LINCOLN NATIONAL CORP - (LNC)
10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Operational Risk Management and Strategy
Identifying, assessing and managing material risks from cybersecurity threats is a core component of our overall operational risk management. The Company’s Information Security team is the primary group responsible for cybersecurity and consists of four divisions with specific mandates:
• The security engineering division, which leads our “security by design” efforts to help ensure cybersecurity considerations are taken into account in our applications, cloud architecture and infrastructure;
• The governance, risk and compliance division, which includes responsibility for developing cybersecurity-related policies and procedures, training and supplier security review;
• The cybersecurity response and investigations (“CSRI”) division; and
• The identity access management division, which is responsible for managing access to our data and technology infrastructure.
The work done by each of these divisions is applied both tactically and strategically to operations, as well as to broader risk management activities.
The governance, risk and compliance division of our Information Security team includes a dedicated information technology (“IT”) and Cyber operation risk assessment team. This team conducts assessments that are focused on the Company’s most significant IT and cyber risks, the results of which are leveraged by the Company’s IT leadership, among other inputs, to mitigate, reduce and/or manage against such risks. While it is not possible to be certain that all risks, threats and vulnerabilities to our information and systems have been identified, our cybersecurity risk management processes are designed to, using a risk-based approach, identify reasonably known risks from cybersecurity threats and ensure material risks are managed appropriately.
The work done by the Information Security team integrates into the Company’s overall Enterprise Risk Management (“ERM”) program. Data is contributed to the ERM team in support of our broader operational risk framework and processes through completion of the Risk and Control Self-Assessment for IT and cyber, which is aggregated into the larger operational risk program. Members of IT and Information Security senior leadership participate on the Company’s Operational Risk Committee (“ORC”), which is a standing committee whose purpose is to review and monitor threats to our business operations and strategy that manifest from inadequate or failed internal processes, controls, people or systems or from external events. In addition, the Company’s Internal Audit team performs an annual security audit that focuses on cybersecurity risks, the results of which are reported to the Company’s IT leadership team and the Audit Committee of the Company’s Board of Directors. This audit process provides an additional layer of support to help ensure that cybersecurity risks are managed and responded to appropriately.
While our Information Security team uses some third-party resources as part of its efforts to assess, identify and manage material risks from cybersecurity threats (e.g., certain third-party software tools, threat intelligence and periodic penetration testing), our cybersecurity efforts are predominantly conducted through our internal resources.
Monitoring and Incident Response
The CSRI division of our Information Security team is responsible for the operation of our internal Security Operations Center (“SOC”), which performs monitoring and alerting for security events 24 hours a day, 7 days a week, 365 days a year. The CSRI division also actively seeks out cybersecurity threats that might affect the organization and/or our customers. The CSRI team is a component of Lincoln’s formal security incident response team (“SIRT”) and process. In addition to the Information Security team, the SIRT also includes representatives from the Company’s legal and compliance teams (including Privacy), office of business resiliency, chief risk office, corporate communications, as well as the information technology team. While the CSRI division is responsible for cybersecurity responses generally, should a critical event arise, such an event would be raised to and addressed by the SIRT.
Our Privacy team, which is part of the Company’s compliance function, has a dedicated incident response team responsible for assessing, identifying and managing risks from cybersecurity threats involving personal information. The team follows documented processes for investigation, research, assessment, notification, regulatory reporting and, if necessary, escalation to management, and such processes have been integrated into our Information Security incident response program. The Information Security team works closely with our Privacy team to respond to any cybersecurity incidents involving personal information. The Privacy team engages third parties to assist with incident assessment and notification.
Supplier Risk Management and Strategy
Within the governance, risk and compliance division of our Information Security team, we operate a formal supplier security assessment program, with a team dedicated to evaluating the cybersecurity risk associated with third party suppliers with whom we have contracted and who we believe may pose a cybersecurity threat to the Company, our customers or our business partners due to the type of services they provide and/or confidential information they may be handling. This team assesses the security posture of the supplier, as well as the security of the systems and services provided. In addition, the team works closely with our procurement and legal teams to help ensure that appropriate security requirements are included in our contractual arrangements with the suppliers. The team conducts an assessment both at the outset of the engagement of a new supplier, and then periodically thereafter, based on assigned risk levels, as well as in the event of any new services or changes to the engagement. The Information Security team’s process for conducting periodic security reviews of third parties is a component of our operational risk management team’s broader periodic review of third parties.
Risks from Cybersecurity Threats
Although our computer systems and the computer systems of third parties on which we rely have in the past been, and will likely in the future be, subject to or targets of unauthorized or fraudulent access, to date the Company, including our business strategy, results of operations or financial condition, has not been materially affected by a cybersecurity breach. There are risks from cybersecurity threats that if they were to occur could materially affect the Company, including its business strategy, results of operations or financial condition, as discussed in “Item 1A. Risk Factors – Operational Matters – Our information systems or the information systems of third parties on which we rely may experience interruptions, breaches in security and/or a failure of disaster recovery systems that could result in a loss or disclosure of confidential information, damage to our reputation, impairment of our ability to conduct business effectively and increased expenses” and “Item 1A. Risk Factors – Legislative, Regulatory and Tax – Compliance with existing and emerging privacy laws and regulations could result in increased compliance costs and/or lead to changes in business practices and policies, and any failure to protect the confidentiality of personal information could adversely affect our reputation and have a material adverse effect on our business, financial condition and results of operations.”
Governance
The Company’s Board of Directors is responsible for regular oversight of the Company’s overall risk management process. The Board reviews the most significant risks the Company faces and the manner in which our executives manage these risks. The Board has also delegated certain of its risk oversight efforts to its committees. Oversight of cybersecurity risk has been delegated to the Audit Committee of the Board of Directors.
The Company’s senior management is primarily responsible for establishing policies and procedures designed to identify, assess and manage the Company’s significant risks, with our Chief Information Security Officer (“CISO”) having primary responsibility with respect to material risks from cybersecurity threats. We also have a Corporate Enterprise Risk and Capital Committee, made up of members of senior management and the Company’s Chief Risk Officer, which provides oversight of our enterprise-wide risk structure and of our processes to identify, measure, monitor and manage significant risks, including, but not limited to, cybersecurity risk.
The Information Security organization is led by our CISO. The head of each of the four divisions of our Information Security team reports directly to the CISO. The CISO reports directly to the Company’s Chief Information Officer and Head of IT (“CIO”), who is a member of the Company’s Senior Management Committee. As a result, all information security personnel report into the CISO, and ultimately the CIO. The CISO also reports indirectly to the Audit Committee of the Board of Directors. Biannually, the CISO reports to the Audit Committee on the cybersecurity risks facing the Company and cybersecurity developments generally. In addition, as discussed above, the Company’s Internal Audit team reports to the Audit Committee the results of its annual security audit focused on cybersecurity risks. The Company’s Chief Compliance Officer reports key Privacy risk indicators and statistics (including those related to cybersecurity risks) to the Audit Committee on a quarterly basis.
Our current CISO has over 20 years of experience in the field of cybersecurity and holds a Certified Information Security Systems Professional designation. The CISO has a staff of more than 100 employees dedicated to protecting the data and systems belonging to the Company, our customers, business partners and consumers.