AFLAC INC - (AFL)
10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY
Due to the ever-changing cybersecurity landscape, the Company’s board of directors has adopted an information security policy directing management to establish and operate a global information security program with the goals of identifying, assessing and monitoring existing and emerging cybersecurity threats and ensuring that the Company’s information assets and data, and the data of its customers, are appropriately protected from loss or theft. The Board has delegated oversight of the Company’s information security program to the Audit and Risk Committee.
The Company’s senior officers, including its Global Security and Chief Information Security Officer (GSCISO), are responsible for the operation of the global information security program and communicate quarterly with the Audit and Risk Committee on the program, including with respect to the state of the program, compliance with applicable regulations, risks associated with current and evolving threats, and recommendations for changes in the information security program. The global information security program includes a cybersecurity incident response plan that is designed to provide a management framework across Company functions for a coordinated assessment and response to potential security incidents. This framework establishes a protocol to report certain incidents to the GSCISO and other senior officers, with the goal of timely assessing such incidents, determining applicable disclosure requirements and communicating with the Audit and Risk Committee. The incident response plan directs the executive officers to report certain incidents immediately and directly to the Lead Non-Management Director or the Chair of the Audit and Risk Committee. The above framework tracks and allows team members to monitor each incident throughout its lifecycle to ensure the Company is informed about and following cybersecurity incidents as they are mitigated and remediated. Post-incident reviews are also performed to determine if there are any additional controls that may feasibly be implemented to prevent recurrence.
As a part of the global information security program, an enterprise cybersecurity risk assessment is performed annually in coordination with the GSCISO to identify and assess material cybersecurity risks and mitigating controls. The assessment results are incorporated into a risk register managed by the Company’s overall enterprise risk management group to integrate the risks into the overall risk management processes. The Company engages with independent firms to conduct operational control assessments, which cover information protection. Every three years, the Company engages independent consultants specifically for cyber matters. Additionally, the Company performs third-party risk assessments to evaluate security controls and identify inherent and residual risks associated with third-party engagements. Issues identified during third-party risk assessments are documented and escalated to Company management through an established committee structure based on the risk ratings associated with each issue.
The Company also utilizes professionals from the Company’s legal team and GSCISO’s leadership team, a majority of whom have specialized skills and knowledge in cybersecurity risk management based on their prior work experience and relevant industry certifications, such as Certified Information Systems Security Professional and Certified Information Security Manager, to assist in assessing cybersecurity risks, materiality of cybersecurity incidents and disclosures of the same. Specifically, the GSCISO has security experience in the public sector and private sector financial services industry holding positions in areas such as business continuity, information assurance, and technology risk management as well as being a Certified Information Systems Security Professional, Certified Information Security Manager and Certified Project Manager as well as being certified in Risk and Information Systems Control. The GSCISO and his direct reports have an average of approximately 23 years of experience in the field of cybersecurity.
See Item 1A. Risk Factors for the risk factor titled "Interruption in telecommunication, information technology and other operational systems, or a failure to maintain the security, confidentiality, integrity or privacy of sensitive data residing on such systems, could harm the Company's business" for additional information regarding how the Company's business strategy, results of operations, and financial condition could be adversely affected by risks from cybersecurity threats.