyber posture of third parties providing commodities or services to our legal entities. We also have implemented multiple layers of data protection measures.
We have in the past, and may in the future, engage third parties to assess the effectiveness of our cybersecurity prevention and response systems and processes. As part of a continuous improvement initiative, we strive to mature and build a robust and resilient environment to protect and defend against bad actors. We engage third parties to perform internal and external testing to improve security operations, disaster recovery, and incident response programs.
As we have noted, increased adoption of AI technologies, especially Generative AI, may increase cybersecurity risks, so Argo Group has instituted an AI Policy specifically addressing such risks. Additionally, we have implemented additional technical controls to help safeguard against data loss to generative AI and have established a cross-functional AI Working Group, which meets on a periodic basis to ensure that the company remains abreast of any AI developments that may require changes to our security posture.
To date, we are not aware of risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, results of operations or financial condition.
Refer to the risk factors under “Operational Risks” in Part I, Item 1A, “Risk Factors” for additional description of cybersecurity risks and potential related impacts on the Company.
Governance
Our Board oversees the Company’s risk management process, including on cybersecurity risks, directly and through committees to which the Board has delegated authority. The Company’s Audit & Risk Management Committee is responsible for overseeing our internal controls, including cybersecurity and data protection programs, and reviews the effectiveness of our financial reporting processes and internal controls, including data privacy, information technology security and control. Meetings of the Audit & Risk Management Committee often include discussions of specific risk areas, including, among others, those relating to cybersecurity. The Audit & Risk Management Committee also frequently discusses, in accordance with its duties and responsibilities as enumerated in its committee charter, the policies, guidelines and process by which management assesses and manages risks related to data protection and cybersecurity, including assessments of the overall threat landscape, steps management has taken to monitor or mitigate its risk exposure and related strategies and investments.
Our Chief Information Officer and Chief Information Security Officer regularly report on data protection and information technology security matters to the Audit & Risk Management Committee and to Argo senior management via Security Governance Council meetings. As discussed above, our information security program and approach are based on the NIST Framework, and we have implemented cybersecurity policies, processes and practices designed to monitor and address cybersecurity threats and incidents.
Our Chief Information Security Officer, under the guidance of the Chief Information Officer and in coordination with the Head of Risk, Head of Operations, and General Counsel, is responsible for leading the assessment and management of cybersecurity risks. Our Chief Information Security Officer holds the Certified Information Systems Security Professional (CISSP) designation, has over 20 years of experience working in information security, data protection and privacy, and regularly receives reports from our threat intelligence resources, in concert with enterprise risk and legal departments, on cybersecurity threats and incidents. In addition, plans have been authored to assist our security, legal, and finance functions in assessing and managing Argo’s material risks from cybersecurity threats, and we conduct tabletop exercises and training sessions at least annually to help ensure effectiveness of said plans. Additionally, we also utilize outside resources to assist and participate in the determination of materiality of incidents stemming from cybersecurity threats.
Company Information
Name | Argo Group International Holdings, Inc. |
CIK | 0001091748 |
SIC Description | Title Insurance |
Ticker | ARGD - NYSE, ARGO-PA - NYSE |
Website | |
Category | Non-accelerated filer |
Fiscal Year End | December 30 |