IT and Cyber Security – Greenlight Re

IT and Cybersecurity

Greenlight Re maintains robust security policies and practices that span across the
organization. The foundation of our information security practices is rooted in the principles set forth
by the National Institute of Standards and Technology (“NIST”), ensuring a robust and
comprehensive approach to safeguarding our digital assets. This program provides standards,
guidelines, and best practices for improving our cybersecurity risk management. To effectively
manage our cybersecurity risk, we employ a comprehensive approach encompassing risk assessment,
identification, and mitigation, all aligned with the rigorous standards and principles. Cybersecurity
and IT compliance risk metrics are monitored regularly to assess, identify, manage, and protect our
network. Periodic audits of IT and Cybersecurity are carried out as part of internal and external audits
and are performed by professionals.

Third party cybersecurity
Our approach to third-party cybersecurity underscores a commitment to robust risk
management and adherence to industry best practices. By implementing comprehensive measures in
line with recognized standards, we ensure that our third-party cybersecurity protocols are aligned with
rigorous standards. Regular assessments, SOC reviews, and collaborative efforts are integral
components of our strategy, aimed at fostering a secure and resilient ecosystem that safeguards
sensitive information and maintains the integrity of our digital infrastructure in partnership with
external entities.

Our CISO and ITSC
Our Chief Information Security Officer (“CISO”) has more than three decades of expertise in
the IT Industry and is a member of ISACA, showcasing a rich portfolio of industry certifications like
CISM, CPDSE, MCSE, and holding accreditations from vendors such as ISACA, CISCO and
Microsoft.

Our IT Steering Committee (“ITSC”) reports to the Executive Committee and is chaired by
the Chief Risk Officer (CRO). The ITSC meets at least quarterly to discuss and approve IT and
Cybersecurity matters. The ITSC produces and approves an annual IT budget, as well as an Incident
Management and Response plan through which the CISO and the ITSC are informed about
cybersecurity incidents. The CRO, Head of IT, and CISO present an IT and Cybersecurity Update to
the Audit Committee of the Board on a quarterly basis to discuss the status of Cybersecurity and IT
compliance risk metrics, and any new or emerging cybersecurity threats or risks. Our Audit
Committee assists the Board in its oversight responsibilities regarding our systems, policies, and
procedures relating to technology and cybersecurity. The Audit Committee’s charter mandates that the
Audit Committee reviews our technology and cybersecurity systems, policies, and procedures
(including those relating to our assessment of third-party provider cybersecurity controls) with
management. The Audit Committee is further tasked with discussing with management the policies
with respect to risk assessment and risk management, including those related to technology and
cybersecurity.

Internal processes
To assist with mitigating the risks of cybersecurity threats, regular cybersecurity training is
provided to employees and members of the Board. This is completed annually and forms part of our
employee onboarding process. We protect our information systems with physical, electronic, and
software safeguards considered appropriate by our management.

We employ a specialist vendor to continuously monitor our systems for security events and
risks within our network. Further, to mitigate risk arising from our relationships with third-parties,
vendors must be SOC 1 Type 2 or SOC 2 compliant where data is stored, as determined in accordance
with the framework developed by the American Institute of Certified Public Accountants, or
undertake our enhanced due diligence process. Periodic testing is performed, and all material
incidents are reported to the Board.

Breaches and Incidents
As of the year ended December 31, 2023, Greenlight Re has not experienced an information
security breach within the last three years, has not been materially impacted by any third-party
information security breaches, and has not identified any cybersecurity threats likely to materially
affect the Company’s business strategy, results of operations, or financial conditions.