|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
The Company has strategically integrated cybersecurity risk management into its broader risk management framework to promote a company-wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of the Company’s decision-making processes. The Company regularly assesses risks from cybersecurity threats and monitors its computer networks for vulnerabilities. To defend the Company’s computer systems from cyberattacks, the Company uses various security tools that are designed to help the Company protect against, identify, monitor, escalate, investigate, resolve, and recover from security incidents in a timely manner.
The Company maintains an Information Security Policy and Standards that details how material risks from cybersecurity threats are assessed, identified, and managed:
• Risk assessment – a periodic risk assessment is performed by the Chief Information Security Officer using the National Institute of Standards and Technology cybersecurity framework and rates risks by criticality.
• Risk identification – vulnerabilities and risks are identified through functions performed by the Chief Information Security Officer, which include assessments using automated tools, monitoring activities, reviewing threat intelligence, and responding to incidents. Risks are also identified through independent assessments performed by third-party consultants and the internal audit function.
• Risk management – the Chief Technology Officer oversees a process designed to protect against and remediate risks according to their criticality and presents to the Risk Oversight and Audit Committees of the Board and management at least semi-annually. The Chief Information Security Officer also presents to the Board and Risk Oversight Committee on information technology, cybersecurity and data privacy matters at least annually.
The Company’s Information Security Policy and Standards details a process for responding to cybersecurity events. Awareness and alertness are important components of the Company’s cybersecurity program; each year employees are required to take the cybersecurity training and the Company conducts regular exercises to educate employees about best practices and help them identify and avoid potential threats.
The Company engages third-party consultants to conduct periodic penetration testing designed to identify potential security vulnerabilities. The Company’s internal audit function, which has been outsourced to an international accounting firm, conducts periodic audits of cybersecurity and reports on such matters to the Audit Committee of the Board.
The Company takes measures designed to mitigate risks associated with third-party vendors that have access to confidential information or provide business critical functions. Through its vendor management program, the Company screens these third-party vendors to assess their data security protocols both prior to initial engagement and periodically thereafter for compliance with the program standards. The Company seeks contractual obligations from third-party vendors to notify it in the event of a cybersecurity incident, and monitors threat intelligence reports as well as current reports of SEC-registered vendors and their sub-service providers that have access to confidential information or provide business critical functions for cybersecurity incidents.
The Company has not experienced any cybersecurity incidents that have materially affected, or that it believes are reasonably likely to materially affect, the Company, including its business strategy, results of operations, or financial condition.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
The Company has strategically integrated cybersecurity risk management into its broader risk management framework to promote a company-wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of the Company’s decision-making processes. The Company regularly assesses risks from cybersecurity threats and monitors its computer networks for vulnerabilities. To defend the Company’s computer systems from cyberattacks, the Company uses various security tools that are designed to help the Company protect against, identify, monitor, escalate, investigate, resolve, and recover from security incidents in a timely manner.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Role of Management [Text Block]
|
Under the Company’s cybersecurity governance framework, the Board has overall responsibility for overseeing management’s establishment and operation of a cybersecurity program. Members of the Board have broad-based skills in risk management oversight and/or cybersecurity oversight certifications. The Board delegates certain cybersecurity oversight responsibilities to the Risk Oversight Committee, which oversees enterprise risk, vendor management, and information technology risks, including assessing and managing cybersecurity and data privacy risks, and to the Audit Committee, whose oversight responsibility includes, as part of its oversight of the Company’s system of internal controls over financial reporting, assessing and managing financial risk exposures, including information technology, cybersecurity and data privacy risk related to the Company’s financial systems. The Risk Oversight Committee has specific responsibility for overseeing information technology processes and controls, including for cybersecurity, data privacy, compliance with related policies, and the process to monitor risks to the Company arising from changing technology trends, and coordinates with the Audit Committee, as needed.
The security of the Company’s products, services and corporate network is a key priority both for the growth of the Company’s business and its responsibilities as the leading financial guaranty insurance company. The Company takes a risk-based approach to cybersecurity and has implemented cybersecurity policies throughout its operations.
As described above in Cybersecurity – Risk Management and Strategy, the Company’s Chief Technology Officer has management responsibility for overseeing a process designed to remediate cybersecurity risks, and reports to the Board, Risk Oversight Committee, Audit Committee and management at least semi-annually. The Chief Technology Officer reported to the Board, Risk Oversight Committee and Audit Committee four times in 2024. The Chief Technology Officer has over 25 years of experience in information technology, technology research and security and operations management, with over 15 of those years focused in financial services and insurance. The Chief Technology Officer holds a Master of Science in Information Systems and a Master of Business Administration with a focus in Management and Operations. The Company has appointed a Chief Information Security Officer, who is responsible for leading the assessment and management of cybersecurity risk. In 2024, the Chief Information Security Officer made an annual report on information technology and cybersecurity risks to the Board and made four quarterly reports to the Risk Oversight Committee and the Audit Committee. The Chief Information Security Officer has over 25 years of experience in information security and is a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Certified Information Systems Auditor (CISA). The Chief Information Security Officer reports to the Board, its committees, and management on cybersecurity threats on a regular basis.
The Company uses various tools to prevent, detect, and mitigate cybersecurity incidents. The Company has procedures in place to respond to cybersecurity incidents, which include prompt meeting of the Cybersecurity Incident Disclosure Committee, a Company management committee, to assess cybersecurity incidents and determine materiality requiring disclosure on Form 8-K, notification of the Board of any material cybersecurity incidents, quarterly reporting by the Chief Information Security Officer of material and non-material incidents to the Risk Oversight Committee and management, and to the Audit Committee of such incidents related to the Company’s financial systems.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Under the Company’s cybersecurity governance framework, the Board has overall responsibility for overseeing management’s establishment and operation of a cybersecurity program. Members of the Board have broad-based skills in risk management oversight and/or cybersecurity oversight certifications. The Board delegates certain cybersecurity oversight responsibilities to the Risk Oversight Committee, which oversees enterprise risk, vendor management, and information technology risks, including assessing and managing cybersecurity and data privacy risks, and to the Audit Committee, whose oversight responsibility includes, as part of its oversight of the Company’s system of internal controls over financial reporting, assessing and managing financial risk exposures, including information technology, cybersecurity and data privacy risk related to the Company’s financial systems. The Risk Oversight Committee has specific responsibility for overseeing information technology processes and controls, including for cybersecurity, data privacy, compliance with related policies, and the process to monitor risks to the Company arising from changing technology trends, and coordinates with the Audit Committee, as needed.
The security of the Company’s products, services and corporate network is a key priority both for the growth of the Company’s business and its responsibilities as the leading financial guaranty insurance company. The Company takes a risk-based approach to cybersecurity and has implemented cybersecurity policies throughout its operations.
As described above in Cybersecurity – Risk Management and Strategy, the Company’s Chief Technology Officer has management responsibility for overseeing a process designed to remediate cybersecurity risks, and reports to the Board, Risk Oversight Committee, Audit Committee and management at least semi-annually. The Chief Technology Officer reported to the Board, Risk Oversight Committee and Audit Committee four times in 2024. The Chief Technology Officer has over 25 years of experience in information technology, technology research and security and operations management, with over 15 of those years focused in financial services and insurance. The Chief Technology Officer holds a Master of Science in Information Systems and a Master of Business Administration with a focus in Management and Operations. The Company has appointed a Chief Information Security Officer, who is responsible for leading the assessment and management of cybersecurity risk. In 2024, the Chief Information Security Officer made an annual report on information technology and cybersecurity risks to the Board and made four quarterly reports to the Risk Oversight Committee and the Audit Committee. The Chief Information Security Officer has over 25 years of experience in information security and is a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Certified Information Systems Auditor (CISA). The Chief Information Security Officer reports to the Board, its committees, and management on cybersecurity threats on a regular basis.
The Company uses various tools to prevent, detect, and mitigate cybersecurity incidents. The Company has procedures in place to respond to cybersecurity incidents, which include prompt meeting of the Cybersecurity Incident Disclosure Committee, a Company management committee, to assess cybersecurity incidents and determine materiality requiring disclosure on Form 8-K, notification of the Board of any material cybersecurity incidents, quarterly reporting by the Chief Information Security Officer of material and non-material incidents to the Risk Oversight Committee and management, and to the Audit Committee of such incidents related to the Company’s financial systems.