Page last updated on February 14, 2025
AMERICAN INTERNATIONAL GROUP, INC. described its cybersecurity risk management and governance process in an annual 10-K filed on 2025-02-13 16:49:44 EST.
Filings
10-K filed on 2025-02-13
AMERICAN INTERNATIONAL GROUP, INC. filed a 10-K at 2025-02-13 16:49:44 EST
Accession Number: 0000005272-25-000012
Item 1C. Cybersecurity.
ITEM 1C | Cybersecurity

CYBERSECURITY RISK MANAGEMENT

We maintain a documented Information Security Program (the Program) that is informed by industry standards, frameworks and best practices and is designed to protect the confidentiality, integrity, and availability of our information assets and systems that store, process or transmit information. Our Chief Information Security Officer (CISO) oversees and directs the Program, including implementing adjustments in response to changes in technology, internal and external threats, business processes, and regulatory or statutory requirements, and communicates our information security risk posture to senior management and the Board of Directors (the Board). The Program includes the following key elements:

- Network, Systems and Data Security - Technical and organizational safeguards that are designed to protect our networks, systems, and data from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality, and access controls.
- Threat and Vulnerability Management - A threat and vulnerability management program that leverages continuous threat intelligence to seek to proactively identify, assess, and mitigate evolving cybersecurity risks. This program incorporates vulnerability scanning, remediation management, bug bounty, penetration testing, and threat response capabilities, all designed to safeguard our information assets and ensure business continuity.
- Cybersecurity Incident Monitoring and Response - Incident response plans that address our response to a cybersecurity incident, utilizing a cross-functional approach.
- Third-Party Assessment and Oversight - A third-party risk management program designed to identify and manage cybersecurity risks from third-party service providers, including initial due diligence as well as initial and periodic re-assessments of the service provider’s control environment.
- Security Training and Awareness - Annual cybersecurity and awareness training for employees and contractors.

The Program is evaluated on an ongoing basis, both internally and through third-party audit firms, to address and protect against the evolving cyber threat landscape. The Program seeks to align to industry standards such as the National Institute of Standards and Technology Cybersecurity Framework, as well as applicable legal and regulatory guidance and mandates applicable to all of our stakeholders, including investors, customers, and employees. Control adequacy and design are reviewed at least annually. Independent audits and penetration tests assist in identifying areas for continued focus, improvement and/or inclusion, and are designed to provide assurance that controls are appropriately designed and operating effectively. Additionally, our Internal Audit group performs independent testing of our control environment, including key components of the Program. We also operate a bug bounty program through a crowdsourced security platform to incentivize responsible disclosure of software defects. These independent evaluations help uncover potential security vulnerabilities for remediation by our cybersecurity team.

Board Oversight

Our Board oversees the Program and the management of risks from cybersecurity threats. The Board reviews and monitors our business and technology strategy, including the policies, processes, and practices that management implements to address risks from cybersecurity threats. The Board believes that all directors are responsible for oversight of these matters given the increasing importance of cybersecurity to our risk profile, as well as the significant role our technology strategy plays in our strategic priorities. The Chief Information Officer (CIO), CISO, and Chief Risk Officer provide updates to the Board as appropriate.

Global Committees

Group Risk Committee (GRC): The GRC is a committee comprised of senior management and is responsible for assessing significant risk issues on a global basis to protect our financial strength, optimize our intrinsic value, and protect our reputation. The risks considered by the GRC include those relating to cybersecurity.

Technology Risk and Controls Committee (TRCC): The TRCC is used as a platform to assess risk and controls components across the information technology (IT) landscape including cybersecurity. It manages the risk assessment process, escalation, and implementation of risk acceptance thresholds with the help of the GRC.

In addition, there are regional and country risk and IT risk committees, including in Asia Pacific, Europe, the Middle East and Africa, the United Kingdom, Latin America and the Caribbean. These committees engage with relevant IT leaders and functional leaders within Enterprise Risk Management, Legal, Compliance, and Internal Audit.

AIG | 2024 Form 10-K 31

Reporting and Governance

The Board and regional and country leadership boards may receive periodic presentations and reports on cybersecurity risks. We have an established issue escalation protocol for technology incidents, including cyber related incidents. In the event of a material cybersecurity incident, the Board will receive prompt information and ongoing updates about the incident. Our technology incidents and risks are tracked and rated. Items that are rated as “critical” are discussed in the TRCC, and escalated to the GRC as appropriate. At least once each year, the Board discusses our approach to cybersecurity risk management with the CISO. The CISO and regional/country information security officers regularly present to the Company’s regional and country leadership boards on material cyber risks and our information security posture and strategy.

The CISO works collaboratively with business and functional colleagues to implement a program designed to protect our information systems from cybersecurity threats and promptly respond to potential cybersecurity incidents. Multidisciplinary teams are deployed to respond to cybersecurity incidents in accordance with our incident response plans. Through ongoing communication with these teams, the CISO monitors the prevention, detection, mitigation and remediation of cybersecurity incidents in real time, and reports such incidents to senior management, who escalate to the Board as appropriate. The CISO reports to the CIO and is principally responsible for overseeing the Program, in partnership with other business leaders across the Company including regional information security and technology officers.

Our cybersecurity personnel maintain current knowledge through specific training programs, professional certifications, and participation in industry groups (e.g., Financial Services Sector Coordinating Council, Financial Services Information Sharing and Analysis Center, Analysis and Resilience Center, Securities Industry and Financial Markets Association, Cybersecurity and Infrastructure Security Agency, etc.). Our CISO has extensive cybersecurity experience, maintains multiple professional certifications and has served in various roles in information technology and information security for over 25 years.

There have been no material cybersecurity incidents that have affected the Company for the period covered by this annual report. For a discussion regarding risks associated with cybersecurity threats, see Part I, Item 1A. Risk Factors - Business and Operations - “Our risk management policies, standards and procedures may prove to be ineffective and leave us exposed to unidentified or unanticipated risk, which could adversely affect our businesses, results of operations, financial condition and liquidity” and “We are exposed to certain risks if we are unable to maintain the availability of our critical technology systems and data and safeguard the confidentiality and integrity of our data, which could compromise our ability to conduct business and adversely affect our consolidated business, results of operations, financial condition and liquidity.”
Company Information
Name | AMERICAN INTERNATIONAL GROUP, INC. |
CIK | 0000005272 |
SIC Description | Fire, Marine & Casualty Insurance |
Ticker | AIG - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 31 |