PRINCIPAL FINANCIAL GROUP INC 10-K Cybersecurity GRC - 2025-02-19

Page last updated on February 19, 2025

PRINCIPAL FINANCIAL GROUP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-19 16:23:25 EST.

Filings

10-K filed on 2025-02-19

PRINCIPAL FINANCIAL GROUP INC filed a 10-K at 2025-02-19 16:23:25 EST
Accession Number: 0001410578-25-000160


Item 1C. Cybersecurity.

Risk management is an essential component of our culture and business model. Guarding against the specific risks posed by cybersecurity threats has been and will continue to be very dynamic in nature, requiring that we remain agile and aware of internal and external changes. We recognize that cybersecurity threats can be among the most critical risks facing large companies. As a result, cybersecurity is treated as a Board-level matter and overseen by the Board. However, both the Board and management have an integral role in the identification, assessment and management of cybersecurity risk. The Board oversees management’s execution and performance of its risk management responsibilities, which includes cybersecurity threats. The Board receives at least one cybersecurity report every quarter from our Chief Information Officer, our Chief Information Security Officer, our Chief Risk Officer or other professionals. The Board also reviews and approves the business resiliency and information security programs intended to guard against cybersecurity and related risks. Lastly, the Board receives input on cybersecurity issues from external entities such as our independent auditor, regulators and consultants. Each of these steps furthers the Board’s efforts to ensure we have established and are proactively maintaining an enterprise-wide cybersecurity risk program with appropriate policies, practices and controls designed to ensure resiliency in the face of emerging threats.

Management holds relevant expertise in assessing and managing cybersecurity threats. Numerous members of management and employees across the information security and risk functions hold nationally recognized designations and certifications, including the Certified Information Systems Security Professional designation, Global Information Assurance Certifications and Amazon Web Services Cloud Certifications. We also provide role-based security training to workers with assigned information security-related roles and responsibilities. This includes topics on social engineering tactics and other general threats posed for system compromise and data loss. The initiatives and processes discussed further below also contribute to the expertise and experience of management.

The framework for our overall process for managing risk encompasses the management of risks posed by cybersecurity threats. Management’s role, responsibilities and processes for identifying, assessing, monitoring, reporting and managing risks, which include cybersecurity risks, are discussed further in Item 1. “Business - Risk Management.” As a general matter, we take a proactive approach to assessing and monitoring cybersecurity-specific risks that is oriented around monitoring emerging external threats, ensuring controls are in place to identify and manage risk within our technology environment and creating a culture of vigilance across the organization. We test for and resolve vulnerabilities within our systems and applications by using network and infrastructure vulnerability testing and adversary emulation, also known as red teaming, and hire a third party to do the same at least once a year. We maintain a vulnerability disclosure program to enhance discovery and remediation of external-facing vulnerabilities. We also undergo a third-party maturity assessment of our information security program every two years and a third-party enterprise penetration test annually. We leverage external resources to help define information security and technology standards for our environment. Our cybersecurity controls are monitored and refined based on learnings from regular red team engagements and analysis by third-party threat hunters. All cyber defense operations are supported through a dedicated cybersecurity threat intelligence function.

We collaborate with information security peers across the industry to augment threat intelligence. Our threat intelligence program helps create awareness and understanding of potential cybersecurity threats and adversaries. We proactively assess potential risks presented by new services or systems integrated with our network or data and ensure appropriate controls are applied under such circumstances. We have proactive security controls built into our software development life cycle that help engineers identify and resolve security issues at every stage of software development. Our identity verification processes, which include multi-factor authentication and other identity verification technologies, provide further protection for clients and customers. We perform due diligence and monitor third-party relationships to assess the suitability of their cybersecurity controls and protocols based on the risk profile of the business operations or services for which they are engaged.

Our awareness and training program is designed to create a risk-aware culture to ensure employees understand cybersecurity threats and are accountable for completing required training. We have trained our employees to recognize and resist phishing attempts with our simulated phishing program. At least quarterly, our employees are presented with simulated phishing scenarios that deliver hands-on experience and on-the-spot education opportunities. All engineers and employees holding equivalent roles who are involved in software development also receive mandated secure software development training.

We have an enterprise incident management plan that provides a framework for preparing for, managing and responding to cybersecurity incidents that may arise. The plan ensures stakeholders across the organization are identified who have the appropriate experience, training and expertise in incident management and that the organization is well positioned to address incidents. For example, we carry out cybersecurity incident response exercises to develop widespread familiarity and experience in responding to cybersecurity incidents. No risks from any known cybersecurity incidents have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. For further discussion related to how cybersecurity risks may impact our performance in the future, see Item 1A. “Risk Factors.”

Company Information

Name: PRINCIPAL FINANCIAL GROUP INC
CIK: 0001126328
SIC Description: Accident & Health Insurance
Ticker: PFG - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30