Corebridge Financial, Inc. 10-K Cybersecurity GRC - 2025-02-13

Page last updated on February 14, 2025

Corebridge Financial, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-13 15:40:53 EST.

Filings

10-K filed on 2025-02-13

Corebridge Financial, Inc. filed a 10-K at 2025-02-13 15:40:53 EST
Accession Number: 0001889539-25-000014


Item 1C. Cybersecurity.

CYBERSECURITY RISK MANAGEMENT

We have developed and implemented an Information Security Program for Corebridge (the “Program”) that includes, among other things, conducting periodic risk assessments designed to evaluate potential security threats, to detect potential vulnerabilities, and to mitigate identified security risks. The Program is informed by industry standards and frameworks and is designed to protect the confidentiality, integrity, and availability of Corebridge’s information assets and systems that store, process, or transmit material non-public information. The Program is managed day-to-day by technology, information security, and operational personnel. Where appropriate, we also engage third parties to provide operational support for the Program and to evaluate our Program and our cybersecurity risk management. The Program includes the following key elements:

- Network, Systems, and Data Security - Corebridge deploys technical and organizational safeguards that are designed to protect Corebridge’s networks, systems, and data from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality, software security assessments, data leak protection, and access and identity management controls;
- Threat and Vulnerability Management - Corebridge maintains a threat and vulnerability management program that leverages threat intelligence to proactively identify, assess, and address cybersecurity risks. This program incorporates vulnerability scanning, risk-based remediation and mitigation, penetration testing, and threat response capabilities to safeguard our information assets and ensure business continuity;
- Cybersecurity Incident Monitoring and Response - Corebridge has established and maintains incident response plans that address Corebridge’s response to a cybersecurity incident, utilizing a cross-functional approach;
- Third Party Assessment and Oversight - Corebridge maintains a third-party risk management program to identify and manage risks from third-party service providers, including initial due diligence, an assessment of the service provider’s control environment and periodic re-assessments; and
- Security Training and Awareness - Corebridge provides ongoing education and training to employees regarding information security policies, procedures and best practices, including cyber threats, and their roles and responsibilities in identifying, reporting and responding to such threats.

The Program is evaluated on an ongoing basis to address the evolving cyber threat landscape and to comply with applicable legal and regulatory obligations. See “Business-Regulation-U.S. Regulation-Privacy and Cybersecurity” and “Business-Regulation-International Regulation-Privacy and Cybersecurity” for further discussion. Control adequacy and design are reviewed periodically, and periodic audits assist in identifying areas for continued focus, improvement and/or inclusion, and are designed to provide assurance that controls are appropriately designed and operating effectively. Additionally, our Internal Audit group performs testing of Corebridge’s control environment, including the Program.

Our Chief Information Security Officer (“CISO”) provides oversight and direction for the Program, including recommending adjustments in response to changes in technology, internal and external threats, business operations, and regulatory and statutory requirements; coordinates with other corporate functions and business segments to address various aspects of the Program managed by technology and operational personnel; and communicates Corebridge’s information security risk posture to relevant personnel, senior management and governing bodies, including as further described below.

Board Oversight and Governance

We have implemented processes to help facilitate oversight of information security risks by Corebridge’s senior management and Board of Directors. These processes enable our operations and risk management functions that monitor cybersecurity risks and examine control performance to report and escalate cybersecurity risks to our senior management and the Board of Directors, as appropriate. One of the main forums for reporting and escalating cybersecurity risks is the Corebridge Risk and Capital Committee (“RCC”), which is comprised of senior management personnel and led by our Chief Risk Officer (“CRO”), who is the head of our ERM function. ERM supports the identification, measurement, management, monitoring and reporting of major risks, which include cybersecurity risks. The RCC is responsible for addressing significant risk issues reported by ERM, including those related to cybersecurity, to protect Corebridge’s financial strength, optimize Corebridge’s intrinsic value, and protect Corebridge’s reputation. Corebridge’s CRO reports to the Board Audit Committee on risk issues, including cybersecurity risks.

In addition to the foregoing, we have implemented a practice whereby Corebridge’s Chief Information Officer (“CIO”), Chief Operations Officer (“COO”) and/or CISO report Corebridge’s approach to technology, resiliency and cybersecurity risk management directly to the Board of Directors at least once a year. The CIO, COO, CISO and business segment specific CIOs and CISOs also report to Corebridge’s subsidiary boards and the RCC as needed on material cyber risks and Corebridge’s security and resiliency posture and information security strategy. Corebridge’s cyber incident response plans and procedures establish escalation protocols in connection with a potential cybersecurity incident, pursuant to which incidents are responded to by multidisciplinary teams and are further escalated to the attention of senior management and our Board of Directors when applicable.

Corebridge’s CISO reports to our CIO. Our CISO has over 25 years of information security and risk management experience and has served in his current role since joining Corebridge in 2021. He previously served in numerous information security management roles, including as CISO, at various financial sector organizations. Our CIO also has over 25 years of experience and has served as CIO of Corebridge since 2020 and Executive Vice President since February 2022. Previously he served in various technology executive management roles at MetLife, Inc., including Senior Vice President and Chief Information Officer for its U.S. business and Senior Vice President of U.S. Application Development. Corebridge’s cybersecurity personnel maintain current knowledge through training programs, professional certifications, and participation in industry and advisory groups (e.g., the Financial Services Information Sharing and Analysis Center and the Securities Industry and Financial Markets Association).

Company cybersecurity personnel expand and test their knowledge of cyber threats and countermeasures through additional on-the-job training to practice their response to real-life threats. In addition, and as part of performance development, certain of our cybersecurity personnel obtain industry approved certifications as appropriate for their roles and responsibilities. Examples of certifications held by the Company’s cybersecurity personnel include CISSP (“Certified Information Systems Security Professional”) and CISM (“Certified Information Security Manager”).

There have been no cybersecurity incidents that have had a material adverse effect on our business, operations, or financial results for the period covered by this annual report. On June 16, 2023, one of our former vendors, PBI, notified us that data specific to Corebridge customers had been compromised in a security incident that PBI experienced targeting a zero-day vulnerability in PBI’s instance of the MOVEit Transfer Application, a managed file transfer software used by thousands of organizations. We continue to monitor potential liabilities arising from this incident, including as related to a pending multi-district litigation (IN RE: MOVEit Customer Data Security Breach Litigation, 1:23-md-03083-ADB) in which Corebridge Financial, Inc. and American General Life Insurance Co. have been named as defendants. We do not currently believe this incident or pending litigation arising from this incident will have a material adverse effect on our business, operations, or financial results.
For a discussion regarding risks associated with cybersecurity threats, see “Risk Factors-Risks Relating to Business and Operations-We may be unable to maintain the availability of our critical technology systems and data and safeguard the confidentiality and integrity of our data” and “Risk Factors-Risks Relating to Business and Operations - Our risk management policies, standards and procedures may prove to be ineffective and leave us exposed to unidentified or unanticipated risk.”


Company Information

Name: Corebridge Financial, Inc.
CIK: 0001889539
SIC Description: Life Insurance
Ticker: CRBG - NYSE; CRBD - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30