Page last updated on July 16, 2024
BRIGHTHOUSE LIFE INSURANCE Co reported its cybersecurity risk management and governance process in its annual 10-K, filed on 2024-02-29 16:21:22 EST.
Filings
10-K filed on 2024-02-29
BRIGHTHOUSE LIFE INSURANCE Co filed a 10-K at 2024-02-29 16:21:22 EST
Accession Number: 0000733076-24-000007
Item 1C. Cybersecurity.
Cybersecurity Risk Management Program and Strategy

We understand the importance of maintaining a robust cybersecurity program to assess, identify, and manage the material risks associated with cybersecurity threats.

Managing Cybersecurity Risks; Cybersecurity Risk Management Strategy

Our cybersecurity risk management program is integrated into the Brighthouse Financial enterprise risk management framework, and our strategy focuses on implementing effective and efficient processes, technologies, and controls to assess, identify, and manage cybersecurity risks. Our cybersecurity program, which is managed at an enterprise level, is designed to be aligned with the National Institute of Standards and Technology (“NIST”) framework, which organizes the management of cybersecurity risks into five categories: identify, protect, detect, respond, and recover.

The Chief Technology Officer of Brighthouse Financial (the “CTO”) has overall responsibility for our information technology program, which includes the Company’s cybersecurity program. The Chief Information Security Officer of Brighthouse Financial (the “CISO”) is directly responsible for the Brighthouse Financial cybersecurity program, which is designed to protect and preserve the integrity, confidentiality, and continued availability of the information owned by, or in the care of, the Company. The CTO has over 25 years of information technology experience, including systems development, technology strategy, and vendor management; the CISO has over 30 years of information technology and cybersecurity program management experience. Prior to joining Brighthouse Financial, both the CTO and CISO previously served in roles that involved leading and overseeing information technology and cybersecurity programs at other public companies in the financial services industry.

In addition, the CTO serves on a cross-departmental, management-level risk committee that oversees Brighthouse Financial’s enterprise risks, including cybersecurity risks. This enterprise-level risk committee is informed about and monitors the prevention, mitigation, detection, and remediation of cybersecurity incidents. The Brighthouse Financial cybersecurity team regularly assesses the threat landscape and takes an enterprise-wide view of cybersecurity risks. We monitor issues that are internally discovered or externally reported that may affect our business, and we employ a range of tools and third-party services to effectuate our cybersecurity risk identification and assessments, including regular network and endpoint monitoring, threat and vulnerability assessments, and external penetration testing. In addition, the Brighthouse Financial cybersecurity team conducts regular reviews, conducts tabletop exercises, performs internal testing, and leverages the audits performed by our internal audit team, as well as the services of third-party consultants, to assess and evaluate the effectiveness of our controls (in alignment with the NIST framework) and to improve our security measures and strategy. The cybersecurity team has also engaged a third party to measure the Brighthouse Financial cybersecurity program against the NIST cybersecurity framework. The results of this assessment confirmed the rigor of our cybersecurity risk management practices. The cybersecurity team has also established company-wide policies and procedures that cover cybersecurity matters, which are designed to enable us to effectively identify, evaluate, and respond to events that have the potential to impact our business.

In the event of a cybersecurity incident, Brighthouse Financial utilizes a well-defined incident response plan that coordinates the activities we take to prepare for, detect, respond to, and recover from cybersecurity incidents, which include processes to triage, assess severity, escalate, contain, investigate, and remediate the incident, as well as to comply with potentially applicable legal obligations (including relevant securities laws) and mitigate brand and reputational damage. This plan includes immediate actions to mitigate the impact, as well as long-term strategies for the remediation and prevention of future incidents. In accordance with this plan, we have established a cross-departmental Brighthouse Response Team that is responsible for coordinating enterprise-wide responses to cybersecurity incidents, as applicable. This Brighthouse Response Team provides reports regarding cybersecurity incidents to the enterprise-level risk committee referenced above.

Further, associates outside of our technology organization have a role in our cybersecurity defenses, and we encourage a corporate culture supportive of security, which we believe improves the effectiveness of our cybersecurity risk management program. Through our Security Awareness Program, our associates are provided with regular cybersecurity training and educational resources to help ensure that they remain vigilant against threats. These include frequent simulations, newsletters, alerts, e-mail reminders, and a mandatory annual cybersecurity awareness training course for all employees. In addition to company policies that we make available to all employees, our awareness training provides clear reporting and escalation processes in the event of suspicious activity.

Third-Party Risk Management

Brighthouse Financial processes also address the cybersecurity risks associated with the use of third-party vendors, some of whom have access to our customer and employee data. We conduct security assessments of all third-party vendors that have access to our systems, our data and/or the facilities that house such systems or data. As part of our third-party risk management program, the cybersecurity risk management and third-party risk management teams collaborate to monitor our third-party vendors’ compliance with our cybersecurity standards. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third parties.

Risks from Cybersecurity Threats

Brighthouse Financial systems and our third-party vendors’ systems periodically experience directed attacks intended to lead to (i) interruptions or delays in our operations or (ii) the loss, misuse or theft of personal information and other data, including confidential information or intellectual property. We have not experienced any cybersecurity incidents to date, directly or indirectly, that have materially impacted our business, financial condition, or results of operations. For more information regarding our risks from cybersecurity threats, see “Risk Factors - Operational Risks - Any failure in cyber- or other information security systems, as well as the occurrence of events unanticipated in Brighthouse Financial’s or our third-party service providers’ disaster recovery systems and business continuity planning could result in a loss or disclosure of confidential information, damage to our reputation and impairment of our ability to conduct business effectively” and “Risk Factors - Operational Risks - Any failure to protect the confidentiality of customer, associates, or other third-party information could adversely affect our reputation and have a material adverse effect on our business, financial condition and results of operations.”

Governance

Board of Directors - Oversight and Management Reporting

The Audit Committee of the Board of Directors of Brighthouse Financial, Inc. (the “Audit Committee”) is primarily responsible for overseeing cybersecurity risks, and the Board of Directors of Brighthouse Financial, Inc. (the “Board”) is actively engaged with respect to these risks. The Audit Committee and/or the Board generally meet with our CTO and CISO on a quarterly basis to review our information technology and cybersecurity risk profile and to discuss our activities to manage the related risks, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, tabletop exercises, and other areas of importance. Our Board also receives regular technology and cybersecurity updates. In addition to these regular meetings, we have an escalation process in place to timely inform the Board of any significant cybersecurity incidents, including any updates relating thereto, to ensure that the Board’s oversight is proactive and responsive. Our Chief Compliance Officer also regularly reports to the Audit Committee and our Board regarding the Company’s compliance with applicable regulations relating to cybersecurity.
Company Information
| Field | Value |
| --- | --- |
| Name | BRIGHTHOUSE LIFE INSURANCE Co |
| CIK | 0000733076 |
| SIC Description | Life Insurance |
| Ticker | |
| Website | |
| Category | Non-accelerated filer |
| Fiscal Year End | December 30 |