Brighthouse Financial, Inc. - (BHF)

10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management Program and Strategy
We understand the importance of maintaining a robust cybersecurity program to assess, identify, and manage the material risks associated with cybersecurity threats.
Managing Cybersecurity Risks; Cybersecurity Risk Management Strategy
Our cybersecurity risk management program is integrated into the Company’s enterprise risk management framework, and our strategy focuses on implementing effective and efficient processes, technologies, and controls to assess, identify, and manage cybersecurity risks. Our cybersecurity program is designed to be aligned with the National Institute of Standards and Technology (“NIST”) framework, which organizes the management of cybersecurity risks into five categories: identify, protect, detect, respond, and recover.
Our Chief Technology Officer (“CTO”) has overall responsibility for our information technology program, which includes the Company’s cybersecurity program. Our Chief Information Security Officer (“CISO”) is directly responsible for the Company’s cybersecurity program, which is designed to protect and preserve the integrity, confidentiality, and continued availability of the information owned by, or in the care of, the Company. Our CTO has over 25 years of information technology experience, including systems development, technology strategy, and vendor management; our CISO has over 30 years of information technology and cybersecurity program management experience. Prior to joining Brighthouse Financial, both our CTO and CISO previously served in roles that involved leading and overseeing information technology and cybersecurity programs at other public companies in the financial services industry. In addition, our CTO serves on a cross-departmental, management-level risk committee that oversees the Company’s enterprise risks, including cybersecurity risks. This enterprise-level risk committee is informed about and monitors the prevention, mitigation, detection, and remediation of cybersecurity incidents.
Our cybersecurity team regularly assesses the threat landscape and takes an enterprise-wide view of cybersecurity risks. We monitor issues that are internally discovered or externally reported that may affect our business, and we employ a range of tools and third-party services to effectuate our cybersecurity risk identification and assessments, including regular network and endpoint monitoring, threat and vulnerability assessments, and external penetration testing. In addition, our cybersecurity team conducts regular reviews, conducts tabletop exercises, performs internal testing, and leverages the audits performed by our internal audit team, as well as the services of third-party consultants, to assess and evaluate the effectiveness of our controls (in alignment with the NIST framework) and to improve our security measures and strategy. The cybersecurity team has also engaged a third party to measure our cybersecurity program against the NIST cybersecurity framework. The results of this assessment confirmed the rigor of our cybersecurity risk management practices.
Our cybersecurity team has also established Company-wide policies and procedures that cover cybersecurity matters, which are designed to enable us to effectively identify, evaluate, and respond to events that have the potential to impact our business. In the event of a cybersecurity incident, the Company utilizes a well-defined incident response plan that coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess severity, escalate, contain, investigate, and remediate the incident, as well as to comply with potentially applicable legal obligations (including relevant securities laws) and mitigate brand and reputational damage. This plan includes immediate actions to mitigate the impact, as well as long-term strategies for the remediation and prevention of future incidents. In accordance with this plan, we have established a cross-departmental Brighthouse Response Team that is responsible for coordinating enterprise-wide responses to cybersecurity incidents, as applicable. This Brighthouse Response Team provides reports regarding cybersecurity incidents to the enterprise-level risk committee referenced above.
Further, employees outside of our technology organization have a role in our cybersecurity defenses, and we encourage a corporate culture supportive of security, which we believe improves the effectiveness of our cybersecurity risk management program. Through our Security Awareness Program, we provide our employees with regular cybersecurity training and educational resources to help ensure that they remain vigilant against threats. These include frequent simulations, newsletters, alerts, e-mail reminders, and a mandatory annual cybersecurity awareness training course for all employees. In addition to company policies that we make available to all employees, our awareness training provides clear reporting and escalation processes in the event of suspicious activity.
Third-Party Risk Management
Our processes also address the cybersecurity risks associated with our use of third-party vendors, some of whom have access to our customer and employee data. We conduct security assessments of all third-party vendors that have access to our systems, our data and/or the facilities that house such systems or data. As part of our third-party risk management program, our cybersecurity risk management and third-party risk management teams collaborate to monitor our third-party vendors’ compliance with our cybersecurity standards. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third parties.
Risks from Cybersecurity Threats
Our systems and our third-party vendors’ systems periodically experience directed attacks intended to lead to (i) interruptions or delays in our operations or (ii) the loss, misuse or theft of personal information and other data, including confidential information or intellectual property. We have not experienced any cybersecurity incidents to date, directly or indirectly, that have materially impacted our business, financial condition, or results of operations. For more information regarding our risks from cybersecurity threats, see “Risk Factors — Operational Risks — Any failure in cyber- or other information security systems, as well as the occurrence of events unanticipated in Brighthouse Financial’s or our third-party service providers’ disaster recovery systems and business continuity planning could result in a loss or disclosure of confidential information, damage to our reputation and impairment of our ability to conduct business effectively” and “Risk Factors — Operational Risks — Any failure to protect the confidentiality of customer, employee, or other third-party information could adversely affect our reputation and have a material adverse effect on our business, financial condition and results of operations.”
Governance
Board of Directors - Oversight and Management Reporting
The Audit Committee of the Board of Directors (the “Audit Committee”) is primarily responsible for overseeing cybersecurity risks, and the Board of Directors is actively engaged with respect to these risks. The Audit Committee and/or the Board of Directors generally meet with our CTO and CISO on a quarterly basis to review our information technology and cybersecurity risk profile and to discuss our activities to manage the related risks, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, tabletop exercises, and other areas of importance. In addition to these regular meetings, we have an escalation process in place to timely inform the Board of Directors of any significant cybersecurity incidents, including any updates relating thereto, to ensure that the Board of Directors’ oversight is proactive and responsive. Our Chief Compliance Officer also regularly reports to the Audit Committee regarding the Company’s compliance with applicable regulations relating to cybersecurity.