F&G Annuities & Life, Inc. - (FG)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
Risk Management and Strategy Disclosure

The Company’s Information Security team is responsible for executing the Company’s enterprise-wide cybersecurity strategy, which is based upon the Center for Internet Security’s best practice controls, including providing subject matter expertise, accountability, and oversight in the areas of policy and standards development, security architecture, engineering, and development practices, third-party IT and Security risk, compliance with industry, state, and federal regulations, and security education, awareness, and training. The Information Security program is managed and overseen by a full-time Chief Information Security Officer (“CISO”) with over 25 years in information technology leadership, service management, operations, information security, risk management, and regulatory compliance.
The CISO reports to the Company’s Chief Information Officer (“CIO”), who is an executive of the Company and oversees all of the Company’s information technology efforts. The Company’s CIO has over 32 years of information technology leadership experience within the insurance and financial services industries. The CIO provides regular updates to senior leadership, including reports to the Board on a periodic basis.

In conjunction with CIO senior leadership updates and periodic reports to the Board, the Company’s ERM team also provides updates on the Company’s cyber risk and threats, status of key projects improving the Company’s security posture, and efforts reducing the company’s attack surface.
In addition, a cybersecurity working group reviews the status of the Company’s cybersecurity environment monthly with the senior managers of various departments including Information Technology, Information Security, ERM, Internal Audit, and Compliance. Based on the information received, the working group generates monthly reports and updates key stakeholders across the enterprise.
To mitigate information and cybersecurity risks, the Company utilizes external firms to perform supplemental annual vulnerability and penetration testing to objectively assess and identify potential improvements to the Company’s security posture. Findings from such testing are tracked, prioritized, remediated, and reported accordingly. The Company also leverages a third party to perform 24x7 Security Operations Center monitoring of its information assets. The Company has processes in place to assess risk through initial due diligence, monitor throughout the third-party service provider lifecycle, and periodically re-evaluate the technology and security risks associated with the usage of third-party service providers. Additionally, the Company maintains cyber insurance coverage to reduce potential financial losses that may stem from security incidents.
See Item 1A - Risk Factors for discussion of material risks faced by the Company, including risks related to cybersecurity.
Governance Disclosure
As set forth in the Company’s charter, our Audit Committee, comprised of fully independent directors, is responsible for reviewing with management the Company’s policies and practices with respect to risk assessment and risk management, including cybersecurity risk. The CRO reports information and cybersecurity risks through the CRO Risk Assessment Report, a copy of which is provided to the Audit Committee and the Board every quarter.
F&G has adopted a “three lines of defense” governance model for information and cybersecurity risk management. The CISO is the first line of defense providing frontline business, operational, and technology controls and capabilities to protect against information and cybersecurity risks and responding to cyber incidents and data breaches. The information security team under the CISO is responsible for overseeing infrastructure defense and security controls, managing access controls, performing vulnerability assessments, facilitating independent external penetration testing, assessing third-party or vendor information security, implementing employee awareness and training programs, and handling security incident management.
F&G's ERM department serves as the Company’s second line of defense and considers Information Security risk alongside other company risks. ERM facilitates the quarterly risk self-assessment with the CISO and the CIO to identify and assess information and cybersecurity risks, evaluates the likelihood and impact of potential risk events to Information Assets, and assesses mitigation offered by the control environment to determine residual risk. The assessment results are presented at quarterly Operational Risk Sub-Committee (“ORSC”) and ERMC meetings. ERM, jointly with the Information Security professionals, annually conducts a Cybersecurity Risk Assessment based on critical security controls set forth by the Center for Internet Security. The assessment is reported to the CRO, CISO and CIO.
The Company’s Internal Audit department serves as the third line of defense and independently assures the effectiveness of the Company’s management of information and cybersecurity risk.
As an added layer of defense, the Company has an incident response team in place to evaluate information and cybersecurity incidents on an ongoing basis. Based on materiality, a security incident may be escalated to the Corporate Crisis Management Team (“CCMT”) for risk mitigation and recovery actions. In 2023, the Company’s data was subject to the MOVEit security incident pertaining to a third-party vendor of the Company. The Company activated its crisis management protocols to adequately manage the investigation, impact, and response to this incident. The incident was reported to the Audit Committee of the Board and disclosed to regulatory authorities.