LINCOLN NATIONAL LIFE INSURANCE CO /IN/ 10-K Cybersecurity GRC - 2024-03-15

Page last updated on July 16, 2024

LINCOLN NATIONAL LIFE INSURANCE CO /IN/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-15 15:51:49 EDT.


10-K filed on 2024-03-15

LINCOLN NATIONAL LIFE INSURANCE CO /IN/ filed a 10-K at 2024-03-15 15:51:49 EDT
Accession Number: 0000726865-24-000086


Item 1C. Cybersecurity.

Risk Management and Strategy

Operational Risk Management and Strategy

Identifying, assessing and managing material risks from cybersecurity threats is a core component of our overall operational risk management. LNC’s Information Security team is the primary group responsible for cybersecurity and consists of four divisions with specific mandates:

- The security engineering division, which leads our “security by design” efforts to help ensure cybersecurity considerations are taken into account in our applications, cloud architecture and infrastructure;
- The governance, risk and compliance division, which includes responsibility for developing cybersecurity-related policies and procedures, training and supplier security review;
- The cybersecurity response and investigations (“CSRI”) division; and
- The identity access management division, which is responsible for managing access to our data and technology infrastructure.

The work done by each of these divisions is applied both tactically and strategically to operations, as well as to broader risk management activities. The governance, risk and compliance division of the Information Security team includes a dedicated information technology (“IT”) and cyber operational risk assessment team. This team conducts assessments that are focused on the company’s most significant IT and cyber risks, the results of which are leveraged by IT leadership, among other inputs, to mitigate, reduce and/or manage such risks. While it is not possible to be certain that all risks, threats and vulnerabilities to our information and systems have been identified, our cybersecurity risk management processes are designed to, using a risk-based approach, identify reasonably known risks from cybersecurity threats and ensure material risks are managed appropriately. The work done by the Information Security team integrates into LNC’s overall Enterprise Risk Management (“ERM”) program.

Data is contributed to the ERM team in support of our broader operational risk framework and processes through completion of the Risk and Control Self-Assessment for IT and cyber, which is aggregated into the larger operational risk program. Members of IT and Information Security senior leadership participate on LNC’s Operational Risk Committee (“ORC”), which is a standing committee whose purpose is to review and monitor threats to our business operations and strategy that manifest from inadequate or failed internal processes, controls, people or systems or from external events. In addition, LNC’s Internal Audit team performs an annual security audit that focuses on cybersecurity risks, the results of which are reported to the IT leadership team and the Audit Committee of LNC’s Board of Directors. This audit process provides an additional layer of support to help ensure that cybersecurity risks are managed and responded to appropriately. While the Information Security team uses some third-party resources as part of its efforts to assess, identify and manage material risks from cybersecurity threats (e.g., certain third-party software tools, threat intelligence and periodic penetration testing), our cybersecurity efforts are predominantly conducted through our internal resources.

Monitoring and Incident Response

The CSRI division of the Information Security team is responsible for the operation of LNC’s internal Security Operations Center (“SOC”), which performs monitoring and alerting for security events 24 hours a day, 7 days a week, 365 days a year. The CSRI division also actively seeks out cybersecurity threats that might affect the organization and/or our customers. The CSRI team is a component of LNC’s formal security incident response team (“SIRT”) and process.

In addition to the Information Security team, the SIRT also includes representatives from LNC’s legal and compliance teams (including Privacy), the office of business resiliency, the chief risk office, corporate communications and the information technology team. While the CSRI division is responsible for cybersecurity responses generally, should a critical event arise, such an event would be raised to and addressed by the SIRT. The Privacy team, which is part of the compliance function, has a dedicated incident response team responsible for assessing, identifying and managing risks from cybersecurity threats involving personal information. The team follows documented processes for investigation, research, assessment, notification, regulatory reporting and, if necessary, escalation to management, and such processes have been integrated into the Information Security incident response program. The Information Security team works closely with the Privacy team to respond to any cybersecurity incidents involving personal information. The Privacy team engages third parties to assist with incident assessment and notification.

Supplier Risk Management and Strategy

Within the governance, risk and compliance division of the Information Security team, LNC operates a formal supplier security assessment program, with a team dedicated to evaluating the cybersecurity risk associated with third-party suppliers with whom we have contracted and who we believe may pose a cybersecurity threat to the company, our customers or our business partners due to the type of services they provide and/or the confidential information they may be handling. This team assesses the security posture of the supplier, as well as the security of the systems and services provided. In addition, the team works closely with the procurement and legal teams to help ensure that appropriate security requirements are included in our contractual arrangements with the suppliers.

The team conducts an assessment both at the outset of the engagement of a new supplier and periodically thereafter, based on assigned risk levels, as well as in the event of any new services or changes to the engagement. The Information Security team’s process for conducting periodic security reviews of third parties is a component of the operational risk management team’s broader periodic review of third parties.

Risks from Cybersecurity Threats

Although our computer systems and the computer systems of third parties on which we rely have in the past been, and will likely in the future be, subject to or targets of unauthorized or fraudulent access, to date the Company, including our business strategy, results of operations or financial condition, has not been materially affected by a cybersecurity breach. There are risks from cybersecurity threats that, if they were to occur, could materially affect the Company, including its business strategy, results of operations or financial condition, as discussed in “Item 1A. Risk Factors - Operational Matters - Our information systems or the information systems of third parties on which we rely may experience interruptions, breaches in security and/or a failure of disaster recovery systems that could result in a loss or disclosure of confidential information, damage to our reputation, impairment of our ability to conduct business effectively and increased expenses” and “Item 1A. Risk Factors - Legislative, Regulatory and Tax - Compliance with existing and emerging privacy laws and regulations could result in increased compliance costs and/or lead to changes in business practices and policies, and any failure to protect the confidentiality of personal information could adversely affect our reputation and have a material adverse effect on our business, financial condition and results of operations.”

Governance

LNC’s Board of Directors is responsible for regular oversight of LNC’s overall risk management process. The Board reviews the most significant risks the company faces and the manner in which our executives manage these risks. The Board has also delegated certain of its risk oversight efforts to its committees. Oversight of cybersecurity risk has been delegated to the Audit Committee of the LNC Board of Directors. LNC’s senior management is primarily responsible for establishing policies and procedures designed to identify, assess and manage the Company’s significant risks, with LNC’s Chief Information Security Officer (“CISO”) having primary responsibility with respect to material risks from cybersecurity threats. LNC also has a Corporate Enterprise Risk and Capital Committee, made up of members of senior management and LNC’s Chief Risk Officer, which provides oversight of our enterprise-wide risk structure and of our processes to identify, measure, monitor and manage significant risks, including, but not limited to, cybersecurity risk.

The Information Security organization is led by the CISO. The head of each of the four divisions of the Information Security team reports directly to the CISO. The CISO reports directly to LNC’s Chief Information Officer and Head of IT (“CIO”), who is a member of LNC’s Senior Management Committee. As a result, all information security personnel report into the CISO, and ultimately the CIO. The CISO also reports indirectly to the Audit Committee of the LNC Board of Directors. Biannually, the CISO reports to the Audit Committee on the cybersecurity risks facing the company and cybersecurity developments generally. In addition, as discussed above, LNC’s Internal Audit team reports to the LNC Audit Committee the results of its annual security audit focused on cybersecurity risks. LNC’s Chief Compliance Officer reports key Privacy risk indicators and statistics (including those related to cybersecurity risks) to the LNC Audit Committee on a quarterly basis.

The current CISO has over 20 years of experience in the field of cybersecurity and holds a Certified Information Security Systems Professional designation. The CISO has a staff of more than 100 employees dedicated to protecting the data and systems belonging to the Company, our customers, business partners and consumers.

Company Information

SIC Description: Life Insurance
Category: Non-accelerated filer
Fiscal Year End: December 30