PRINCIPAL FINANCIAL GROUP INC - (PFG)

10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity

Risk management is an essential component of our culture and business model. Guarding against the specific risks posed by cybersecurity threats has been and will continue to be very dynamic in nature, requiring that we remain agile and aware of internal and external changes. We recognize that cybersecurity threats can be among the most critical risks facing large companies. As a result, cybersecurity is treated as a Board-level matter and overseen by the Board. However, both the Board and management have an integral role in the identification, assessment and management of cybersecurity risk.


The Board oversees management’s execution and performance of its risk management responsibilities, which include cybersecurity threats. The Board receives at least one cybersecurity report every quarter from our Chief Information Officer, our Chief Information Security Officer, our Chief Risk Officer or other professionals. The Board also reviews and approves the business resiliency and information security programs intended to guard against cybersecurity and related risks. Lastly, the Board receives input on cybersecurity issues from external entities such as our independent auditor, regulators and consultants. Each of these steps furthers the Board’s efforts to ensure we have established and are proactively maintaining an enterprise-wide cybersecurity risk program with appropriate policies, practices and controls designed to ensure resiliency in the face of emerging threats.

Management holds relevant expertise in assessing and managing cybersecurity threats. Numerous members of management and employees across the information security and risk functions hold nationally recognized designations or certifications, including the Certified Information Systems Security Professional designation, Global Information Assurance Certifications or Amazon Web Services Cloud Certifications. We also provide role-based security training to workers with assigned information security-related roles and responsibilities. This includes topics on social engineering tactics and other general threats that could lead to system compromise and data loss. The initiatives and processes discussed further below also contribute to the expertise and experience of management.

The framework for our overall process for managing risk encompasses the management of risks posed by cybersecurity threats and is discussed further in Item 1. “Business, Risk Management.” As a general matter, we take a proactive approach to assessing and monitoring cybersecurity-specific risks that is oriented around monitoring emerging external threats, ensuring controls are in place to identify and manage risk within our technology environment and creating a culture of vigilance across the organization.

We test for and resolve weaknesses and vulnerabilities within our systems and applications by using network and infrastructure vulnerability testing and adversary emulation, also known as red teaming, and hire a third party to do the same at least once a year. We also undergo a third party maturity assessment of our information security program every two years and a third party enterprise penetration test annually. We leverage external resources to help define information security and technology standards for our environment.

Our cybersecurity controls are monitored and refined based on learnings from regular red team engagements and analysis by threat hunters. All cyber defense operations are enriched through a dedicated cybersecurity threat intelligence function. We collaborate with information security peers across the industry to maximize threat intelligence. Our threat intelligence program helps create awareness and understanding of potential cybersecurity threats and adversaries. We proactively assess potential risks presented by new services or systems integrated with our network or data and ensure appropriate controls are applied under such circumstances. We perform due diligence and monitor third party relationships based on risk profile to assess the suitability of their cybersecurity controls and protocols for the business operations or services for which they are engaged.

Our awareness and training program creates a risk-aware culture to ensure employees understand cybersecurity threats and are accountable for completing required training. We have empowered and conditioned our global workforce to recognize and resist phishing attempts with our simulated phishing program. At least quarterly, our employees are presented with simulated phishing scenarios that deliver hands-on experience and on-the-spot education opportunities. All engineers and employees holding equivalent roles who are involved in software development also receive mandated secure software development training.

We have an enterprise incident management plan that provides a framework for preparing for, managing and responding to cybersecurity incidents that may arise. The plan ensures that stakeholders across the organization with the appropriate experience, training and expertise in incident management are identified, and that the organization is well positioned to address incidents. For example, we carry out cybersecurity incident response exercises to develop widespread familiarity and experience in responding to cybersecurity incidents.

No risks from any known cybersecurity incidents have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. For further discussion related to how cybersecurity risks may impact our performance in the future, see Item 1A. “Risk Factors.”