GENWORTH FINANCIAL INC - (GNW)
10-K Filing Date: February 29, 2024
Item 1C.
Cybersecurity
We have identified information technology and cybersecurity risk as some of the most significant risk types to our business. Related to these identified risk types, we have classified our top risks and report these risks to both senior management and the risk committee of Genworth Financial’s Board of Directors. For additional information regarding the risks associated with these matters, see “Item 1A—Risk Factors.”
Risk Management
Genworth’s risk management framework recognizes the significant operational risk, including risk of losses, from cyber incidents and the importance of a strong cybersecurity program for effective risk management. As part of our risk management, we have implemented a Data Security and Cybersecurity Program (the “DSCP”) which sets policy expectations, ensures broad coverage over information technology risks, integrates the Information Security and Information Technology Risk Management Framework into our broader risk management systems, establishes clear roles and governance, and aligns control expectations to the National Institute of Standards and Technology (“NIST”). Under the DSCP, we have processes for identifying, assessing and managing technology and cybersecurity risk. The DSCP employs various controls and policies to secure our operations and information, which include monitoring, reporting, managing and remediating cybersecurity threats. Key features of the DSCP include access controls, security training, system security testing, dedicated security personnel, security event monitoring, and when necessary, consultation with third-party data security experts. Through a cross-functional team, we assess and mitigate risks associated with our third-party providers and have processes in place to regularly monitor and evaluate cybersecurity risks and threats associated with the use of third-party providers. Our information security team, overseen by our Chief Information Security Officer (“CISO”), conducts annual information security awareness training for employees involved in our systems and processes that handle customer data. We have conducted cybersecurity awareness training with management, including a tabletop exercise to simulate a response to a cybersecurity incident, and used these findings to improve our processes and technologies. 
In addition, the DSCP includes an incident response plan, which coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to assess the materiality of the incident, escalate, contain, investigate and remediate the incident, as well as to comply with potentially applicable legal reporting and other obligations and mitigate reputational damage. We also carry insurance that provides protection against the potential losses arising from a cybersecurity incident.
Additionally, we have procedures set forth in the DSCP for reporting and responding to potential security incidents as well as determining applicable disclosure requirements, including timely incident reporting. For example, as disclosed in our Form 8-K filed on June 22, 2023, we were notified by PBI, a third-party vendor, that PBI was subject to the widely reported security events involving the MOVEit file transfer system, which PBI uses in the performance of its services. The MOVEit Cybersecurity Incident resulted in the unauthorized acquisition of data by a third party from PBI as well as several organizations and governmental agencies. After being notified of the security event, we, together with PBI, promptly launched an investigation to determine whether and to what extent personal information had been unlawfully accessed. Approximately 2.5 to 2.7 million of our policyholders’ or other customers’ personal information, including social security numbers, was exposed to and obtained by the threat actor as a result of the MOVEit Cybersecurity Incident. We believe that the MOVEit Cybersecurity Incident has not had any impact on any of our information systems, including our financial systems, and that there has not been any material interruption of our business operations. While we are continuing to measure the impact, including certain remediation expenses and other potential liabilities, we do not currently believe this incident or other known risks from cybersecurity threats are reasonably likely to have a material adverse effect on our business, results of operations or financial condition.
See “Item 1A—Risk Factors—Our computer systems and those of our third-party service providers have in the past and may in the future fail or be compromised, including through cybersecurity breaches; we may experience issues from new and complex information technology methodologies such as artificial intelligence; and unanticipated problems could materially adversely impact our disaster recovery systems and business continuity plans, any of which could damage our reputation, impair our ability to conduct business effectively, result in enforcement action or litigation, and materially adversely affect our business, financial condition and results of operations.”
Governance
Our Board of Directors recognizes the importance of maintaining the privacy and security of customer information, as well as the availability of our systems, and consequently dedicates meaningful time and attention to oversight of cybersecurity risk. In light of these risks, our Board of Directors is actively engaged in the oversight of the Company’s information technology, which includes periodic briefings on cybersecurity threats and participation in cybersecurity preparedness exercises. Furthermore, under its charter, the Board’s risk committee has primary responsibility for cybersecurity oversight. In this capacity, the risk committee oversees the Company’s processes for identifying, assessing and managing technology and cybersecurity risk. In connection with the MOVEit Cybersecurity Incident, the risk committee was immediately notified by management and regularly briefed on the matter, and worked with management, including Genworth’s CISO and Chief Risk Officer (“CRO”), to assess and manage the risk and implement the Company’s response to the incident.
Genworth’s CISO and CRO, both members of management, support the cybersecurity risk oversight responsibilities of the Board and the risk committee and involve applicable management personnel in cybersecurity risk management. The risk committee receives periodic reports from the CISO and CRO on the Company’s technology and cybersecurity risk profiles, information security program and key cybersecurity initiatives. Additionally, the CISO and CRO follow a risk-based escalation process to notify the risk committee outside of the regular reporting cycle when they identify potential substantive cybersecurity risks or issues.
Genworth’s CISO is an information technology and security professional with 23 years of experience and 11 years of service at Genworth. In his 23 years of experience, he has held roles in information technology infrastructure administration, information technology infrastructure, security consulting and security administration. He received a Bachelor of Science Degree in Business Administration from Regent University and is a Certified Information Systems Security Professional (CISSP).
Genworth’s CRO has served in information technology and risk management leadership roles for over twenty years, including oversight of enterprise risk management and operational risk, as well as oversight for financial reporting systems, operational and technology platforms, and testing and quality assurance programs. He received a Bachelor of Science Degree in Decision Support Systems from Virginia Polytechnic Institute (Virginia Tech) and graduated from the Tuck Global Executive Leadership Program through Dartmouth in 2020. For more information about our CRO, see “Part III—Item 10—Directors, Executive Officers and Corporate Governance.”