Page last updated on March 26, 2025
OXBRIDGE RE HOLDINGS Ltd reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-26 16:01:38 EDT.
Filings
10-K filed on 2025-03-26
OXBRIDGE RE HOLDINGS Ltd filed a 10-K at 2025-03-26 16:01:38 EDT
Accession Number: 0001641172-25-000736
Item 1C. Cybersecurity.
Governance
Cybersecurity is an integral part of the Board’s risk analysis and discussions with management. Our board of directors administers the Company’s cybersecurity risk oversight function directly as a whole, as well as through the audit committee. At least annually, the full Board is updated on the Company’s cybersecurity risks and risk mitigation strategy by the audit committee. The audit committee has access to advisors, and various other reports, and presentation materials related to cybersecurity threats, risk and mitigation. The Board also receives ad hoc updates, as needed, about material changes to the Company’s cybersecurity program and/or the cybersecurity landscape, including briefings on major legislative and regulatory developments.
The Company regularly evaluates its cybersecurity risk profile and leads the development of strategies to mitigate risks and address cybersecurity issues that may arise in consultation with members of our senior management team. On an as needed basis, the Company engages external advisors and consultants to assess our internal cybersecurity programs and compliance with applicable regulatory requirements and industry standards.
We have formal policies and procedures that address cybersecurity incident response and disaster recovery from interference with our critical applications. Our Cybersecurity Incident Response Standard provides a documented framework for responding to cybersecurity incidents in coordination across multiple departments. In the event of such an incident, our Cybersecurity Incident Response Team (“CIRT”), which includes our CIO, Chief Executive Officer, Chief Financial Officer, and outside legal counsel, would respond to such incident in accordance with our Cybersecurity Incident Response Standard.
Any cybersecurity incident that is designated by the CIRT with a “High” severity classification according to the Cybersecurity Incident Response Standard or that otherwise necessitates regulatory disclosure because of its materiality, will be communicated by the CIRT to the Board within specified timeframes. All cybersecurity incidents will be evaluated by our CIRT to assess the impact of the incident on the Company, considering qualitative and quantitative factors. In conducting this assessment and responding to an incident, the CIRT may utilize the services of third-party consultants. Third-party consultants may be engaged to assist with the identification of the source of any cybersecurity incidents, remediation and recovery from such incident, and the refinement of cybersecurity controls to avert similar future cybersecurity threats and incidents.
Cybersecurity user awareness training is mandatory for all new hires and for existing employees on an annual basis to help protect our employees and the Company against cybersecurity threats. Novel cybersecurity threats to the Company that are identified are communicated to all employees by email, as needed, in an effort to promote awareness and protect the Company from cyber attacks.
Risk Management Strategy
We maintain an Enterprise Risk Management (“ERM”) program to identify and respond to the most critical risks to our business, including cybersecurity risks. Risks and vulnerabilities from our increased reliance on information technology systems are assessed at least annually by our Executive Management Team as part of our ERM program. In response to such assessments, controls are embedded into our processes and technology by our Executive Management Team to seek to mitigate risks to our systems and processes from cybersecurity incidents.
We continuously evaluate whether we have adequate controls in place utilizing a risk-based approach that tailors and applies best practice from various industry standard IT Management frameworks such as Information Technology Infrastructure Library (ITIL), Control Objectives for Information Technologies (COBIT), National Institute of Standards and Technology CyberSecurity Framework, and ISO/IEC 27001. Our daily operations are continuously monitored. We monitor traffic traversing our computer networks and have implemented IT controls and processes to secure our business applications and prevent unauthorized access to or the loss of sensitive data. Our controls include the use of multiple encryption layers for data in transit and at rest, multi-factor authentication, data classification, and data loss prevention. We plan to assess the adequacy of our cybersecurity IT controls through annual cybersecurity vulnerability testing.
We maintain a risk-based approach to evaluating and overseeing cybersecurity risks presented by our third-party vendors. Third-party vendors that meet certain criteria, such as owning and operating any information technology networks and systems on which the Company relies, are evaluated to assess their performance across several domains, including data security and operations management. We seek to maintain effective communication with our third-party vendors to facilitate timely notification of cybersecurity incidents that might impact the Company. We also independently monitor reputable cybersecurity publications for notifications about vulnerabilities in widely used software libraries, APIs, and other generally available technologies upon which our third-party vendors’ products might rely.
Although risks from cybersecurity threats have to date not materially affected, and we do not believe they are reasonably likely to materially affect, us, our business strategy, results of operations or financial condition, like other companies in our industry, we could, from time to time, experience threats and security incidents related to our and our third-party vendors’ information systems. For more information, please see “Item 1A. Risk Factors - Increased Information Technology (“IT”) security threats and more sophisticated computer crime could pose a risk to our systems, networks, and services.”
Company Information
Name | OXBRIDGE RE HOLDINGS Ltd |
CIK | 0001584831 |
SIC Description | Fire, Marine & Casualty Insurance |
Ticker | OXBR - Nasdaq, OXBRW - Nasdaq |
Website | |
Category | Non-accelerated filer Smaller reporting company |
Fiscal Year End | December 30 |