Privacy, Security and Trust

Data Privacy and Protection
Everest is committed to conducting business in a compliant manner while taking steps to safeguard personal data we receive, collect, transfer and store in the course of doing business. Our established policies and procedures have been built to comply with the applicable privacy and data protection laws wherever we do business.

We maintain appropriate physical, electronic, and procedural safeguards to protect personal information. We secure our databases with various physical, technical and procedural measures, and we restrict access to your information by unauthorized persons.

We also train all employees on their responsibility to safeguard customer data and provide them with appropriate guidelines for adhering to our company's business ethics standards and confidentiality policies.

Encryption and other methods are used to protect sensitive information. The method of protection is based on the sensitivity of the data that is shared with customers and other third parties under contract to do business with Everest.

We take particular care when working with third parties, only sharing personal data with affiliates, business partners, third-party service providers, or vendors when we have a legitimate business purpose for doing so. We ensure contractual requirements, including confidentiality clauses, are in place to ensure Everest’s data protection principles are adhered to.

Refer to the Everest Privacy Notices for more information.

Personal information is information that identifies an individual and can include name, address, phone number, email address, credit history, driver’s license number, and location or IP address. If an individual applies for employment at Everest, personal information may also include work and educational experience.

We may use personal and other information for the following purposes:

  • To underwrite, quote and price insurance policies or other insurance contracts
  • To defend or settle claims
  • To assist in loss prevention and risk management activities
  • To complete transactions
  • To respond to requests for our services, including employment opportunities
  • To protect from crimes, including fraud
  • To personalize an individual's experience using our online services
  • For other business purposes as allowed by law

Refer to Information Sharing and the Everest Privacy Notices below for more information.

Access to personal information our website collects is restricted to our employees, our affiliate’s employees, or anyone who needs the information in order to provide you service in the course of our normal business operations.

Refer to the Everest Privacy Notices for more information.

Cookies are pieces of information stored directly on the computer you are using. Cookies allow us to detect information on you such as your browser type, pages visited and your browsing experience on our websites. They allow us to monitor and improve our websites in order to deliver a better user experience.

For more information on the types of information we collect on this website, see our Terms of Use and also our Cookies Policy.

In order to protect your personal information and interests, we have entered into data processing agreements as required with third-party recipients. In these data processing agreements, the service providers undertake measures to protect the data of our users, and to process them on our behalf in accordance with the applicable data protection regulations.

Your data will not be passed on to other third parties for other purposes, in particular for advertising and/or marketing purposes, nor do we sell your data to third parties.

For more information regarding processing of personal data, please refer to Privacy Notices below.

Our website does not respond to “Do Not Track” signals. DNT is a preference that users can set on their browser (if supported) to opt out from online behavioral tracking. It is your option to configure your browser settings to reflect your tracking preferences. 

Organizational Security
At Everest, security is everyone's responsibility.

The overall objectives of our risk management strategy are to reach a level of security maturity that is commensurate with the risk appetite of the Company.

Everest’s Chief Information Security Officer (CISO) is responsible for the Company’s information security, technology risk management and data privacy and protection Programs. The CISO regularly provides updates to Everest’s Board of Directors and Senior Leadership Team.

Our commitment to security extends to our executives via our Cyber Security and Technology Risk Committee. The Committee includes a cross functional group that provides governance and oversight of our cyber security and data program. This helps to ensure we are abiding by all data security, privacy and protection regulations, are remediating risks in an effective and responsible manner, and our cyber program is aligned to business outcomes.

We annually review and refresh our information security policies based on our evolving business model, adoption of digital platforms and in accordance with regulatory compliance obligations in the jurisdictions in which we are authorized to do business.

The Committee also ensures that security awareness training for the entire firm is conducted regularly (at a minimum annually), and that Program initiatives are communicated on an ongoing basis throughout the organization.

We advise and regularly train all Everest employees and relevant contractors about their responsibility to protect customer data, and we provide them with appropriate guidelines for adhering to our company’s business ethics standards and confidentiality policies.

We have safeguards in place to identify and authenticate access rights and authority levels of individuals using our network and applications. These measures ensure that only authorized users can perform actions or access information in a network or a workstation of the Company and that the access is necessary to perform their job function.

We have appropriate systems infrastructure and regularly test its resiliency to support the appropriate management of our business, as well as support our obligations to clients and business partners.

We have implemented and continue to update multi-layer controls and processes to protect data and other intellectual property including network security controls, logical and physical access controls, up-to-date managed inventories (authorized hardware and software), system monitoring, and incident response procedures.

Physical Security
Our Company has security personnel, surveillance measures, and access controls in place to prevent unauthorized access to our systems and data stores. We also protect our business locations from physical hazards as well as regularly test our response capabilities with local municipalities to maintain business continuity and deliver optimal service to our clients and business partners.

Network Security
We use boundary firewalls and internet gateways to prevent unauthorized access to or from private company networks. We have controls to ensure that only those who should have access to systems have access at the appropriate level. We ensure that virus and malware protection is installed and maintained to apply appropriate software updates and vulnerability patches.

Application Security
Secure configuration practices are in place to ensure systems are configured in the most secure way for the needs of the organization. We follow processes for developing, adding, and testing security features within applications to prevent security vulnerabilities and protect against threats such as unauthorized access and modification.

Vulnerability Assessment
Potential vulnerabilities in our technology asset portfolio are identified by performing periodic vulnerability scans.

Everest conducts comprehensive security due diligence and oversight of our third party vendors and applications, as part of our Technology Risk Management Program. In addition to the risk assessments which are performed before we contract with any third parties, our ethics standards and cyber security policies are also communicated to all third party vendors and data hosts with whom we do business, to ensure that they are also aware of their responsibility to prioritize our data security.

One or more times per year, we use an independent third-party expert to conduct a risk assessment of our cyber security resilience.

We regularly test the effectiveness of our incident response plans by enacting simulation table-top exercises involving cross-functional stakeholders and continually improve these response plans based upon the lessons learned from each exercise.

Our cyber security environment and policies and programs are subject to an annual independent audit and vulnerability assessment against top information security standards such as FedRAMP. Using the feedback from this assessment, we are able to identify any vulnerabilities in our internal information security system and immediately prioritize the necessary solutions to ensure that all our information is secure. In addition to this annual independent audit, under the direction of Everest’s Internal Audit team, we internally monitor and audit all of our information technology applications and processes. All programs are monitored to make sure that all Company-wide information security measures are being followed, and that secure data is thoroughly protected.

Certifications and Compliance Requirements
Our program strategy is to maintain full compliance with requirements set forth by the GDPR, the key US – NY DFS Part 500 Cyber Security Law, and other applicable Laws, Rules and Regulations.

Everest has obtained certification for Cyber Essentials as part of our membership with Lloyd’s of London. This demonstrates that Everest has appropriate controls and standards in place across five cyber security risk disciplines.

Everest leverages industry frameworks (from NIST, ISO, ISACA and COBIT), standards, guidelines and best practices to design, continually evaluate and improve our data and cyber security programs and protections, and to apply appropriate technical and organizational measures to ensure a level of security appropriate to risk.

We may change our security and privacy statements on this website as necessary. This Statement is not intended to and does not create any contractual or other legal right in or on behalf of any party.

For More Information
Please contact your company client management contact for more information on Everest’s Organizational Security regarding the services you receive from our Company.