F&G Annuities & Life, Inc. 10-K Cybersecurity GRC - 2025-02-28

Page last updated on March 3, 2025

F&G Annuities & Life, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 16:08:54 EST.

Filings

10-K filed on 2025-02-28

F&G Annuities & Life, Inc. filed a 10-K at 2025-02-28 16:08:54 EST
Accession Number: 0001934850-25-000015

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Disclosure The Company’s Information Security team is responsible for executing the Company’s enterprise-wide cybersecurity strategy, which is based upon the Center for Internet Security’s best practice controls, including 74 providing subject matter expertise, accountability, and oversight in the areas of policy and standards development, security architecture, engineering, and development practices, third-party IT and Security risk, compliance with industry, state, and federal regulations, and security education, awareness, and training. The Information Security program is managed and overseen by a full-time Chief Information Security Officer (“CISO”) with over 25 years in information technology leadership, service management, operations, information security, risk management, and regulatory compliance. The CISO reports to the Company’s Chief Information Officer (“CIO”), who is an executive of the Company and oversees all of the Company’s information technology efforts. The Company’s CIO has over 33 years of information technology leadership experience within the insurance and financial services industries. The CIO provides regular updates to senior leadership, including reports to the Board on a periodic basis. In conjunction with CIO senior leadership updates and periodic reports to the Board, the Company’s ERM team also provides updates on the Company’s cyber risk and threats, status of key projects improving the Company’s security posture, and efforts reducing the Company’s attack surface. In addition, a cybersecurity working group reviews the status of the Company’s cybersecurity environment monthly with the senior managers of various departments including Information Technology, Information Security, ERM, Internal Audit, and Compliance. Based on the information received, the working group generates monthly reports and updates key stakeholders across the enterprise. To mitigate information and cybersecurity risks, the Company utilizes external firms to perform supplemental annual vulnerability and penetration testing to objectively assess and identify potential improvements to the Company’s security posture. Findings from such testing are tracked, prioritized, remediated, and reported accordingly. The Company also leverages a third-party to perform 24x7 Security Operations Center monitoring of its information assets. The Company has processes in-place to risk assess through initial due diligence, monitor throughout the third-party service provider lifecycle, and periodically re-evaluate the technology and security risks associated with the usage of third-party service providers. Additionally, the Company maintains cyber insurance coverage to reduce potential financial losses that may stem from security incidents. See Item 1A - Risk Factors for discussion of material risks faced by the Company, including risks related to cybersecurity. Governance Disclosure As set forth in the Company’s charter, our Audit Committee, comprised of fully independent directors, is responsible for reviewing with management of the Company, the Company’s policies and practices with respect to risk assessment and risk management, including cybersecurity risk. The CRO reports information and cybersecurity risks to the Audit Committee. F&G has adopted a “three lines of defense” governance model for information and cybersecurity risk management. The CISO is the first line of defense providing frontline business, operational, and technology controls and capabilities to protect against information and cybersecurity risks and responding to cyber incidents and data breaches. The information security team under the CISO is responsible for overseeing infrastructure defense and security controls, managing access controls, performing vulnerability assessments, facilitating independent external penetration testing, assessing third-party or vendor information security, implementing employee awareness and training programs, and handling security incident management. F&G’s ERM department serves as the Company’s second line of defense and considers Information Security risk alongside other company risks. ERM facilitates the quarterly risk self-assessment with the CISO and the CIO to identify and assess information and cybersecurity risks, evaluates the likelihood and impact of potential risk events to Information Assets, and assesses mitigation offered by the control environment to determine residual risk. The assessment results are presented at quarterly Operational Risk Sub-Committee (“ORSC”) and ERMC meetings. ERM, jointly with the Information Security professionals, annually conducts a Cybersecurity Risk Assessment based 75 on critical security controls set forth by the Center for Internet Security. The assessment is reported to the CRO, CISO and CIO. The Company’s Internal Audit department serves as the third line of defense and independently assures the effectiveness of the Company’s management of information and cybersecurity risk. As an added layer of defense, the Company has an incident response team in place to evaluate information and cybersecurity incidents on an on-going basis. Based on materiality, a security incident may be escalated to the Corporate Crisis Management Team (“CCMT”) for risk mitigation and recovery action s. Cybersecurity Incidents F&G did not experience a cybersecurity reporting incident during the year ended December 31, 2024. On June 30, 2023, F&G filed a Current Report on Form 8-K regarding a cybersecurity incident associated with the MOVEit file transfer system. As a result of this incident, F&G is a defendant in two putative class action lawsuits that allege certain of F&G’s customers’ personal information was disclosed due to a vulnerability in the MOVEit file transfer software. F&G’s vendor, Pension Benefit Information, LLC (“PBI”), used the MOVEit software in the course of providing audit and address research services to F&G and many other corporate customers. At this time, F&G does not believe the incident will have a material impact on its business, operations, or financial results. For more details on these lawsuits, refer to Note N - Commitment and Contingencies to the Consolidated Financial Statements included in Item 8 of Part II of this Annual Report on Form 10-K.

Company Information