Annual report pursuant to Section 13 and 15(d)

Cybersecurity Risk Management and Strategy Disclosure

12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] Ryan Specialty’s processes for assessing, identifying, and managing material risks from cybersecurity threats are
integrated into our overall enterprise risk management program, which is overseen by the Audit Committee of the Board
(the “Audit Committee”). The Audit Committee is charged with reviewing our cybersecurity processes for assessing key
strategic, operational and compliance risks. The Audit Committee then provides updates on significant cybersecurity
matters to the Board periodically. We have established comprehensive cybersecurity policies, standards, processes,
practices, and controls to mitigate the risk of cyber threats, and we continually invest in prevention and detection
technology and employee training to enhance our cybersecurity posture. Our cybersecurity risk management program
leverages and strives to align with the U.S. National Institute of Standards and Technology Cybersecurity Framework,
which organizes cybersecurity risks into five categories: identify, protect, detect, respond, and recover.
Collaboration
Our cybersecurity risks are identified and addressed through a comprehensive, cross-functional approach. Key
security, risk, legal, compliance, IT, and business leaders meet regularly to develop strategies for preserving the
confidentiality, integrity, and availability of Company, employee, and third-party information provided to us; identifying,
preventing, and mitigating cybersecurity threats; and effectively responding to cybersecurity incidents. We maintain
controls and procedures that are designed to ensure prompt escalation of certain cybersecurity incidents so that decisions
regarding legal and regulatory compliance, public disclosure, and reporting of such incidents can be made by management
and presented to the Audit Committee and the Board, as necessary, in a timely manner.
Risk Assessment and Technical Safeguards
Our Information Security Steering Committee (the “Security Committee”), which is led by our Company’s
Chief Information Security Officer (“CISO”), meets quarterly to prioritize and align actions with business priorities,
manage issues, and respond to changes in regulatory requirements. At least annually, we conduct a cybersecurity risk
assessment that takes into account information from internal stakeholders, known security vulnerabilities, and information
from external sources (e.g., reported security incidents that have impacted other companies, industry trends, and
evaluations by third parties and consultants) and includes a tabletop exercise and external and internal penetration testing.
The results of the assessment are used to drive alignment on, and prioritization of, initiatives to enhance our preventive and
detective security controls, make recommendations to improve processes, and inform a broader enterprise-level risk
assessment that is presented to members of management, the Audit Committee, which is comprised solely of independent
directors, and the Board, when necessary. We conduct vulnerability testing throughout the year. We regularly assess and deploy
technical safeguards designed to protect our information systems from cybersecurity threats. Such safeguards are regularly
evaluated and improved based on industry best practices, vulnerability assessments, cybersecurity threat intelligence, input
from consultants, and incident response experience.
Monitoring and Incident Response Plan
Information Security risks are monitored by our security operations center team along with managed services
providing 24x7x365 monitoring and response. Ryan Specialty retains third-party resources with a leading cybersecurity
company for incident response when needed, including remediation. We apply lessons learned from our defense and
monitoring efforts to help manage and prevent future incidents. We have established a comprehensive incident response
plan that is regularly tested and evaluated to confirm its effectiveness. In the event our CISO determines a cybersecurity
incident needs to be escalated, she engages our critical escalation team who, with the assistance of third-party consultants,
will make the determination as to whether the incident is material and whether escalation to senior management, the Audit
Committee, and/or the Board is required.
Third-Party Risk Assessments
We conduct information security assessments before sharing or allowing the hosting of sensitive data in
computing environments managed by third parties, and our standard terms and conditions contain contractual provisions
requiring certain security protections and require those vendors and providers, that meet certain risk profiles, to meet
appropriate security requirements, controls, and responsibilities.
Education and Awareness
Our policies require each of our employees to contribute to our data security efforts. We regularly remind
employees of the importance of properly handling and protecting Company, employee, and third-party data, including
through annual privacy and security training to enhance employee awareness of how to recognize, detect, and respond to
cybersecurity threats. In addition to the annual training requirements, we regularly send employees mock phishing emails
to test their ability to assess incoming email threats.
For companies that we acquire, our integration efforts include, where appropriate, workable timelines for
alignment on information security, data privacy, cybersecurity and employee education.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Ryan Specialty’s processes for assessing, identifying, and managing material risks from cybersecurity threats are
integrated into our overall enterprise risk management program, which is overseen by the Audit Committee of the Board
(the “Audit Committee”). The Audit Committee is charged with reviewing our cybersecurity processes for assessing key
strategic, operational and compliance risks. The Audit Committee then provides updates on significant cybersecurity
matters to the Board periodically. We have established comprehensive cybersecurity policies, standards, processes,
practices, and controls to mitigate the risk of cyber threats, and we continually invest in prevention and detection
technology and employee training to enhance our cybersecurity posture. Our cybersecurity risk management program
leverages and strives to align with the U.S. National Institute of Standards and Technology Cybersecurity Framework,
which organizes cybersecurity risks into five categories: identify, protect, detect, respond, and recover.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] The Audit Committee oversees our overall enterprise risk assessment and risk management policies including
risks related to cybersecurity. The Board and Audit Committee set the tone at the top by providing oversight and
establishing expectations for the overall effectiveness and efficiency of the information security program. Each quarter, our
CISO provides an update to the Audit Committee about our cybersecurity program, including detection,
mitigation, and remediation of significant incidents, if any, that occurred during the quarter. Additionally, on an annual
basis, the CISO delivers reports to the Board and Audit Committee with an annual cybersecurity risk assessment that
includes information concerning the prevention, detection, mitigation, and remediation of cybersecurity incidents, if any,
including material security risks and information security vulnerabilities. The Audit Committee provides a quarterly
summary of all important issues to the full Board.
In addition, if warranted based on our response plan, cybersecurity incidents will be escalated to the attention
of the Audit Committee while such incidents are ongoing.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit Committee oversees our overall enterprise risk assessment and risk management policies including risks related to cybersecurity.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Each quarter, our
CISO provides an update to the Audit Committee about our cybersecurity program, including detection,
mitigation, and remediation of significant incidents, if any, that occurred during the quarter. Additionally, on an annual
basis, the CISO delivers reports to the Board and Audit Committee with an annual cybersecurity risk assessment that
includes information concerning the prevention, detection, mitigation, and remediation of cybersecurity incidents, if any,
including material security risks and information security vulnerabilities. The Audit Committee provides a quarterly
summary of all important issues to the full Board.
In addition, if warranted based on our response plan, cybersecurity incidents will be escalated to the attention
of the Audit Committee while such incidents are ongoing.
Cybersecurity Risk Role of Management [Text Block] Primary responsibility for assessing and managing our cybersecurity risks rests with our CISO, who reports to
our Executive Vice President, Operations, Technology & Data Analytics (“EVP OP”). Both are members of our Security
Committee, which is a governing body that drives alignment on security decisions across the Company. The Security
Committee includes management across the departments and functions of the organization to enable transparency and
alignment with the business’ strategic goals and objectives. The Security Committee responsible for managing and
implementing the Company’s cybersecurity programs has many years of valuable business experience managing risks and
developing and implementing cybersecurity policies and procedures. Our CISO has extensive experience in information
security, managing cybersecurity programs and cybersecurity risks, and has served in various roles in information
technology and information security for almost 30 years, including serving as the CISO at another large public company.
She holds an undergraduate degree in Information and Decision Sciences. Our EVP OP has extensive enterprise risk
management experience, developed over more than 25 years while holding senior leadership positions, including group
CIO and divisional COO roles, at global brokerage and risk management firms, and serving clients as a management
consultant. He holds an undergraduate degree in accounting.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Primary responsibility for assessing and managing our cybersecurity risks rests with our CISO, who reports to
our Executive Vice President, Operations, Technology & Data Analytics (“EVP OP”). Both are members of our Security
Committee, which is a governing body that drives alignment on security decisions across the Company. The Security
Committee includes management across the departments and functions of the organization to enable transparency and
alignment with the business’ strategic goals and objectives. The Security Committee responsible for managing and
implementing the Company’s cybersecurity programs has many years of valuable business experience managing risks and
developing and implementing cybersecurity policies and procedures.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our CISO has extensive experience in information
security, managing cybersecurity programs and cybersecurity risks, and has served in various roles in information
technology and information security for almost 30 years, including serving as the CISO at another large public company.
She holds an undergraduate degree in Information and Decision Sciences. Our EVP OP has extensive enterprise risk
management experience, developed over more than 25 years while holding senior leadership positions, including group
CIO and divisional COO roles, at global brokerage and risk management firms, and serving clients as a management
consultant. He holds an undergraduate degree in accounting.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Information Security risks are monitored by our security operations center team along with managed services
providing 24x7x365 monitoring and response. Ryan Specialty retains third-party resources with a leading cybersecurity
company for incident response when needed, including remediation. We apply lessons learned from our defense and
monitoring efforts to help manage and prevent future incidents. We have established a comprehensive incident response
plan that is regularly tested and evaluated to confirm its effectiveness. In the event our CISO determines a cybersecurity
incident needs to be escalated, she engages our critical escalation team who, with the assistance of third-party consultants,
will make the determination as to whether the incident is material and whether escalation to senior management, the Audit
Committee, and/or the Board is required.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true