Page last updated on March 3, 2025
GENWORTH FINANCIAL INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 13:57:37 EST.
Filings
10-K filed on 2025-02-28
GENWORTH FINANCIAL INC filed a 10-K at 2025-02-28 13:57:37 EST
Accession Number: 0001193125-25-041860
Item 1C. Cybersecurity.
We have identified information technology and cybersecurity risk as some of the most significant risk types to our business. Related to these identified risk types, we have classified our top risks and report them to both senior management and the risk committee of Genworth Financial’s Board of Directors, which in turn reports to the Board of Directors. For additional information regarding the risks associated with these matters, see “Item 1A-Risk Factors.”
Risk Management and Strategy
Genworth’s risk management framework recognizes the significant operational risk, including risk of losses, from cybersecurity incidents and the importance of a strong cybersecurity program for effective risk management. As part of our overall risk management, we have implemented a Data Security and Cybersecurity Program (the “DSCP”) which sets policy expectations, ensures broad coverage over information technology risks, integrates the Information Security and Information Technology Risk Management Framework into our broader risk management systems, establishes clear roles and governance, and aligns control expectations to the National Institute of Standards and Technology (“NIST”).
Under the DSCP, we have processes for identifying, assessing, escalating and managing technology and cybersecurity risk. The DSCP employs various controls and policies to secure our operations and information, which include monitoring, reporting, managing and remediating cybersecurity threats and incidents. Key features of the DSCP include access controls, security training, system security testing, dedicated security personnel, security event monitoring, and when necessary, consultation with third-party data security experts.
Through a cross-functional team, we assess and mitigate risks associated with our third-party providers and have processes in place to regularly monitor and evaluate cybersecurity risks, threats and incidents associated with the use of third-party providers, as well as monitoring rights, as appropriate.
Our information security team, overseen by our Chief Information Security Officer (“CISO”), conducts annual information security awareness training for employees involved in our systems and processes that handle customer data. We also conduct periodic cybersecurity awareness training with management and the Board of Directors, including cybersecurity preparedness exercises.
In addition, the DSCP includes an incident response plan, which coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to assess the materiality of the incident, escalate, contain, investigate and remediate the incident, as well as to comply with potentially applicable legal reporting and other obligations and mitigate reputational damage. We also carry insurance that provides protection against certain losses arising from a cybersecurity incident.
Additionally, we have procedures set forth in the DSCP for reporting and responding to potential cybersecurity incidents as well as determining applicable disclosure requirements, including timely incident reporting. For example, as disclosed in our Form 8-K filed on June 22, 2023 and our Annual Report on Form 10-K filed on February 29, 2024, after being notified of the MOVEit Cybersecurity Incident, we, together with PBI, promptly launched an investigation to determine whether and to what extent personal information had been unlawfully accessed as a result of that incident.
We determined that approximately 2.5 million to 2.7 million of our policyholders’ or other customers’ personal information, including social security numbers, was exposed to and obtained by the threat actor as a result of the MOVEit Cybersecurity Incident. We do not believe the MOVEit Cybersecurity Incident has had any impact on any of our information systems, including our financial systems, and there has not been any material interruption of our business operations. While we are continuing to measure the impact of remediation expenses and other potential liabilities, neither this incident, nor other known cybersecurity threats, has had or is reasonably likely to have a material adverse effect on our business strategy, results of operations or financial condition.
See “Item 1A-Risk Factors-Our computer systems and those of our third-party service providers have in the past failed or been compromised and may in the future fail or be compromised, including through cybersecurity breaches; we may experience issues from new and complex information technology methodologies such as artificial intelligence; and unanticipated problems could materially adversely impact our disaster recovery systems and business continuity plans, any of which could expose confidential information such as personal information of our customers or employees, damage our reputation, impair our ability to conduct business effectively, result in enforcement action or litigation, and materially adversely affect our business, financial condition and results of operations.”
Governance
Our Board of Directors recognizes the importance of maintaining the privacy and security of customer information, as well as the availability and integrity of our systems, and consequently dedicates meaningful time and attention to the oversight of cybersecurity risk.
In light of these risks, our Board of Directors is actively engaged in the oversight of the Company’s information technology, which includes periodic briefings on cybersecurity threats and participation in cybersecurity preparedness exercises. Furthermore, under its charter, the Board’s risk committee has primary responsibility for information technology risk oversight, including as it relates to cybersecurity and data security matters. In this capacity, the risk committee oversees the Company’s processes for identifying, assessing and managing technology and cybersecurity risk, including a risk-based escalation process, which requires that the risk committee be notified by management and, as necessary, receive regular briefings on the matter, and work with management, including Genworth’s CISO and Chief Risk Officer (“CRO”), to assess and manage the risk and implement the Company’s response to the incident, as appropriate.
Genworth’s CISO and CRO, both members of management, support the cybersecurity risk oversight responsibilities of the Board and the risk committee and involve applicable management personnel in cybersecurity risk management. The risk committee receives periodic reports from the CISO and CRO on the Company’s technology and cybersecurity risk profiles, information security program and key cybersecurity initiatives. Additionally, the CISO and CRO follow a risk-based escalation process to notify the risk committee outside of the regular reporting cycle when they identify actual or potential substantive cybersecurity risks or issues.
Genworth’s CISO is an information technology and security professional with 24 years of experience and 12 years of service at Genworth. In his 24 years of experience, he has held roles in information technology infrastructure administration, information technology infrastructure, security consulting and security administration.
He received a Bachelor of Science Degree in Business Administration from Regent University and is a Certified Information Systems Security Professional (CISSP).
Genworth’s CRO has served in information technology and risk management leadership roles for over twenty years, including oversight of enterprise risk management and operational risk, as well as oversight for financial reporting systems, operational and technology platforms, and testing and quality assurance programs. He received a Bachelor of Science Degree in Decision Support Systems from Virginia Polytechnic Institute (Virginia Tech) and graduated from the Tuck Global Executive Leadership Program through Dartmouth in 2020. For more information about our CRO, see “Part III-Item 10-Directors, Executive Officers and Corporate Governance.”
Company Information
Name | GENWORTH FINANCIAL INC |
CIK | 0001276520 |
SIC Description | Life Insurance |
Ticker | GNW - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |