BRIGHTHOUSE LIFE INSURANCE Co 10-K Cybersecurity GRC - 2025-03-03

Page last updated on March 4, 2025

BRIGHTHOUSE LIFE INSURANCE Co described its cybersecurity risk management and governance process in an annual report on Form 10-K filed on 2025-03-03 at 17:47:23 EST.

Filings

10-K filed on 2025-03-03

BRIGHTHOUSE LIFE INSURANCE Co filed a 10-K at 2025-03-03 17:47:23 EST
Accession Number: 0000733076-25-000003


Item 1C. Cybersecurity.

Cybersecurity Risk Management Program and Strategy

We understand the importance of maintaining a robust cybersecurity risk management program to assess, identify, and manage the material risks associated with cybersecurity threats.

Managing Cybersecurity Risks; Cybersecurity Risk Management Strategy

Our cybersecurity risk management program is integrated into the Brighthouse Financial enterprise risk management framework, and our strategy focuses on implementing effective and efficient processes, technologies, and controls to assess, identify, and manage cybersecurity risks. Our cybersecurity risk management program, which is managed at an enterprise level, is designed to be aligned with the National Institute of Standards and Technology Cybersecurity Framework (“NIST Framework”), which provides standards, guidelines and best practices on managing cybersecurity risk, as well as the organization, improvement and assessment of Brighthouse Financial’s cybersecurity risk management program.

The Chief Technology Officer of BHF (the “CTO”) has overall responsibility for our information technology program, which includes the Company’s cybersecurity risk management program. The Chief Information Security Officer of BHF (the “CISO”) is directly responsible for the Brighthouse Financial cybersecurity risk management program, which is designed to protect and preserve the integrity, confidentiality, and continued availability of the information owned by, or in the care of, the Company. The CTO has over 25 years of information technology experience, including systems development, technology strategy, and vendor management; the CISO has over 30 years of information technology and cybersecurity risk management program management experience. Prior to joining Brighthouse Financial, both the CTO and CISO previously served in roles that involved leading and overseeing information technology and cybersecurity risk management programs at other public companies in the financial services industry. In addition, the CTO serves on a cross-departmental, management-level risk committee that oversees Brighthouse Financial’s enterprise risks, including cybersecurity risks. This enterprise-level risk committee is informed about and monitors the prevention, mitigation, detection, and remediation of cybersecurity incidents.

The Brighthouse Financial cybersecurity team regularly assesses the threat landscape and takes an enterprise-wide view of cybersecurity risks. We monitor issues that are internally discovered or externally reported that may affect our business, and we employ a range of tools and third-party services to effectuate our cybersecurity risk identification and assessments, including regular network and endpoint monitoring, threat and vulnerability assessments, and external penetration testing. In addition, the Brighthouse Financial cybersecurity team conducts regular reviews, conducts tabletop exercises, performs internal testing, and leverages the audits performed by our internal audit team. Brighthouse Financial also engages the services of third-party consultants to assess and evaluate the effectiveness of our controls (in alignment with the NIST Framework), to improve our security measures and strategy, and to review the Brighthouse Financial cybersecurity risk management program against the NIST Framework. The results of the most recent assessment of the Brighthouse Financial cybersecurity risk management program confirmed the rigor of our cybersecurity risk management practices.

The cybersecurity team has also established company-wide policies and procedures that cover cybersecurity matters, which are designed to enable us to effectively identify, evaluate, and respond to events that have the potential to impact our business. In the event of a cybersecurity incident, Brighthouse Financial utilizes a well-defined incident response plan that is designed to coordinate the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess severity, escalate, contain, investigate, and remediate the incident, as well as to comply with potentially applicable legal obligations (including relevant securities laws) and mitigate brand and reputational damage. This plan includes immediate actions to mitigate the impact of the incident, as well as long-term strategies for the remediation and prevention of future incidents. In accordance with this plan, we have established a cross-departmental Brighthouse Response Team that is responsible for coordinating enterprise-wide responses to cybersecurity incidents. This Brighthouse Response Team provides reports regarding cybersecurity incidents to the enterprise-level risk committee referenced above.

Further, associates outside of our information technology organization have a role in our cybersecurity defenses, and we encourage a corporate culture supportive of security, which we believe improves the effectiveness of our cybersecurity risk management program. Through our Security Awareness Program, our associates are provided with regular cybersecurity training and educational resources to help ensure that they remain vigilant against threats. These include frequent simulated phishing campaigns, newsletters, alerts, e-mail reminders, and a mandatory annual cybersecurity awareness training course for all associates. In addition to Company policies that we make available to all associates, our cybersecurity awareness training provides clear reporting and escalation processes in the event of suspicious activity.

Third-Party Risk Management

Brighthouse Financial processes also address the cybersecurity risks associated with the use of third-party vendors, some of which have access to our customer and associate data. We conduct security assessments of all third-party vendors that have access to our systems, our data and/or the facilities that house such systems or data. As part of our third-party risk management program, the cybersecurity risk management and third-party risk management teams collaborate to monitor our third-party vendors’ compliance with our cybersecurity standards. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third parties.

Risks from Cybersecurity Threats

Brighthouse Financial systems and our third-party vendors’ systems periodically experience directed attacks intended to lead to (i) interruptions or delays in our operations or (ii) the loss, misuse or theft of personal information and other data, including confidential information or intellectual property. Based on the information available as of the filing date of this Annual Report on Form 10-K, we are not aware of any cybersecurity incidents, directly or indirectly, that have materially affected or are reasonably likely to materially affect our business, results of operations, or financial condition.

For more information regarding our risks from cybersecurity threats, see “Risk Factors - Operational Risks - Any failure in our cybersecurity risk management program, as well as the occurrence of events unanticipated in Brighthouse Financial’s or our third-party service providers’ disaster recovery systems and business continuity planning, could result in a loss or disclosure of confidential information, damage to our reputation and impairment of our ability to conduct business effectively” and “Risk Factors - Operational Risks - Any failure to protect the confidentiality of customer, associates, or other third-party information could adversely affect our reputation and have a material adverse effect on our business, financial condition and results of operations.”

Governance

Board of Directors - Oversight and Management Reporting

The Audit Committee of the Board of Directors of Brighthouse Financial, Inc. (the “Audit Committee”) is primarily responsible for overseeing cybersecurity risks, and the Board of Directors of Brighthouse Financial, Inc. (the “Board”) is actively engaged with respect to these risks. The Audit Committee and/or the Board of Directors generally meet with our CTO and CISO on a quarterly basis to review our information technology and cybersecurity risk profile and to discuss our activities to manage the related risks, including risk assessments, mitigation strategies, areas of emerging risks, incidents, industry trends, tabletop exercises, and other areas of importance. Our Board of Directors also receives regular technology and cybersecurity updates. In addition to these regular meetings, we have an escalation process in place to timely inform the Board of Directors of any significant cybersecurity incidents, including any updates relating thereto, to ensure that the Board of Directors’ oversight is proactive and responsive. The Chief Compliance Officer of BHF also regularly reports to the Audit Committee and our Board of Directors regarding the Company’s compliance with applicable regulations relating to cybersecurity.


Company Information

Name: BRIGHTHOUSE LIFE INSURANCE Co
CIK: 0000733076
SIC Description: Life Insurance
Ticker:
Website:
Category: Non-accelerated filer
Fiscal Year End: December 30