Corebridge Financial, Inc. - (CRBG)
10-K Filing Date: February 15, 2024
Item 1C. | Cybersecurity
CYBERSECURITY RISK MANAGEMENT
We have historically been dependent on AIG’s risk management, cybersecurity and privacy policies, standards and procedures to identify, monitor, mitigate and communicate to us and our Board of Directors the cybersecurity risks to which we are exposed and which we manage. As a result, during 2023, we primarily relied on AIG to provide cybersecurity risk management and cybersecurity services to us pursuant to the Transition Services Agreement with AIG. While we remain reliant on AIG for the provision of certain of these services, as part of our separation from, and in cooperation with, AIG, we have developed and are in the process of implementing an Information Security Program for Corebridge (the “Program”) that includes, among other things, conducting periodic risk assessments designed to evaluate potential security threats, to detect potential vulnerabilities, and to mitigate identified security risks. The Program is informed by industry standards and frameworks and is designed to protect the confidentiality, integrity, and availability of Corebridge’s information assets and systems that store, process, or transmit material non-public information. Where appropriate, we also engage third parties to evaluate our Program and our cybersecurity risk management and to provide operational support for the Program.
The Program includes the following key elements:
• Network, Systems, and Data Security – Corebridge deploys technical and organizational safeguards that are designed to protect Corebridge’s networks, systems, and data from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality, software security assessments, and access and identity management controls;
• Threat and Vulnerability Management – Corebridge maintains a threat and vulnerability management program that leverages threat intelligence to proactively identify, assess, and address cybersecurity risks. This program incorporates vulnerability scanning, risk-based remediation and mitigation, penetration testing, and threat response capabilities to safeguard our information assets and ensure business continuity;
• Cybersecurity Incident Monitoring and Response – Corebridge has established and maintains incident response plans that address Corebridge’s response to a cybersecurity incident, utilizing a cross-functional approach;
• Third Party Assessment and Oversight – Corebridge maintains a third-party risk management program to identify and manage risks from third-party service providers, including initial due diligence, an assessment of the service provider’s control environment and periodic re-assessments; and
• Security Training and Awareness – Corebridge provides ongoing education and training to employees regarding information security threats, and their role and responsibility in detecting and responding to such threats.
The Program is evaluated on an ongoing basis to address the evolving cyber threat landscape and to comply with applicable legal and regulatory obligations. See “Business—Regulation—U.S. Regulation—Privacy, Data Protection and Cybersecurity” for further discussion. Control adequacy and design are reviewed periodically, and periodic audits assist in identifying areas for continued focus, improvement and/or inclusion, and are designed to provide assurance that controls are appropriately designed and operating effectively. Additionally, our Internal Audit group performs testing of Corebridge’s control environment, including the Program.
Our Chief Information Security Officer (“CISO”) provides oversight and direction for the Program and coordinates with other corporate functions and business segments to address all aspects of the Program, including recommending adjustments in response to changes in technology, internal or external threats, business processes, and regulatory or statutory requirements, and communicates the information security risk posture of Corebridge to the relevant internal individuals, committees and departments, including as further described below.
Board Oversight and Governance
As discussed above, we have historically relied upon AIG to provide oversight of cybersecurity risk management and cybersecurity services that AIG provides to us pursuant to the Transition Services Agreement. In connection with our separation from AIG we are in the process of implementing certain processes, including training and reporting, to help facilitate oversight of information security risks by Corebridge’s senior management and Board of Directors. These processes will enable our operations and risk management functions that monitor cybersecurity risks and examine control performance to report and escalate cybersecurity risks to senior management and the Board of Directors, as appropriate.
One of the main forums for reporting and escalating cybersecurity risks is the Corebridge Risk and Capital Committee (“RCC”), which is composed of senior management personnel and led by our Chief Risk Officer (“CRO”), who is the head of our ERM function. ERM supports the identification, measurement, management, monitoring and reporting of major risks, which include cybersecurity risks. The RCC is responsible for addressing significant risk issues reported by ERM, including those related to cybersecurity, to protect Corebridge’s financial strength, optimize Corebridge’s intrinsic value, and protect Corebridge’s reputation. Corebridge’s CRO reports to the Board Audit Committee on risk issues, including cybersecurity risks. In addition to the foregoing, we are implementing a practice whereby Corebridge’s Chief Information Officer (“CIO”) and/or CISO discuss Corebridge’s approach to cybersecurity risk management directly with the Board of Directors at least once a year. The CIO, CISO and business segment specific CIOs and CISOs also report to Corebridge’s subsidiary boards and the RCC as needed on material cyber risks and Corebridge’s security posture and information security strategy.
Corebridge’s CISO reports to our CIO and is principally responsible for overseeing the Program, in partnership with other business leaders across Corebridge including the respective business segments’ CIO, CISO and Chief Technology Officer. Our CISO has over 25 years of information security and risk management experience and has served in his current role since joining Corebridge in 2021. He previously served in numerous information security management roles, including as CISO, at various financial sector organizations. Our CIO also has over 25 years of experience and has served as CIO of Corebridge since 2020 and Executive Vice President since February 2022. Previously he served in various technology executive management roles at MetLife, Inc., including Senior Vice President and Chief Information Officer for its U.S. business and Senior Vice President of U.S. Application Development.
Corebridge’s cybersecurity personnel maintain current knowledge through training programs, professional certifications, and participation in industry and advisory groups (e.g., the Financial Services Information Sharing and Analysis Center and the Securities Industry and Financial Markets Association). Company cybersecurity personnel expand and test their knowledge of cyber threats and countermeasures through additional on-the-job training to practice their response to real-life threats. In addition, and as part of performance development, certain of our cybersecurity personnel obtain industry approved certifications as appropriate for their roles and responsibilities. Examples of certifications held by the Company’s cybersecurity personnel include CISSP (“Certified Information Systems Security Professional”) and CISM (“Certified Information Security Manager”).
As one of our new processes, we have implemented a cybersecurity incident response plan that sets forth a specific framework for responding to and managing potential and actual cybersecurity incidents, provides guidance on the roles of, and interactions with, various departments within Corebridge, and defines certain processes and procedures for cybersecurity incident response and management. Our cybersecurity incident response plan and procedures also establish escalation protocols in connection with a potential cybersecurity incident. These protocols vary depending upon the specific factors involved, including the materiality of an incident, the related harms and risks associated therewith, any undertakings required to mitigate and remediate any such incident and any corresponding legal or regulatory actions. Under the cybersecurity incident response plan and its protocols, incidents are responded to by multidisciplinary teams and are further escalated to the attention of senior management and our Board of Directors when applicable.
While there have been no material cybersecurity incidents that have affected Corebridge for the period covered by this annual report, on June 16, 2023, our vendor, Pension Benefit Information, LLC (“PBI”), notified us that data specific to Corebridge customers had been compromised in a security incident that PBI experienced targeting a zero-day vulnerability in PBI’s instance of the MOVEit Transfer Application, a managed file transfer software used by thousands of organizations. While we continue to measure the impact of this incident, including certain remediation expenses and other potential liabilities, we do not currently believe this incident will have a material adverse effect on our business, operations, or financial results.
For a discussion regarding risks associated with cybersecurity threats, see “Risk Factors—Risks Relating to Business and Operations—We may be unable to maintain the availability of our critical technology systems and data and safeguard the confidentiality and integrity of our data” and “Risk Factors—Risks Relating to Business and Operations—Our risk management policies, standards and procedures may prove to be ineffective and leave us exposed to unidentified or unanticipated risk.”