Jackson Financial Inc. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

Jackson Financial Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 16:19:08 EST.

Filings

10-K filed on 2024-02-28

Jackson Financial Inc. filed an 10-K at 2024-02-28 16:19:08 EST
Accession Number: 0001822993-24-000009

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy We have an enterprise-wide risk management framework for identifying, assessing, managing, monitoring, and reporting our material risks, including cybersecurity risks. Our risk identification and risk and control self-assessment (“RCSA”) process assesses the potential likelihood and impact of, among other things, cybersecurity risks to the Company, and the control environment in place to mitigate identified risks. See Item 1A. Risk Factors Risks Related to Information Technology, Security and Data for a description of the cybersecurity risks we face. The Company is committed to attaining the highest standards for information security and data privacy programs through disciplined governance and risk management practices. We have a written JFI Information Security Policy setting forth our expectations with respect to the receipt, handling and management of information, and setting forth our process, procedures and standards for achieving those expectations. Our Information Security Policy is reviewed and updated by management at least annually, to align with multiple industry standards, including the National Institute of Standards and Technology Cyber Security Framework and relevant state regulations, including New York s Department of Financial Services Cybersecurity Requirements for Financial Services Companies, and federal regulatory requirements. The JFI Privacy Policy is also annually reviewed and updated by management to align with industry best practices and state and federal regulatory requirements. Our cybersecurity program includes a threat and vulnerability management program to identify, assess, prevent, detect, monitor and remediate internal and external threats to, and vulnerabilities of, the Company s electronic systems, applications and data. Key components of this security program include a 24/7 Security Operations Center, which is managed internally at Jackson, with staff augmentation from third-party service vendors. The Security Operations Center monitors threats and attacks and initiates the incident response management process and associated notifications, as needed. In addition to monitoring threats and attacks, our internal management team reviews daily external threat intelligence and oversees, at least quarterly, external penetration testing of our Company s electronic systems. We provide training to all associates and regularly audit and assess our program with both internal and external resources, and through benchmarking studies and assessments against our Information Security and Privacy Policies and Standards. We have a third-party vendor management program that oversees the identification and assessment of cybersecurity risk for the Company s use of all third-party service providers. This program evaluates third-party vendors based on their level of access to the Company s data and the level of potential risk the third-party service providers create for the organization through reviews of their security program and systems architecture. The Company identifies monitoring and mitigating controls and implements such controls where appropriate for any identified risks, including adding robust security terms in agreed contracts. We also monitor and periodically reassess third-party service vendors to ensure controls are maintained to expectations. 39 Part I | Item 1C. Cybersecurity Cybersecurity Incidents As previously disclosed in Item 2. Management s Discussion and Analysis of Financial Condition and Results of Operations Macroeconomic, Industry and Regulatory Trends Cybersecurity Event in our Form 10-Q for the quarter ended June 30, 2023, Jackson determined that its information at one of our third-party vendors, Pension Benefit Information, LLC ( PBI ), was impacted by a cybersecurity breach involving Progress Software Corporation s MOVEit Transfer software. The PBI service helps Jackson to identify possible beneficiaries for death benefits. According to PBI, an unknown actor exploited a MOVEit software flaw to access PBI s systems and download certain data. Our assessment indicated that personally identifiable information relating to approximately 850,000 of Jackson s customers was obtained by that unknown actor from PBI s systems. PBI informed Jackson that it rectified the MOVEit vulnerability. Separately, Jackson experienced unauthorized access to two servers as a result of the MOVEit flaw; however, the scope and nature of the data accessed on those servers was significantly less than the PBI impact. Our assessment was that a subset of information relating to certain partner organizations and individuals, including certain customers of Jackson, was obtained from the two affected servers. At this time, we do not believe the incidents or related litigation will have a material adverse effect on the business, operations, or financial results of Jackson Financial. Governance JFI s Board Oversight of Risks from Cybersecurity Threats: JFI s Board approved both the Company s initial JFI Information Security Policy and the JFI Privacy Policy. The Finance and Risk Committee of the JFI Board assists the Board with oversight of the Company s risk framework and its effectiveness. The Finance and Risk Committee regularly reviews top risks identified by management, the Company s risk appetite, and financial and non-financial risks, including information security and cybersecurity. The committee also reviews activity reports on the status of our cybersecurity program, including material policy changes, breaches, and remediation actions. At least annually, and more often as needed, the committee meets with our Chief Information Security Officer ( CISO ) in a dedicated session to review and discuss in-depth cybersecurity risks facing the Company. JFI s Board of Directors receives periodic reports from its Finance and Risk Committee regarding the committee s actions in respect of cybersecurity and related regulatory developments and receives from our CISO regular updates about cybersecurity threats and our cybersecurity and privacy programs. Management s Role in Assessing and Managing Material Risks from Cybersecurity Threats: Our CISO is a member of the senior leadership team and oversees our Information Security and Privacy Team. The CISO provides regular updates to the Board on cybersecurity threats facing the organization, including developments in our ongoing information security and privacy programs. As noted, the CISO meets in dedicated sessions with the Finance and Risk Committee to review and discuss in-depth cybersecurity risks facing the Company. Our Information Security and Privacy Team includes 70 full-time positions with at least 50% of our associates holding industry certifications, such as the Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Certified Information Privacy Professional (CIPP). All associates and contractors with access to our Company s systems receive comprehensive initial and ongoing annual training on responsible information security, data security, and cybersecurity practices and how to protect against cyber threats. Regular independent third-party assessments, penetration testing, and internal audits are conducted to validate controls and to position our cybersecurity maturity level at or ahead of industry trends in meeting stringent security standards. We regularly assess our security program internally and externally, through benchmarking studies and assessments against our Information Security and Privacy Policies and Standards and conduct assessments of the effectiveness of relevant internal control activities designed to restrict inappropriate access to our IT systems, support data integrity within our IT systems, and ensure ongoing availability of our IT systems. Certain of these control activities are also subject to an assessment by our external auditor to support its opinion on the effectiveness of our internal control over financial reporting. 40 Part I | Item 2. Properties
Item 1C. Cybersecurity Cybersecurity Incidents As previously disclosed in Item 2. Management s Discussion and Analysis of Financial Condition and Results of Operations Macroeconomic, Industry and Regulatory Trends Cybersecurity Event in our Form 10-Q for the quarter ended June 30, 2023, Jackson determined that its information at one of our third-party vendors, Pension Benefit Information, LLC ( PBI ), was impacted by a cybersecurity breach involving Progress Software Corporation s MOVEit Transfer software. The PBI service helps Jackson to identify possible beneficiaries for death benefits. According to PBI, an unknown actor exploited a MOVEit software flaw to access PBI s systems and download certain data. Our assessment indicated that personally identifiable information relating to approximately 850,000 of Jackson s customers was obtained by that unknown actor from PBI s systems. PBI informed Jackson that it rectified the MOVEit vulnerability. Separately, Jackson experienced unauthorized access to two servers as a result of the MOVEit flaw; however, the scope and nature of the data accessed on those servers was significantly less than the PBI impact. Our assessment was that a subset of information relating to certain partner organizations and individuals, including certain customers of Jackson, was obtained from the two affected servers. At this time, we do not believe the incidents or related litigation will have a material adverse effect on the business, operations, or financial results of Jackson Financial. Governance JFI s Board Oversight of Risks from Cybersecurity Threats: JFI s Board approved both the Company s initial JFI Information Security Policy and the JFI Privacy Policy. The Finance and Risk Committee of the JFI Board assists the Board with oversight of the Company s risk framework and its effectiveness. The Finance and Risk Committee regularly reviews top risks identified by management, the Company s risk appetite, and financial and non-financial risks, including information security and cybersecurity. The committee also reviews activity reports on the status of our cybersecurity program, including material policy changes, breaches, and remediation actions. At least annually, and more often as needed, the committee meets with our Chief Information Security Officer ( CISO ) in a dedicated session to review and discuss in-depth cybersecurity risks facing the Company. JFI s Board of Directors receives periodic reports from its Finance and Risk Committee regarding the committee s actions in respect of cybersecurity and related regulatory developments and receives from our CISO regular updates about cybersecurity threats and our cybersecurity and privacy programs. Management s Role in Assessing and Managing Material Risks from Cybersecurity Threats: Our CISO is a member of the senior leadership team and oversees our Information Security and Privacy Team. The CISO provides regular updates to the Board on cybersecurity threats facing the organization, including developments in our ongoing information security and privacy programs. As noted, the CISO meets in dedicated sessions with the Finance and Risk Committee to review and discuss in-depth cybersecurity risks facing the Company. Our Information Security and Privacy Team includes 70 full-time positions with at least 50% of our associates holding industry certifications, such as the Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Certified Information Privacy Professional (CIPP). All associates and contractors with access to our Company s systems receive comprehensive initial and ongoing annual training on responsible information security, data security, and cybersecurity practices and how to protect against cyber threats. Regular independent third-party assessments, penetration testing, and internal audits are conducted to validate controls and to position our cybersecurity maturity level at or ahead of industry trends in meeting stringent security standards. We regularly assess our security program internally and externally, through benchmarking studies and assessments against our Information Security and Privacy Policies and Standards and conduct assessments of the effectiveness of relevant internal control activities designed to restrict inappropriate access to our IT systems, support data integrity within our IT systems, and ensure ongoing availability of our IT systems. Certain of these control activities are also subject to an assessment by our external auditor to support its opinion on the effectiveness of our internal control over financial reporting. 40 Part I | Item 2. Properties

Company Information