|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Our business heavily relies on various IT and application systems that contain proprietary and confidential information about our operations, employees, agents, claimants, customers, and their employees and property, including personally identifiable information. These systems are connected to and/or accessed from the Internet, making them susceptible to cyber-attacks. A cyber-attack on our systems, distribution partners and their key operating systems, or any other third-party partners or vendors and their key operating systems, may materially affect us. Potential impacts include prolonged interruption of our business operations, reputational harm, or substantial monetary damages. For a detailed description of the risks related to cybersecurity, refer to the "Risks Related to our General Operations" section in Item 1A. "Risk Factors." of this Form 10-K.
We have a dedicated unit, led by the Senior Vice President ("SVP") of IT Enterprise Strategy and Execution, to implement cybersecurity controls, assess and report on cybersecurity risks, and consult with our ERM unit, which is responsible for identifying, measuring, monitoring, and reporting on key enterprise-wide risks, including cybersecurity risks.
We work with industry-leading security consulting and technology partners, employing a "defense-in-depth" approach that uses multiple security measures to protect the integrity of our proprietary and confidential information. This approach aligns with the National Institute of Standards and Technology Cyber Security Framework and provides preventative, detective, and responsive measures to identify and manage risks. We periodically review our strategy and modify its implementation based on threat trends, program maturity, assessment results, and the advice of third-party security consultants. We have documented information security policies, procedures, and guidelines, known as our "Written Information Security Program." Our program (i) balances responsiveness to rapidly changing threats with ensuring our IT security environment's sustainability and overall effectiveness, and (ii) is reasonably likely to defend against risks of cybersecurity threats that would have a material impact on our business strategy, results of operations, or financial condition. This program focuses on the following six key areas to monitor various IT performance and security metrics:
•Proactive cybersecurity processes, including vulnerability scanning, penetration testing, and periodic program assessments by outside security consultants and assessors;
•Reactive cybersecurity processes that we regularly evaluate using incident response and disaster recovery exercises based on realistic scenarios;
•Endpoint technology that includes encryption, threat management, monitoring, investigation support, and backups;
•Identity and access management controls that often include multi-factor authentication and additional safeguards for staff granted elevated privileges;
•Employee cyber risk awareness, training, and testing that covers cybersecurity threats and actions to prevent or report attacks; and
•Third-party risk management and security standards, including due diligence, continuous monitoring, cyber risk scoring, and contractual obligations. We review third-party control environments when practical and align the risk exposure with our business requirements and risk tolerances.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We have a dedicated unit, led by the Senior Vice President ("SVP") of IT Enterprise Strategy and Execution, to implement cybersecurity controls, assess and report on cybersecurity risks, and consult with our ERM unit, which is responsible for identifying, measuring, monitoring, and reporting on key enterprise-wide risks, including cybersecurity risks.
We work with industry-leading security consulting and technology partners, employing a "defense-in-depth" approach that uses multiple security measures to protect the integrity of our proprietary and confidential information. This approach aligns with the National Institute of Standards and Technology Cyber Security Framework and provides preventative, detective, and responsive measures to identify and manage risks. We periodically review our strategy and modify its implementation based on threat trends, program maturity, assessment results, and the advice of third-party security consultants. We have documented information security policies, procedures, and guidelines, known as our "Written Information Security Program." Our program (i) balances responsiveness to rapidly changing threats with ensuring our IT security environment's sustainability and overall effectiveness, and (ii) is reasonably likely to defend against risks of cybersecurity threats that would have a material impact on our business strategy, results of operations, or financial condition. This program focuses on the following six key areas to monitor various IT performance and security metrics:
•Proactive cybersecurity processes, including vulnerability scanning, penetration testing, and periodic program assessments by outside security consultants and assessors;
•Reactive cybersecurity processes that we regularly evaluate using incident response and disaster recovery exercises based on realistic scenarios;
•Endpoint technology that includes encryption, threat management, monitoring, investigation support, and backups;
•Identity and access management controls that often include multi-factor authentication and additional safeguards for staff granted elevated privileges;
•Employee cyber risk awareness, training, and testing that covers cybersecurity threats and actions to prevent or report attacks; and
•Third-party risk management and security standards, including due diligence, continuous monitoring, cyber risk scoring, and contractual obligations. We review third-party control environments when practical and align the risk exposure with our business requirements and risk tolerances.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
The Executive Vice President ("EVP") & Chief Information Officer ("CIO") and the SVP of Enterprise Strategy and Execution provide quarterly updates on the strength of our cyber risk control environment, emerging cyber threat issues, and the results of external assessments by outside security consultants and assessors to the Board’s Risk Committee. The Board's Risk Committee oversees our ERM framework and practices. It assists the Board in overseeing our operational activities, including the Company's information technology security program, and identifying and reviewing related risks.
The cybersecurity team, managed by the SVP of IT Enterprise Strategy and Execution, (i) receives oversight and executive support through engagement with our ERC, which is responsible for the holistic evaluation, management, and supervision of our aggregate risk profile and (ii) collaborates with our ERM function on business alignment and cybersecurity insurance procurement.
The expertise of key members of management and our committees responsible for assessing, managing, and presenting quarterly updates to the Board’s Risk Committee about our cybersecurity risks is summarized as follows:
•John Bresney, EVP & CIO, reports directly to our Chief Executive Officer and is responsible for all of our IT operations, including oversight of the SVP of Enterprise Strategy and Execution’s implementation of our cybersecurity program and enforcement of our cybersecurity policies. He has worked for us for approximately 32 years, holding various technology and information security roles of increasing responsibility. He has a bachelor’s degree in information systems and business, a Master’s Certificate in Project Management, and a Columbia University CIO Program Certificate.
•Robert McKenna, SVP of Enterprise Strategy and Execution, reports to our CIO and leads the implementation of our cybersecurity program, enforcement of our cybersecurity policies, technology planning, projects driving IT strategy, and enterprise IT risk management. He also oversees cybersecurity incidents under our Security Incident Response Plan ("IRP"). He has worked for us for approximately 23 years in related positions of increasing responsibility and has over 28 years of technology and information security experience. He has a master’s degree in business administration, a Certificate in Project Management, and is a Certified Insurance Counselor.
•Ari Moskowitz, SVP, Chief Risk and Reinsurance Officer, reports to our CFO and leads our Reinsurance and ERM teams, and chairs the ERC and the Market Security Committee. He has a bachelor's degree in mathematics from Touro College in New York, is an Associate of the Casualty Actuarial Society, and is a member of the American Academy of Actuaries. Before joining Selective in mid-2025, he spent seven years at Everest Group, leading risk and actuarial functions in various executive leadership roles. His predecessor was Christopher Cunniff, who worked for us for approximately eight years.
Our IRP describes the circumstances that require internal and external notifications of cybersecurity incidents that (i) relate to any of our computer systems or networks and compromise the confidentiality, integrity, or availability of the systems or networks, (ii) compromise the confidentiality, integrity, or availability of any sensitive data that belongs to us or a third party and is in our care or custody, or (iii) involve one or more third parties with whom we share sensitive data. It describes the (i) involvement of the SVP of Enterprise Strategy and Execution, (ii) escalation process of such incidents to senior management, including the General Counsel, CIO, Chief Financial Officer, CRO, and CEO, (iii) reporting process to the Risk Committee and Board, and (iv) the notification and disclosure process to customers, distribution partners, regulators, and the SEC. The IRP also provides guidance on evaluating potential cyber events and suspicious cyber occurrences. We engage outside legal counsel and technical experts to regularly review the IRP and use internal teams and outside advisors with specialized skills to support the response and recovery efforts of proprietary and confidential information.
For additional information on our overall corporate governance structure and internal process of assessing our other significant risks, see the "Corporate Governance, Sustainability and Social Responsibility" section in Item 1. "Business." of this Form 10-K.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Executive Vice President ("EVP") & Chief Information Officer ("CIO") and the SVP of Enterprise Strategy and Execution provide quarterly updates on the strength of our cyber risk control environment, emerging cyber threat issues, and the results of external assessments by outside security consultants and assessors to the Board’s Risk Committee. The Board's Risk Committee oversees our ERM framework and practices. It assists the Board in overseeing our operational activities, including the Company's information technology security program, and identifying and reviewing related risks.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The Executive Vice President ("EVP") & Chief Information Officer ("CIO") and the SVP of Enterprise Strategy and Execution provide quarterly updates on the strength of our cyber risk control environment, emerging cyber threat issues, and the results of external assessments by outside security consultants and assessors to the Board’s Risk Committee. The Board's Risk Committee oversees our ERM framework and practices. It assists the Board in overseeing our operational activities, including the Company's information technology security program, and identifying and reviewing related risks.
The cybersecurity team, managed by the SVP of IT Enterprise Strategy and Execution, (i) receives oversight and executive support through engagement with our ERC, which is responsible for the holistic evaluation, management, and supervision of our aggregate risk profile and (ii) collaborates with our ERM function on business alignment and cybersecurity insurance procurement.
|Cybersecurity Risk Role of Management [Text Block]
|
The Executive Vice President ("EVP") & Chief Information Officer ("CIO") and the SVP of Enterprise Strategy and Execution provide quarterly updates on the strength of our cyber risk control environment, emerging cyber threat issues, and the results of external assessments by outside security consultants and assessors to the Board’s Risk Committee. The Board's Risk Committee oversees our ERM framework and practices. It assists the Board in overseeing our operational activities, including the Company's information technology security program, and identifying and reviewing related risks.
The cybersecurity team, managed by the SVP of IT Enterprise Strategy and Execution, (i) receives oversight and executive support through engagement with our ERC, which is responsible for the holistic evaluation, management, and supervision of our aggregate risk profile and (ii) collaborates with our ERM function on business alignment and cybersecurity insurance procurement.
The expertise of key members of management and our committees responsible for assessing, managing, and presenting quarterly updates to the Board’s Risk Committee about our cybersecurity risks is summarized as follows:
•John Bresney, EVP & CIO, reports directly to our Chief Executive Officer and is responsible for all of our IT operations, including oversight of the SVP of Enterprise Strategy and Execution’s implementation of our cybersecurity program and enforcement of our cybersecurity policies. He has worked for us for approximately 32 years, holding various technology and information security roles of increasing responsibility. He has a bachelor’s degree in information systems and business, a Master’s Certificate in Project Management, and a Columbia University CIO Program Certificate.
•Robert McKenna, SVP of Enterprise Strategy and Execution, reports to our CIO and leads the implementation of our cybersecurity program, enforcement of our cybersecurity policies, technology planning, projects driving IT strategy, and enterprise IT risk management. He also oversees cybersecurity incidents under our Security Incident Response Plan ("IRP"). He has worked for us for approximately 23 years in related positions of increasing responsibility and has over 28 years of technology and information security experience. He has a master’s degree in business administration, a Certificate in Project Management, and is a Certified Insurance Counselor.
•Ari Moskowitz, SVP, Chief Risk and Reinsurance Officer, reports to our CFO and leads our Reinsurance and ERM teams, and chairs the ERC and the Market Security Committee. He has a bachelor's degree in mathematics from Touro College in New York, is an Associate of the Casualty Actuarial Society, and is a member of the American Academy of Actuaries. Before joining Selective in mid-2025, he spent seven years at Everest Group, leading risk and actuarial functions in various executive leadership roles. His predecessor was Christopher Cunniff, who worked for us for approximately eight years.
Our IRP describes the circumstances that require internal and external notifications of cybersecurity incidents that (i) relate to any of our computer systems or networks and compromise the confidentiality, integrity, or availability of the systems or networks, (ii) compromise the confidentiality, integrity, or availability of any sensitive data that belongs to us or a third party and is in our care or custody, or (iii) involve one or more third parties with whom we share sensitive data. It describes the (i) involvement of the SVP of Enterprise Strategy and Execution, (ii) escalation process of such incidents to senior management, including the General Counsel, CIO, Chief Financial Officer, CRO, and CEO, (iii) reporting process to the Risk Committee and Board, and (iv) the notification and disclosure process to customers, distribution partners, regulators, and the SEC. The IRP also provides guidance on evaluating potential cyber events and suspicious cyber occurrences. We engage outside legal counsel and technical experts to regularly review the IRP and use internal teams and outside advisors with specialized skills to support the response and recovery efforts of proprietary and confidential information.
For additional information on our overall corporate governance structure and internal process of assessing our other significant risks, see the "Corporate Governance, Sustainability and Social Responsibility" section in Item 1. "Business." of this Form 10-K.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
The Executive Vice President ("EVP") & Chief Information Officer ("CIO") and the SVP of Enterprise Strategy and Execution provide quarterly updates on the strength of our cyber risk control environment, emerging cyber threat issues, and the results of external assessments by outside security consultants and assessors to the Board’s Risk Committee. The Board's Risk Committee oversees our ERM framework and practices. It assists the Board in overseeing our operational activities, including the Company's information technology security program, and identifying and reviewing related risks.
The cybersecurity team, managed by the SVP of IT Enterprise Strategy and Execution, (i) receives oversight and executive support through engagement with our ERC, which is responsible for the holistic evaluation, management, and supervision of our aggregate risk profile and (ii) collaborates with our ERM function on business alignment and cybersecurity insurance procurement.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
The expertise of key members of management and our committees responsible for assessing, managing, and presenting quarterly updates to the Board’s Risk Committee about our cybersecurity risks is summarized as follows:
•John Bresney, EVP & CIO, reports directly to our Chief Executive Officer and is responsible for all of our IT operations, including oversight of the SVP of Enterprise Strategy and Execution’s implementation of our cybersecurity program and enforcement of our cybersecurity policies. He has worked for us for approximately 32 years, holding various technology and information security roles of increasing responsibility. He has a bachelor’s degree in information systems and business, a Master’s Certificate in Project Management, and a Columbia University CIO Program Certificate.
•Robert McKenna, SVP of Enterprise Strategy and Execution, reports to our CIO and leads the implementation of our cybersecurity program, enforcement of our cybersecurity policies, technology planning, projects driving IT strategy, and enterprise IT risk management. He also oversees cybersecurity incidents under our Security Incident Response Plan ("IRP"). He has worked for us for approximately 23 years in related positions of increasing responsibility and has over 28 years of technology and information security experience. He has a master’s degree in business administration, a Certificate in Project Management, and is a Certified Insurance Counselor.
•Ari Moskowitz, SVP, Chief Risk and Reinsurance Officer, reports to our CFO and leads our Reinsurance and ERM teams, and chairs the ERC and the Market Security Committee. He has a bachelor's degree in mathematics from Touro College in New York, is an Associate of the Casualty Actuarial Society, and is a member of the American Academy of Actuaries. Before joining Selective in mid-2025, he spent seven years at Everest Group, leading risk and actuarial functions in various executive leadership roles. His predecessor was Christopher Cunniff, who worked for us for approximately eight years.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
The Executive Vice President ("EVP") & Chief Information Officer ("CIO") and the SVP of Enterprise Strategy and Execution provide quarterly updates on the strength of our cyber risk control environment, emerging cyber threat issues, and the results of external assessments by outside security consultants and assessors to the Board’s Risk Committee. The Board's Risk Committee oversees our ERM framework and practices. It assists the Board in overseeing our operational activities, including the Company's information technology security program, and identifying and reviewing related risks.
The cybersecurity team, managed by the SVP of IT Enterprise Strategy and Execution, (i) receives oversight and executive support through engagement with our ERC, which is responsible for the holistic evaluation, management, and supervision of our aggregate risk profile and (ii) collaborates with our ERM function on business alignment and cybersecurity insurance procurement.
The expertise of key members of management and our committees responsible for assessing, managing, and presenting quarterly updates to the Board’s Risk Committee about our cybersecurity risks is summarized as follows:
•John Bresney, EVP & CIO, reports directly to our Chief Executive Officer and is responsible for all of our IT operations, including oversight of the SVP of Enterprise Strategy and Execution’s implementation of our cybersecurity program and enforcement of our cybersecurity policies. He has worked for us for approximately 32 years, holding various technology and information security roles of increasing responsibility. He has a bachelor’s degree in information systems and business, a Master’s Certificate in Project Management, and a Columbia University CIO Program Certificate.
•Robert McKenna, SVP of Enterprise Strategy and Execution, reports to our CIO and leads the implementation of our cybersecurity program, enforcement of our cybersecurity policies, technology planning, projects driving IT strategy, and enterprise IT risk management. He also oversees cybersecurity incidents under our Security Incident Response Plan ("IRP"). He has worked for us for approximately 23 years in related positions of increasing responsibility and has over 28 years of technology and information security experience. He has a master’s degree in business administration, a Certificate in Project Management, and is a Certified Insurance Counselor.
•Ari Moskowitz, SVP, Chief Risk and Reinsurance Officer, reports to our CFO and leads our Reinsurance and ERM teams, and chairs the ERC and the Market Security Committee. He has a bachelor's degree in mathematics from Touro College in New York, is an Associate of the Casualty Actuarial Society, and is a member of the American Academy of Actuaries. Before joining Selective in mid-2025, he spent seven years at Everest Group, leading risk and actuarial functions in various executive leadership roles. His predecessor was Christopher Cunniff, who worked for us for approximately eight years.
Our IRP describes the circumstances that require internal and external notifications of cybersecurity incidents that (i) relate to any of our computer systems or networks and compromise the confidentiality, integrity, or availability of the systems or networks, (ii) compromise the confidentiality, integrity, or availability of any sensitive data that belongs to us or a third party and is in our care or custody, or (iii) involve one or more third parties with whom we share sensitive data. It describes the (i) involvement of the SVP of Enterprise Strategy and Execution, (ii) escalation process of such incidents to senior management, including the General Counsel, CIO, Chief Financial Officer, CRO, and CEO, (iii) reporting process to the Risk Committee and Board, and (iv) the notification and disclosure process to customers, distribution partners, regulators, and the SEC. The IRP also provides guidance on evaluating potential cyber events and suspicious cyber occurrences. We engage outside legal counsel and technical experts to regularly review the IRP and use internal teams and outside advisors with specialized skills to support the response and recovery efforts of proprietary and confidential information.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true