Voya Financial, Inc. - (VOYA)
10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
We maintain an information security program that seeks to comply with applicable regulatory requirements. The information security team, led by the Chief Information Security Officer ("CISO"), implements appropriate measures designed to safeguard sensitive information and protect our operations and systems against cyber threats. The information security team carries out continuous monitoring and evaluation of Voya’s technology and digital infrastructure with the goal of identifying and assessing threats and proactively mitigating potential risks. The CISO and the information security team provide regular updates to Voya's senior management, as further described under Cybersecurity Governance below.
In addition, as part of its risk management strategy, Voya has an established and integrated cybersecurity incident response plan that focuses on incident detection, management and response. The information security team periodically reviews and updates the plan and tests playbooks within the plan through tabletop exercises.
Voya's information security team is responsible for identifying, assessing, and managing cyber risk, with support from Voya's operational risk management team. Information security control tasks are performed under the direction and guidance of the CISO, who is designated under Voya’s risk management principles and policies to oversee the evaluation and mitigation of information security risks. Information security management is integrated into Voya’s overall risk management framework, which provides for a coordinated approach to addressing cybersecurity risk.
As part of Voya’s overall information security program, we may engage and retain external assessors and consultants to help improve our security, stay aligned with industry best practices, evaluate external threats and, on an as-needed basis, perform forensic reviews of cybersecurity-related incidents or independent security assessments.
With regard to risks posed by third-party vendors and service providers, Voya has a dedicated team that is responsible for evaluating, assessing, and addressing those risks, with the ultimate goal of protecting sensitive information and the security of our operations and systems supported by those vendors and providers using a risk-based approach. This team conducts due diligence on third-party vendors and service providers, including evaluating their information security controls and related measures, to identify potential risks and implement appropriate controls.
Technology risks, including cybersecurity threats, undergo a thorough risk management assessment. We evaluate risks quantitatively and qualitatively to determine both the probability and potential severity of such risks and whether any such risks could materially affect Voya. We have experienced and may continue to experience cybersecurity incidents and threats that could materially affect our business strategy, results of operations or financial condition. There have been no known cybersecurity incidents that have materially affected us in the past three years. For more information about the cybersecurity-related risks that we face, see "Interruption or other operational failures in telecommunication, cybersecurity, information technology and other operational systems, including as a result of human and process error or a failure to maintain the security, integrity, confidentiality, or privacy of such systems, could harm our business" in Risk Factors in Item 1A of this Annual Report on Form 10-K.
Cybersecurity Governance
As detailed above, the CISO and the information security team regularly assess and manage cybersecurity risks. Voya's information security leadership team has extensive information technology and information security experience, and the full team comprises over 100 employees with over 150 certifications from leading information security certification organizations. Additional management of cybersecurity risks is conducted by Voya's Technology and Operational Risk Committee ("TORC"), which has been delegated authority by Voya's Management Risk Committee to provide oversight of operational risk, including information and technology risk, as well as related legal, compliance and regulatory risks. Members of the TORC include senior management with relevant expertise in operations, technology, information security, legal, compliance, data privacy and operational risk management. The information security team participates in the TORC meetings to discuss cybersecurity risks and mitigation treatment. The TORC provides guidance and direction in assessing, addressing, mitigating and monitoring cybersecurity risks within Voya.
Voya’s Board committees include the Technology, Innovation and Operations ("TIO") Committee, which provides support to the Board in its oversight of information technology, including cybersecurity risks. In addition, the TIO Committee supports the Audit Committee in reviewing cybersecurity risks and disclosures thereof, and collaborates with both the Audit Committee and the Risk, Investment and Finance ("RIF") Committee of the Board to oversee material risks. Management, including the CISO, regularly updates the TIO Committee on cybersecurity-related matters.