REINSURANCE GROUP OF AMERICA INC - (RGA)
10-K Filing Date: February 26, 2024
Item 1C. CYBERSECURITY
The Company is susceptible to a variety of risks as an inherent part of serving our clients’ needs, including risks related to cybersecurity, data privacy and technology. The Company maintains a cybersecurity program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. The program, which balances serving the interest of our clients, their policyholders and customers, regulatory bodies, our investors, our employees and other relevant constituencies, is integrated within the Company’s Enterprise Risk Management (“ERM”) program.
The underlying controls of the cybersecurity program are based on recognized practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework and the International Organization for Standardization (“ISO”) 27001 Information Security Management System Requirements. RGA periodically engages a third party to perform an assessment of the Company’s cybersecurity risk management program against the NIST framework.
RGA utilizes third-party partners, including leading national and international companies specializing in cybersecurity and software development, to supplement its security operations team to provide monitoring of its global cybersecurity environment and to coordinate the investigation and remediation of alerts. The Company also engages third-party partners to assist in evaluating and testing the Company’s cybersecurity infrastructure. These partners are subject to the Company’s third-party due diligence process that includes security and privacy assessments, legal reviews, and ongoing assessments and performance reviews to ensure compliance with the Company’s policies and standards.
Both the board of directors and management have an active and ongoing role overseeing, assessing, identifying and managing material risks from cybersecurity threats.
The board of directors (the “Board”), directly and through its Risk Committee and Cybersecurity and Technology Committee (the “Cybersecurity Committee”), oversees the Company’s risk management strategy and cybersecurity, data privacy, and technology risks and provides oversight of ongoing investments in cybersecurity and technology. The Company’s Chief Risk Officer (“CRO”) provides regular reports to the Risk Committee regarding the Company’s general risks, including risks relating to cybersecurity threats, and responses thereto. The Cybersecurity Committee oversees the Company’s cybersecurity, customer privacy, and technology risks and monitors the Company’s strategy and progress to achieve its planned cybersecurity objectives. The CRO and Global Chief Information Security and Privacy Officer (“CISO”) provide quarterly updates to the Cybersecurity Committee regarding cybersecurity, data privacy, and information technology strategy and programs. In addition, both the Risk Committee and Cybersecurity Committee meet as needed outside of the normal quarterly reporting cycle to discuss particular cybersecurity issues as required.
The Company’s risk management process and strategy, including cybersecurity risks, is the responsibility of the CRO and is supported by the Company’s Risk Management Steering Committee (“RMSC”), which includes senior management executives, including the President and Chief Executive Officer (“CEO”), the Chief Financial Officer (“CFO”), and the Chief Investment Officer, among others. The RMSC provides oversight and advises the CRO on the Company’s enterprise risk management framework and strategic risk exposures including cybersecurity risks. The Company’s CISO and CRO provide updates through quarterly meetings with the RMSC.
The CRO, Chief Information Officer (“CIO”) and CISO each have over 15 years’ experience in managing cybersecurity, information technology and other risk management processes. The following is a summary of the CRO’s, CIO’s, and CISO’s experience:
•The CRO, a member of RGA’s Executive Committee, has held various positions in the Company and is responsible for oversight of operational risks, which includes cybersecurity. The CRO has more than 30 years of experience and has held various positions including serving as the Company’s Global Chief Risk Officer. In addition to overseeing the overall risk governance structure of RGA’s Enterprise Risk Management program, the CRO has extensive experience leading a number of cybersecurity programs at the Company such as enhancing the Company’s cybersecurity systems to ensure compliance with Privacy and Security Regulations.
•The CIO, a member of RGA’s Executive Committee, leads the strategic direction of the Company’s information technology resources and management of RGA’s global information technology operations. The CIO has held various positions of responsibility at other companies for all aspects of technology and has deep knowledge of organizational change, digital transformation, core platform and data analytics modernization.
•The CISO, who is responsible for implementing the Company’s cybersecurity risk management strategy, oversees the Company’s global security and privacy teams, ensuring broad awareness of emerging risks and cybersecurity threats. The CISO has significant cybersecurity experience, including executive management responsibility in cybersecurity, data privacy, operational risk management, and information technology, including regulatory compliance and risk quantification.
A cross-functional team, including Finance, Legal, Risk and the Information Technology departments, in conjunction with others as needed, is involved in the materiality assessment of cybersecurity threats and incidents. The factors considered in the assessment of materiality include, but are not limited to, the probability of an adverse outcome, actual and expected direct and indirect costs stemming from the incident, the possibility of litigation or regulatory investigations, and the nature and extent of harm to policyholders, cedents, vendor relationships, and the Company’s reputation and competitiveness. Conclusions are reviewed and approved by the Company’s CEO, CFO and CRO.
We have experienced, and may in the future experience, whether directly or through third parties, cybersecurity incidents. While prior incidents, including those previously disclosed and not disclosed, have not materially affected our results of operations or financial condition, we cannot assure that they will not be materially affected in the future by such incidents. Additionally, although our processes are designed to help prevent, detect, respond to, and mitigate the impact of such incidents, there is no guarantee that a future cybersecurity incident would not materially affect our results of operations or financial condition. For more information on our cybersecurity-related risks, see Item 1A – “Risk Factors.”