AFLAC INC 10-K Cybersecurity GRC - 2025-02-26

Page last updated on July 18, 2025

AFLAC INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-26 12:26:15 EST.

Company Summary

Aflac Insurance Services provides life insurance, consulting, and financial services.

Filings

10-K filed on 2025-02-26

AFLAC INC filed a 10-K at 2025-02-26 12:26:15 EST
Accession Number: 0000004977-25-000047


Item 1C. Cybersecurity.

The Company’s board of directors maintains an information security policy directing management to establish and operate a global information security program with the goals of identifying, assessing and monitoring existing and emerging cybersecurity threats and ensuring that the Company’s information assets and data, and the data of its customers, are appropriately protected from loss or theft. The Board has delegated oversight of the Company’s information security program to the Audit and Risk Committee. The Company’s senior officers, including its Global Security and Chief Information Security Officer (GSCISO), are responsible for the operation of the global information security program and communicate quarterly with the Audit and Risk Committee on the program, including with respect to the state of the program, compliance with applicable regulations, risks associated with current and evolving threats, and recommendations for changes in the information security program.

The global information security program includes a cybersecurity incident response plan that is designed to provide a management framework across Company functions for a coordinated assessment and response to potential security incidents. This framework establishes a protocol to report certain incidents to the GSCISO and other senior officers, with the goal of timely assessing such incidents, determining applicable disclosure requirements and communicating with the Board of Directors. The incident response plan directs the executive officers to report certain incidents immediately and directly to the Lead Non-Management Director and/or the Chair of the Audit and Risk Committee. The above framework tracks and allows team members to monitor each incident throughout its lifecycle to ensure the Company is informed about and following cybersecurity incidents as they are mitigated and remediated. Post-incident reviews are also performed to determine if there are any additional controls that may feasibly be implemented to prevent recurrence.

As a part of the global information security program, an enterprise cybersecurity risk assessment is performed annually in coordination with the GSCISO to identify and assess material cybersecurity risks and mitigating controls. The assessment results are incorporated into a risk register managed by the Company’s overall enterprise risk management group to integrate the risks into the overall risk management processes. The Company engages with independent firms to conduct operational control assessments, which cover information protection. Every three years, the Company engages independent consultants specifically for cyber matters. Additionally, the Company performs third-party risk assessments to evaluate security controls and identify inherent and residual risks associated with third-party engagements. Issues identified during third-party risk assessments are documented and escalated to Company management through an established committee structure based on the risk ratings associated with each issue.

The Company also utilizes professionals from the Company’s legal team and GSCISO’s leadership team, a majority of whom have specialized skills and knowledge in cybersecurity risk management based on their prior work experience and relevant industry certifications, such as Certified Information Systems Security Professional and Certified Information Security Manager, to assist in employee awareness and training, as well as assessing cybersecurity risks, materiality of cybersecurity incidents and disclosures of the same. Specifically, the GSCISO has security experience in the public sector and private sector financial services industry holding positions in areas such as business continuity, information assurance, and technology risk management as well as being a Certified Information Systems Security Professional, Certified Information Security Manager and Certified Project Manager as well as being certified in Risk and Information Systems Control. The GSCISO and his direct reports have an average of over 20 years of experience in the field of cybersecurity.

As of the date of this Form 10-K, the Company is not aware of any cybersecurity incidents that occurred during the year ended December 31, 2024 that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition and that are required to be reported in this Form 10-K. For further discussion of the risks associated with cybersecurity incidents, see Item 1A. Risk Factors for the risk factor titled “Interruption in telecommunication, information technology and other operational systems, or a failure to maintain the security, confidentiality, integrity or privacy of sensitive data residing on such systems, could harm the Company’s business” for additional information regarding how the Company’s business strategy, results of operations, and financial condition could be adversely affected by risks from cybersecurity threats.


Company Information

Name: AFLAC INC
CIK: 0000004977
SIC Description: Accident & Health Insurance
Ticker: AFL - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30