Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risks from cybersecurity threats or incidents (cybersecurity risks) are assessed, identified and managed by the Company in a manner that is consistent with leading cybersecurity frameworks, including the National Institute of Standards and Technology Cybersecurity Framework (NIST Framework). The Company’s approach to cybersecurity risk management is generally based on the six core functions contained within the NIST Framework organizing structure: identify, protect, detect, respond, recover and govern.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

Risks from cybersecurity threats or incidents (cybersecurity risks) are assessed, identified and managed by the Company in a manner that is consistent with leading cybersecurity frameworks, including the National Institute of Standards and Technology Cybersecurity Framework (NIST Framework). The Company’s approach to cybersecurity risk management is generally based on the six core functions contained within the NIST Framework organizing structure: identify, protect, detect, respond, recover and govern.

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

Through 2024, the RLI Corp. Board of Directors provided oversight for cybersecurity risks primarily through its Audit Committee. In February 2025, the charter of the Finance & Investments Committee was revised to include overall enterprise risk management oversight, including oversight of cybersecurity risk. The committee was renamed the Finance & Risk Committee (FRC). The Company’s CIO, along with the head of the Company’s IT security department, presents quarterly to the designated committee on cybersecurity risks and the Company’s strategies to assess and manage those risks. Additionally, the board receives periodic updates on emerging cybersecurity issues and developments through director education provided by the Company and third-party experts, detailed reviews provided by the CIO and the Company’s head of IT security on select cybersecurity topics, and periodic “table top” simulations of a cybersecurity event.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Company’s Technology Committee
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

Through 2024, the RLI Corp. Board of Directors provided oversight for cybersecurity risks primarily through its Audit Committee. In February 2025, the charter of the Finance & Investments Committee was revised to include overall enterprise risk management oversight, including oversight of cybersecurity risk. The committee was renamed the Finance & Risk Committee (FRC). The Company’s CIO, along with the head of the Company’s IT security department, presents quarterly to the designated committee on cybersecurity risks and the Company’s strategies to assess and manage those risks. Additionally, the board receives periodic updates on emerging cybersecurity issues and developments through director education provided by the Company and third-party experts, detailed reviews provided by the CIO and the Company’s head of IT security on select cybersecurity topics, and periodic “table top” simulations of a cybersecurity event.

Cybersecurity Risk Role of Management [Text Block]

The Company maintains a Cybersecurity Incident Response Plan (CIRP) providing a framework for identifying, evaluating and escalating potential or actual cybersecurity events. The CIRP assigns responsibilities and provides a workflow between the Company’s IT security department; the Company’s Technology Committee; and the board of directors regarding the detection, assessment and response to a cybersecurity event.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] chief information officer (CIO)
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The Company’s CIO has 27 years of technology and technology leadership experience, including 14 years serving as a CISO, in the insurance industry. The head of the Company’s IT security department, who reports to the CIO, holds a Certified Information Systems Security Professional designation from the Information Security Certification Consortium, has 20 years of experience in the insurance industry and has served in IT security-related roles for 24 years.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The Company maintains a Cybersecurity Incident Response Plan (CIRP) providing a framework for identifying, evaluating and escalating potential or actual cybersecurity events. The CIRP assigns responsibilities and provides a workflow between the Company’s IT security department; the Company’s Technology Committee; and the board of directors regarding the detection, assessment and response to a cybersecurity event.

The Company’s internal audit department routinely engages third-party cybersecurity consultants to conduct network security audits. The Company also engages other third-party consultants in a number of areas to support the assessment, identification and management of cybersecurity risks, including risk assessments, log monitoring, threat intelligence, system penetration testing, training and incident response, among others. The Company performs cybersecurity due diligence and monitoring of third-party vendors, which may include the review of System and Organization Control (SOC) reports or the results of a security questionnaire, to identify the cybersecurity controls and protections maintained by a third party.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true