AMERICAN INTERNATIONAL GROUP, INC. 10-K Cybersecurity GRC - 2024-02-14

Page last updated on April 11, 2024

AMERICAN INTERNATIONAL GROUP, INC. reported its cybersecurity risk management and governance process in an annual 10-K filed on 2024-02-14 15:48:01 EST.

Filings

10-K filed on 2024-02-14

AMERICAN INTERNATIONAL GROUP, INC. filed a 10-K at 2024-02-14 15:48:01 EST
Accession Number: 0000005272-24-000023


Item 1C. Cybersecurity.

ITEM 1C | Cybersecurity

CYBERSECURITY RISK MANAGEMENT

AIG maintains a documented Information Security Program (the Program) that includes risk assessments regularly conducted by us and third-party experts to evaluate potential security threats that may have a negative impact on the organization, detect potential vulnerabilities and mitigate any identified security risks. The Program is informed by industry standards and frameworks and is designed to protect the confidentiality, integrity and availability of AIG's information assets and systems that store, process or transmit information. The AIG Chief Information Security Officer (CISO) provides oversight and direction for the Program, including adjustments in response to changes in technology, internal or external threats, business processes, and regulatory or statutory requirements, and communicates the information security risk posture of AIG to senior management and the AIG Board of Directors.

The Program includes the following key elements:

Network, Systems and Data Security
The Company deploys technical and organizational safeguards that are designed to protect the Company's networks, systems and data from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality, and access controls.

Threat and Vulnerability Management
The Company maintains a threat and vulnerability management program that leverages continuous threat intelligence to seek to proactively identify, assess and mitigate evolving cybersecurity risks. This program incorporates vulnerability scanning, remediation management, a bug bounty program, penetration testing and threat response capabilities, all designed to safeguard our information assets and ensure business continuity.

Cybersecurity Incident Monitoring and Response
The Company has established and maintains incident response plans that address the Company's response to a cybersecurity incident, utilizing a cross-functional approach.

Third Party Assessment and Oversight
The Company maintains a third-party risk management program designed to identify and manage cybersecurity risks from third-party service providers, including initial due diligence and assessment of the service provider's control environment as well as periodic re-assessments.

Security Training and Awareness
The Company provides ongoing education and training to employees regarding information security threats and their role and responsibility in detecting and responding to such threats.

In addition to the above, where appropriate, AIG employs third-party experts to evaluate our cybersecurity risk management program. The Company conducts annual external penetration tests that simulate real-world attacks against the Company's networks and applications, which supplement our continuous internal application security assessments. These independent evaluations help uncover potential security vulnerabilities for remediation by our cybersecurity team. We also operate a bug bounty program through a crowdsourced security platform to incentivize responsible disclosure of software defects by global security researchers. The Program is evaluated on an ongoing basis, both internally and through the use of third-party audit firms, to address and protect against the evolving cyber threat landscape, and seeks to align to industry standards such as the National Institute of Standards and Technology Cybersecurity Framework, as well as applicable legal and regulatory guidance and mandates related to all AIG stakeholders, including investors, customers and employees. Control adequacy and design are reviewed at least annually, and independent audits and penetration tests assist in identifying areas for continued focus, improvement and/or inclusion, and are designed to provide assurance that controls are appropriately designed and operating effectively. Additionally, the Company's Internal Audit group performs independent testing of the Company's control environment, including key components of the Program.

Board Oversight and Governance

AIG's Board of Directors (the Board) oversees the Program and the management of risks from cybersecurity threats, and reviews and monitors AIG's business and technology strategy, including the policies, processes and practices that the Company's management implements to address risks from cybersecurity threats. The Board believes that all directors are responsible for oversight of these matters given the increasing importance of cybersecurity to AIG's risk profile, as well as the significant role the Company's technology strategy plays in its strategic priorities. The Chief Information Officer (CIO), the CISO and the Chief Risk Officer provide updates to the Board as appropriate.

Global Committees

Group Risk Committee (GRC): The GRC is a committee comprised of senior management and is responsible for assessing significant risk issues on a global basis to protect AIG's financial strength, optimize AIG's intrinsic value and protect AIG's reputation. The risks considered by the GRC include those relating to cybersecurity.

38 AIG | 2023 Form 10-K

Technology Risk and Controls Committee (TRCC): The TRCC is used as a platform to assess risk and controls components across the information technology (IT) landscape, including cybersecurity. It manages the risk assessment process, escalation and implementation of risk acceptance thresholds with the help of the GRC.

Regional, Country Risk and IT Risk Committees

Asia Pacific (APAC) Technology Risk and Controls (TRC) Forum
APAC - TRC Zone / Country Monthly Forums
Japan IT Risk Committee
Europe, Middle East and Africa region/UK and Latin America and Caribbean TRC Forum

The above forums are set up for regional focus on IT, cybersecurity, regulations and overall issue management. The forums engage with the Company's relevant IT leaders and functional leaders within Enterprise Risk Management, Legal, Compliance, and Internal Audit. Each of the Board and the regional and country leadership boards may receive periodic presentations and reports on cybersecurity risks. In the event of a material cybersecurity incident, the Board will receive prompt information and ongoing updates about the incident.

The Company has an established issue escalation protocol for technology incidents, including cyber-related incidents. The Company's technology incidents and risks are tracked and rated. Items that are rated as "critical" are discussed in the TRCC and escalated to the GRC as appropriate. At least once each year, the Board discusses the Company's approach to cybersecurity risk management with the Company's Global Chief Information Security Officer. The CISO and regional/country information security officers regularly present to the Company's regional and country leadership boards on material cyber risks and the Company's information security posture and strategy.

The CISO works collaboratively with business and functional colleagues to implement a program designed to protect the Company's information systems from cybersecurity threats and promptly respond to potential cybersecurity incidents. Multidisciplinary teams are deployed to respond to cybersecurity incidents in accordance with the Company's incident response plans. Through ongoing communication from these teams, the CISO monitors the prevention, detection, mitigation and remediation of cybersecurity incidents in real time, and reports such incidents to the Board when appropriate. The CISO reports to the CIO and is principally responsible for overseeing the Program, in partnership with other business leaders across the Company, including regional information security and technology officers.

The Company's cybersecurity personnel maintain current knowledge through specific training programs, professional certifications and participation in industry groups (e.g., Financial Services Sector Coordinating Council, Financial Services Information Sharing and Analysis Center, Analysis and Resilience Center, Securities Industry and Financial Markets Association, Cybersecurity and Infrastructure Security Agency, etc.). Company cybersecurity personnel expand and test their knowledge of cyber threats and countermeasures through additional on-the-job training and quarterly sponsored simulated exercises to practice their response to real-life threats. In addition, personnel are encouraged to obtain industry-approved certifications as appropriate for their roles and responsibilities. Below are some examples of certifications held by the Company's cybersecurity personnel: Certified in the Governance of Enterprise IT, Certified Information Systems Security Professional, Certified Information Security Manager, Certified in Risk and Information Systems Control, Global Information Assurance Certification (GIAC) Certified Incident Handler, GIAC Assessing and Auditing Wireless Networks, and GIAC Continuous Monitoring Certification.

Our CISO has more than 30 years' leadership experience in information technology, cybersecurity and adjacent fields, spanning military, corporate and advisory roles. He maintains multiple professional certifications and has completed various academic and professional training courses, including the Federal Bureau of Investigation CISO Academy. In addition, he continues to serve on cybersecurity advisory councils and on the faculty of educational institutions focused on network security and information technology.

There have been no material cybersecurity incidents that have affected AIG for the period covered by this annual report. For a discussion regarding risks associated with cybersecurity threats, see Part I, Item 1A. Risk Factors, Business and Operations: "Our risk management policies, standards and procedures may prove to be ineffective and leave us exposed to unidentified or unanticipated risk, which could adversely affect our businesses, results of operations, financial condition and liquidity" and "We are exposed to certain risks if we are unable to maintain the availability of our critical technology systems and data and safeguard the confidentiality and integrity of our data, which could compromise our ability to conduct business and adversely affect our consolidated business, results of operations, financial condition and liquidity."


Company Information

Name: AMERICAN INTERNATIONAL GROUP, INC.
CIK: 0000005272
SIC Description: Fire, Marine & Casualty Insurance
Ticker: AIG - NYSE; AIG-PA - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30