GENWORTH FINANCIAL INC 10-K Cybersecurity GRC - 2026-02-27

Page last updated on February 27, 2026

GENWORTH FINANCIAL INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 16:17:52 EST.

Filings

10-K filed on 2026-02-27

GENWORTH FINANCIAL INC filed a 10-K at 2026-02-27 16:17:52 EST
Accession Number: 0001628280-26-012828

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We have identified technology and cybersecurity risk as some of the most significant risk types to our business. Related to these identified risk types, we have classified our top risks and report them to both senior management and the risk committee of Genworth Financial's Board of Directors, which in turn reports to the Board of Directors. For additional information regarding the risks associated with these matters, see "Item 1A-Risk Factors." Risk Management and Strategy Genworth's risk management framework recognizes the significant operational risk, including risk of losses, from cybersecurity incidents and the importance of a strong cybersecurity program for effective risk management. As part of our overall risk management, we have implemented a formal Data Security and Cybersecurity Program (the "DSCP") which sets policy expectations, ensures broad coverage over technology and cybersecurity risks, integrates the Technology Risk Management Framework into our broader risk management systems, establishes clear roles and governance, and aligns control expectations to the National Institute of Standards and Technology ("NIST") Cybersecurity Framework. Under the DSCP, we have processes for identifying, assessing, escalating and managing technology and cybersecurity risk. The DSCP employs various controls and policies to secure our operations and information, which include monitoring, reporting, managing and remediating cybersecurity threats and incidents. Key features of the DSCP include access controls, security training, system security testing, dedicated security personnel, security event monitoring and regular consultation with third-party data security experts. Through a cross-functional team, we assess and mitigate risks associated with our third-party providers and have processes in place to regularly monitor and evaluate cybersecurity risks, threats and incidents associated with the use of third-party providers, as well as monitoring rights, as appropriate. Our information security team, overseen by our Chief Information Security Officer ("CISO"), conducts annual, role-based information security awareness training for employees. We also conduct periodic cybersecurity awareness training with management and the Board of Directors, including regular cybersecurity preparedness and response exercises. In addition, the DSCP includes an incident response plan, which coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to assess the materiality of the incident, escalate, contain, investigate and remediate the incident, as well as to comply with potentially applicable legal reporting and other obligations and to mitigate reputational damage. We also carry insurance that provides protection against certain losses arising from a cybersecurity incident. Additionally, we have procedures set forth in the DSCP for reporting and responding to potential cybersecurity incidents as well as determining applicable disclosure requirements, including timely incident reporting. As of the date of this report, no known cybersecurity threats have had or, in our assessment, are reasonably likely to have a material adverse effect on our business strategy, results of operations or financial condition. See "Item 1A-Risk Factors- Our computer systems, as well as those of our third-party service providers, have experienced failures or security compromises in the past and may do so again in the future, including as a result of cybersecurity incidents; we may experience issues from new and complex technology methodologies such as artificial intelligence; and unanticipated problems could materially adversely impact our disaster recovery systems and business continuity plans, any of which could expose confidential information such as personal information of our customers or employees, damage our reputation, impair our ability to conduct business effectively, result in enforcement action or litigation, and materially adversely affect our business, financial condition and results of operations ." Governance Our Board of Directors recognizes the importance of maintaining the privacy and security of customer information, as well as the availability and integrity of our systems, and consequently dedicates meaningful time and attention to the oversight of cybersecurity risk. In light of these risks, our Board of Directors is actively engaged in the oversight of the Company's technology, which includes periodic briefings on cybersecurity threats and participation in cybersecurity preparedness exercises. Our Board of Directors has established a technology committee to assist in its oversight responsibilities relating to Genworth's technology initiatives, strategy, investments and innovation, and the DSCP. Furthermore, under its charter, the Board's risk committee has primary responsibility for technology and cybersecurity risk oversight. In this capacity, the risk committee oversees the Company's processes for identifying, assessing and managing technology and cybersecurity risk, including a risk-based escalation process, which requires that the risk committee be notified by management and, as necessary, receive regular briefings on the matter, and work with management, including Genworth's CISO and Chief Risk Officer ("CRO"), to assess and manage the risk and implement the Company's response to the incident, as appropriate. Genworth's Chief Information Officer ("CIO"), CISO and CRO, all members of management , support the cybersecurity risk oversight responsibilities of the Board and its committees and involve relevant management personnel in cybersecurity risk management. The technology committee receives regular reports from the CIO on technology initiatives and strategy, periodically reviews and oversees Genworth's DSCP and receives regular updates, at least annually, related to data security and cybersecurity matters from the CISO. The risk committee receives periodic reports from the CRO on the Company's risks related to technology and cybersecurity. Additionally, the CRO follows a formal risk-based escalation process to notify the risk committee outside of the regular reporting cycle when actual or potential substantive cybersecurity risks or issues are identified. Genworth's CISO is an information technology and security professional with over 25 years of experience and 15 years of service at Genworth. In his more than 25 years of experience, he has held roles in information technology infrastructure administration, information technology infrastructure, security consulting and security administration. He received a Bachelor of Science Degree in Business Administration from Regent University and is a Certified Information Systems Security Professional (CISSP). Genworth's CRO has served in technology and risk management leadership roles for over 20 years, including oversight of enterprise risk management and operational risk, as well as oversight for financial reporting systems, operational and technology systems, and testing and quality assurance programs. He received a Bachelor of Science Degree in Decision Support Systems from Virginia Polytechnic Institute (Virginia Tech) and graduated from the Tuck Global Executive Leadership Program through Dartmouth in 2020. For more information about our CRO, see "Part III-Item 10-Directors, Executive Officers and Corporate Governance." Genworth's CIO has served in technology leadership roles for over 30 years, including oversight of technology strategy, business development, modernization and cybersecurity matters. He received a Bachelor of Science Degree in Finance from Virginia Commonwealth University. For more information about our CIO, see "Part III-Item 10-Directors, Executive Officers and Corporate Governance."

Company Information