VOYA RETIREMENT INSURANCE & ANNUITY Co 10-K Cybersecurity GRC - 2024-03-07

Page last updated on April 11, 2024

VOYA RETIREMENT INSURANCE & ANNUITY Co reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-07 16:15:54 EST.

Filings

10-K filed on 2024-03-07

VOYA RETIREMENT INSURANCE & ANNUITY Co filed a 10-K at 2024-03-07 16:15:54 EST
Accession Number: 0000837010-24-000003


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Voya Financial maintains an information security program that seeks to comply with applicable regulatory requirements. The information security team, led by Voya Financial’s Chief Information Security Officer (“CISO”), implements appropriate measures designed to safeguard sensitive information and protect our operations and systems against cyber threats. The information security team carries out continuous monitoring and evaluation of Voya Financial’s technology and digital infrastructure with the goal of identifying and assessing threats and proactively mitigating potential risks. The CISO and the information security team provide regular updates to Voya Financial’s senior management, as further described under “Cybersecurity Governance” below.

In addition, as part of its risk management strategy, Voya Financial has an established and integrated cybersecurity incident response plan that focuses on incident detection, management and response. The information security team periodically reviews and updates the plan and tests playbooks within the plan through tabletop exercises.

Voya Financial’s information security team is responsible for identifying, assessing, and managing cyber risk, with support from Voya Financial’s operational risk management team. Information security control tasks are performed under the direction and guidance of Voya Financial’s CISO, who is designated under Voya Financial’s risk management principles and policies to oversee the evaluation and mitigation of information security risks. Information security management is integrated into Voya Financial’s overall risk management framework, which provides for a coordinated approach to addressing cybersecurity risk.

As part of Voya Financial’s overall information security program, it may engage and retain external assessors and consultants to help improve our security, stay aligned with industry best practices, evaluate external threats and, on an as-needed basis, perform forensic reviews of cybersecurity-related incidents or independent security assessments.

With regard to risks posed by third-party vendors and service providers, Voya Financial has a dedicated team that is responsible for evaluating, assessing, and addressing those risks, with the ultimate goal of protecting sensitive information and the security of our operations and systems supported by those vendors and providers using a risk-based approach. This team conducts due diligence on third-party vendors and service providers, including evaluating their information security controls and related measures, to identify potential risks and implement appropriate controls.

Technology risks, including cybersecurity threats, undergo a thorough risk management assessment. Voya Financial evaluates risks quantitatively and qualitatively to determine both the probability and potential severity of such risks and whether any such risks could materially affect Voya Financial or its subsidiaries, including VRIAC. We have experienced and may continue to experience cybersecurity incidents and threats that could materially affect our business strategy, results of operations or financial condition. There have been no known cybersecurity incidents that have materially affected us in the past three years.

For more information about the cybersecurity related risks that we face, see “Interruption or other operational failures in telecommunication, cybersecurity, information technology and other operational systems, including as a result of human and process error or a failure to maintain the security, integrity, confidentiality, or privacy of such systems, could harm our business” in Risk Factors in Item 1A of this Annual Report on Form 10-K.

Cybersecurity Governance

As detailed above, Voya Financial’s CISO and the information security team regularly assess and manage cybersecurity risks. Voya Financial’s information security leadership team has extensive information technology and information security experience, and the full team comprises over 100 employees with over 150 certifications from leading information security certification organizations.

Additional management of cybersecurity risks is conducted by Voya Financial’s Technology and Operational Risk Committee (“TORC”), which has been delegated authority by Voya Financial’s Management Risk Committee to provide oversight of operational risk, including information and technology risk, as well as related legal, compliance and regulatory risks. Members of the TORC include senior management with relevant expertise in operations, technology, information security, legal, compliance, data privacy and operational risk management. The information security team participates in the TORC meetings to discuss cybersecurity risks and mitigation treatment. The TORC provides guidance and direction in assessing, addressing, mitigating and monitoring cybersecurity risks within Voya Financial.

Voya Financial’s Board committees include the Technology, Innovation and Operations (“TIO”) Committee, which provides support to the Voya Financial Board in its oversight of information technology, including cybersecurity risks.
In addition, the TIO Committee supports the Voya Financial Audit Committee in reviewing cybersecurity risks and disclosures thereof, and collaborates with both the Audit Committee and the Risk, Investment and Finance (“RIF”) Committee of Voya Financial’s Board to oversee material risks. Management, including the CISO, regularly updates the TIO Committee on cybersecurity-related matters.


Company Information

Name: VOYA RETIREMENT INSURANCE & ANNUITY Co
CIK: 0000837010
SIC Description: Life Insurance
Ticker:
Website:
Category: Non-accelerated filer
Fiscal Year End: December 30