METLIFE INC - (MET)
10-K Filing Date: February 15, 2024
Item 1C. Cybersecurity
Cybersecurity Management & Strategy
We manage information security risk through, and as part of, MetLife’s Information Security Program (the “Program”), which institutes and maintains controls for the systems, applications, and databases of the Company and of its third-party providers. The primary goal of the Program is to protect the confidentiality, integrity and availability of all data MetLife owns or possesses, as well as its technology assets, through physical, technical, and administrative safeguards. This includes controls and procedures for monitoring, detecting, reporting, containing, managing, and remediating cyber threats. The Program aims to prevent data exfiltration, manipulation, and destruction, as well as system and transactional disruption. The Program’s threat-centric and risk-based approach for securing the MetLife environment takes into consideration applicable guidelines from the cybersecurity framework developed by the U.S. Government’s National Institute of Standards and Technology, and is managed by MetLife’s CISO, in collaboration across lines of business and corporate functions. Our Board of Directors oversees the Program.
The key features of the Program include:
• A cybersecurity incident response team under the CISO’s direction, which is responsible for monitoring and responding to threats, vulnerabilities, and incidents.
• An incident response plan that is managed by the CISO and our Privacy Office and tested through cross-functional annual exercises in various geographical regions of the Company, many of which include participation from senior executives and the Board of Directors.
• Information security policies and procedures that are reviewed at least annually and updated to reflect applicable changes in law, technology, practice and emerging threats.
• Regular network and application testing and surveillance.
• Periodic review of threats, vulnerabilities and other cybersecurity risks, internal and external.
• Risk mitigation strategies, including annual internal and third-party risk assessments, as well as cybersecurity and privacy liability insurance intended to defray costs associated with an information security breach.
• Vendor management procedures designed to identify and address potential risks associated with the use of third-party service providers.
• Employee training programs on information security, data security, and cybersecurity practices and protection of data against cyber threats, at least annually.
• A cross-functional approach to addressing cybersecurity risk, with participation from Global Technology & Operations, Risk, Compliance, Legal, Privacy and Internal Audit functions.
We exercise risk-based due diligence in selecting our third-party service providers, including, as appropriate, review of vendor applications, general IT controls and the IT facilities used to service MetLife’s business. Third parties are governed by the MetLife Third-Party Risk Management program, which includes risk assessment prior to onboarding. Based on the assessment of risk, certain third-party service providers must periodically update relevant assessment documentation and be reevaluated by MetLife relative to their internal controls. Vendors deemed critical and high risk are continuously monitored by various industry solutions and services designed to identify cybersecurity risks.
We also work with third parties, such as independent assessors (for example, for industry maturity assessments, penetration testing, application security reviews, and independent audits), external legal counsel and other consultants as part of the design and implementation of the Program. The Program is periodically evaluated by external experts, and the results of those reviews are reported to the Board of Directors.
During the period covered by this report, we have not identified risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect MetLife, including its business strategy, results of operations or financial condition. For further discussion of MetLife’s risks related to cybersecurity, see “Risk Factors — Operational Risks — We May Fail to Protect the Confidentiality and Integrity of Our Data, Including As a Result of a Failure in Our Cybersecurity or Other Information Security Systems or Our Disaster Recovery Plans or Those of Our Vendors.”
Cybersecurity Governance
The CISO is a senior-level executive responsible for establishing and executing the Company’s information security strategy. Management provides regular reports to the CISO detailing ongoing cybersecurity risk management. The CISO and the head of Global Technology & Operations present updates to the Audit Committee quarterly and, as necessary, to our full Board of Directors. These regular reports include updates on our performance in preparing for, preventing, detecting, responding to and recovering from cyber incidents. The Audit Committee also reviews with management, as necessary, but at least annually, the adequacy and effectiveness of the Company’s policies and internal controls regarding information security and cybersecurity. Additionally, the CISO periodically and on an event-driven basis informs and updates the Board of Directors about information security incidents and the related risks posed to the Company.
The Program is subject to MetLife’s risk management framework and operates under the “Three Lines of Defense” model MetLife uses. The CISO regularly reports about information security risk to the Enterprise Risk Committee (“ERC”), including the Chief Risk Officer (“CRO”), and other members of the senior management team. See “Management’s Discussion and Analysis of Financial Condition and Results of Operations — Risk Management.”
The CISO, who oversees an organization that supports the day-to-day operation of the Program, is qualified in the areas of data protection and cybersecurity, having more than twenty years of professional IT experience in financial services. Prior to his current role, the CISO served as MetLife’s Global Chief Technology Officer with accountability for the Company’s global infrastructure, engineering, service operations, quality assurance, application maintenance, and production management functions; before joining MetLife in 2012, he also served variously as the chief technology officer, CISO, chief information officer and global head of telecommunications engineering at other financial institutions.