Jackson Financial Inc. - (JXN)
10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity
Cybersecurity Incidents
As previously disclosed in Item 2. Management’s Discussion and Analysis of Financial Condition and Results of Operations — Macroeconomic, Industry and Regulatory Trends — Cybersecurity Event in our Form 10-Q for the quarter ended June 30, 2023, Jackson determined that its information at one of our third-party vendors, Pension Benefit Information, LLC (“PBI”), was impacted by a cybersecurity breach involving Progress Software Corporation’s MOVEit Transfer software. The PBI service helps Jackson to identify possible beneficiaries for death benefits. According to PBI, an unknown actor exploited a MOVEit software flaw to access PBI’s systems and download certain data. Our assessment indicated that personally identifiable information relating to approximately 850,000 of Jackson’s customers was obtained by that unknown actor from PBI’s systems. PBI informed Jackson that it rectified the MOVEit vulnerability.
Separately, Jackson experienced unauthorized access to two servers as a result of the MOVEit flaw; however, the scope and nature of the data accessed on those servers was significantly less than the PBI impact. Our assessment was that a subset of information relating to certain partner organizations and individuals, including certain customers of Jackson, was obtained from the two affected servers.
At this time, we do not believe the incidents or related litigation will have a material adverse effect on the business, operations, or financial results of Jackson Financial.
Governance
JFI’s Board Oversight of Risks from Cybersecurity Threats: JFI’s Board approved both the Company’s initial JFI Information Security Policy and the JFI Privacy Policy. The Finance and Risk Committee of the JFI Board assists the Board with oversight of the Company’s risk framework and its effectiveness. The Finance and Risk Committee regularly reviews top risks identified by management, the Company’s risk appetite, and financial and non-financial risks, including information security and cybersecurity. The committee also reviews activity reports on the status of our cybersecurity program, including material policy changes, breaches, and remediation actions. At least annually, and more often as needed, the committee meets with our Chief Information Security Officer (“CISO”) in a dedicated session to review and discuss in-depth cybersecurity risks facing the Company.
JFI’s Board of Directors receives periodic reports from its Finance and Risk Committee regarding the committee’s actions in respect of cybersecurity and related regulatory developments and receives from our CISO regular updates about cybersecurity threats and our cybersecurity and privacy programs.
Management’s Role in Assessing and Managing Material Risks from Cybersecurity Threats: Our CISO is a member of the senior leadership team and oversees our Information Security and Privacy Team. The CISO provides regular updates to the Board on cybersecurity threats facing the organization, including developments in our ongoing information security and privacy programs. As noted, the CISO meets in dedicated sessions with the Finance and Risk Committee to review and discuss in-depth cybersecurity risks facing the Company.
Our Information Security and Privacy Team includes 70 full-time positions with at least 50% of our associates holding industry certifications, such as the Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Certified Information Privacy Professional (CIPP). All associates and contractors with access to our Company’s systems receive comprehensive initial and ongoing annual training on responsible information security, data security, and cybersecurity practices and how to protect against cyber threats.
Regular independent third-party assessments, penetration testing, and internal audits are conducted to validate controls and to position our cybersecurity maturity level at or ahead of industry trends in meeting stringent security standards. We regularly assess our security program internally and externally, through benchmarking studies and assessments against our Information Security and Privacy Policies and Standards and conduct assessments of the effectiveness of relevant internal control activities designed to restrict inappropriate access to our IT systems, support data integrity within our IT systems, and ensure ongoing availability of our IT systems. Certain of these control activities are also subject to an assessment by our external auditor to support its opinion on the effectiveness of our internal control over financial reporting.