Page last updated on July 16, 2024
METROPOLITAN LIFE INSURANCE CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-06 18:20:37 EST.
Filings
10-K filed on 2024-03-06
METROPOLITAN LIFE INSURANCE CO filed a 10-K at 2024-03-06 18:20:37 EST
Accession Number: 0000937834-24-000004
Item 1C. Cybersecurity.
Cybersecurity Management & Strategy

MetLife manages information security risk through, and as part of, MetLife’s Information Security Program (the “Program”), which institutes and maintains controls for the systems, applications, and databases of MetLife and of its third-party providers. The primary goal of the Program is to protect the confidentiality, integrity and availability of all data MetLife owns or possesses, as well as its technology assets, through physical, technical, and administrative safeguards. This includes controls and procedures for monitoring, detecting, reporting, containing, managing, and remediating cyber threats. The Program aims to prevent data exfiltration, manipulation, and destruction, as well as system and transactional disruption. The Program’s threat-centric and risk-based approach for securing the MetLife environment takes into consideration applicable guidelines from the cybersecurity framework developed by the U.S. Government’s National Institute of Standards and Technology, and is managed by MetLife’s CISO, in collaboration across lines of business and corporate functions. The Board of Directors of MetLife, Inc. (the “Board” or “Board of Directors”) oversees the Program.

The key features of the Program include:

- A cybersecurity incident response team under the CISO’s direction, which is responsible for monitoring and responding to threats, vulnerabilities, and incidents.
- An incident response plan that is managed by the CISO and MetLife’s Privacy Office and tested through cross-functional annual exercises in various geographical regions of MetLife, many of which include participation from senior executives and the Board of Directors.
- Information security policies and procedures that are reviewed at least annually and updated to reflect applicable changes in law, technology, practice and emerging threats.
- Regular network and application testing and surveillance.
- Periodic review of threats, vulnerabilities and other cybersecurity risks, internal and external.
- Risk mitigation strategies, including annual internal and third-party risk assessments, as well as cybersecurity and privacy liability insurance intended to defray costs associated with an information security breach.
- Vendor management procedures designed to identify and address potential risks associated with the use of third-party service providers.
- Employee training programs on information security, data security, and cybersecurity practices and protection of data against cyber threats, at least annually.
- A cross-functional approach to addressing cybersecurity risk, with participation from Global Technology & Operations, Risk, Compliance, Legal, Privacy and Internal Audit functions.

We exercise risk-based due diligence in selecting our third-party service providers, including, as appropriate, review of vendor applications, general IT controls and the IT facilities used to service MetLife’s business. Third parties are governed by the MetLife Third-Party Risk Management program, which includes risk assessment prior to onboarding. Based on the assessment of risk, certain third-party service providers must periodically update relevant assessment documentation and be reevaluated by MetLife relative to their internal controls. Vendors deemed critical and high risk are continuously monitored by various industry solutions and services designed to identify cybersecurity risks. MetLife also works with third parties, such as independent assessors (for example, for industry maturity assessments, penetration testing, application security reviews, and independent audits), external legal counsel and other consultants as part of the design and implementation of the Program. The Program is periodically evaluated by external experts, and the results of those reviews are reported to the Board of Directors.

During the period covered by this report, we have not identified risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition. For further discussion of our risks related to cybersecurity, see “Risk Factors - Operational Risks - We May Fail to Protect the Confidentiality and Integrity of Our Data, Including As a Result of a Failure in Our Cybersecurity or Other Information Security Systems or Our Disaster Recovery Plans or Those of Our Vendors.”

Cybersecurity Governance

The CISO is a senior-level executive responsible for establishing and executing MetLife’s information security strategy. Management provides regular reports to the CISO detailing ongoing cybersecurity risk management. The CISO and the head of Global Technology & Operations present updates to the Audit Committee of MetLife, Inc. (the “Audit Committee”) quarterly and, as necessary, to the full Board of Directors. These regular reports include updates on MetLife’s performance preparing for, preventing, detecting, responding to and recovering from cyber incidents. The Audit Committee also reviews with management, as necessary, but at least annually, the adequacy and effectiveness of MetLife’s policies and internal controls regarding information security and cybersecurity. Additionally, the CISO periodically and on an event-driven basis informs and updates the Board of Directors about information security incidents and the related risks posed to MetLife. The Program is subject to MetLife’s risk management framework and operates under the “Three Lines of Defense” model MetLife uses. The CISO regularly reports about information security risk to the Enterprise Risk Committee (“ERC”), including the Chief Risk Officer (“CRO”), and other members of the senior management team. See “Management’s Discussion and Analysis of Financial Condition and Results of Operations - Risk Management.”

The CISO, who oversees an organization that supports the day-to-day operation of the Program, is qualified in the areas of data protection and cybersecurity, having more than twenty years of professional IT experience in financial services. Prior to his current role, the CISO previously served as MetLife’s Global Chief Technology Officer with accountability for MetLife’s global infrastructure, engineering, service operations, quality assurance, application maintenance, and production management functions; he also served variously as the chief technology officer, CISO, chief information officer and global head of telecommunications engineering at other financial institutions prior to joining MetLife in 2012.
Company Information
Name | METROPOLITAN LIFE INSURANCE CO |
CIK | 0000937834 |
SIC Description | Life Insurance |
Ticker | |
Website | |
Category | Non-accelerated filer |
Fiscal Year End | December 30 |