Athene Holding Ltd. - (ATHS)
10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity
We have developed a comprehensive information security program that is designed to protect and preserve the confidentiality, integrity, and continued availability of all information that we own or possess. The program is a critical component of our overall IT Security, Risk, and Compliance Management Program, which is based, in part, on recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards.
Key features of the program include:
• Implementation of a detailed cyber incident response plan that provides controls and procedures for identifying, assessing, containing, remediating, escalating, and reporting cyber incidents.
• Cross-functional approach to addressing cybersecurity risk, with engagement among internal working groups such as Risk, Information Technology, Operations, Procurement, Legal, Compliance, and Internal Audit functions.
• Information security policies and procedures that are reviewed at least annually and updated to reflect changes in law, technology, practice, and emerging threats.
• Cybersecurity awareness training for employees, upon hire and at least annually thereafter.
• Ongoing monitoring, and periodic assessment and testing, of our networks and systems for threats, vulnerabilities, and other cybersecurity risks, both internal and external.
• Periodic tabletop exercises and response readiness assessments, with participation from senior executives, led by outside advisors who provide a third-party independent assessment of our technical program and internal response preparedness; results are provided to the audit committee.
• Development of risk mitigation strategies that may defray costs associated with an information security breach.
• Periodic cyber drills and disaster recovery tests which are designed to help ensure our business operations can continue in the event of a cybersecurity attack.
• Comprehensive internal risk assessment of critical third-party service providers, including their cybersecurity posture, prior to onboarding; contractual requirements for critical third-party service providers to adhere to our standards and to report incidents; once engaged, critical third-party service providers are required to maintain a comprehensive cybersecurity plan in conformity with industry standards.
We engage industry specialists and other third parties in connection with such processes.
Our information security program is managed by our Chief Information Security Officer (CISO) with collaboration across lines of business and corporate functions. The CISO is a senior-level executive responsible for establishing and executing our information security strategy, including cybersecurity oversight. The CISO reports directly to our Chief Information Officer (CIO), who reports directly to our Chief Operating Officer (COO). The CIO and CISO are members of the management operational risk committee, which reports to the management risk committee. The COO is a member of the management risk committee, which reports to the board risk committee. See Item 10. Directors, Executive Officers and Corporate Governance—Corporate Governance—Committees of the Board of Directors—Management Committees for additional information about the management operational risk committee, which is responsible for overseeing operational risk, including cybersecurity risk, and the management risk committee, which is responsible for overseeing overall corporate risk.
In addition, the CIO, CISO, General Counsel and certain other members of senior management meet periodically with the audit, risk, and legal and regulatory committees of the board of directors to review our information technology and cybersecurity risk profile and to discuss risk mitigation plans. While the board risk committee is ultimately responsible for overseeing the management of our information security program at the board level, the audit and legal and regulatory committees assist the risk committee in fulfilling its duties. Each of the board committees regularly briefs the full board of directors on matters reported to them. See Item 10. Directors, Executive Officers and Corporate Governance—Corporate Governance—Risk Management Oversight for additional information regarding the role of our board of directors in risk management oversight, including its oversight of risks from cybersecurity threats. As of February 1, 2024, we have not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected us, our business strategy, results of operation or financial condition. See Item 1A. Risk Factors—Risks Relating to Our Business Operations—Interruption or other operational failures in telecommunications, information technology and other operational systems, including as a result of threat actors attacking those systems, or a failure to maintain the security, integrity, confidentiality or privacy of sensitive data residing on those systems, including as a result of human error, could have a material adverse effect on our business and Item 1A. Risk Factors—Risks Relating to Our Relationship with Apollo—Interruption or other operational failures in telecommunications, information technology and other operational systems at Apollo or a failure to maintain the security, integrity, confidentiality or privacy of sensitive data residing on Apollo’s systems, including as a result of human error, could have a material adverse effect on our business for further discussion of the risks we face from cybersecurity threats.
The CIO is responsible for managing our information technology strategy. Our CIO has over 30 years of insurance and financial services operations and technology experience, including as chief information officer at large insurance companies, and received a Bachelor of Science in business management and a Master of Business Administration in management information systems.
The CISO is responsible for managing our information security program. Our CISO has over 20 years of information technology experience and over 15 years of information security experience; is a Certified Information Systems Security Professional, Certified Information Systems Auditor, Certified Information Systems Manager, and Check Point Certified Engineer; and holds a Bachelor of Arts in statistical science, a Bachelor of Science in computer science, and a Master of Business Administration in business.