Aflac 2021 Business & Sustainability Report: Protecting Our Customers and Data With Cybersecurity
At Aflac, safeguarding the information collected on behalf of the individuals and businesses we serve is of crucial importance. We are committed to the privacy of individuals and the protection of data, and we do this by placing great importance on information security to protect against threats both external and internal.
This commitment begins at the top of Aflac. Our Board provides oversight of Aflac’s Global Information Security Program and has approval rights for our governing policy. Responsibility for the program is vested in the office of the Global Chief Security Officer (GCSO). The GCSO updates the Board’s Audit and Risk Committee quarterly on the state of the program, compliance with applicable laws and regulations, current and evolving threats, and updates to the program strategy.
The GCSO is supported by a team of risk management and security professionals whose responsibilities encompass the development, implementation, operation, maintenance and continuous improvement of the program. Aflac has a comprehensive set of information and cybersecurity policies and standards structured around the National Institute of Standards and Technology Cybersecurity Framework (NIST-CSF). Policies are reviewed and approved annually to ensure the organization is up to date with changing cybersecurity and privacy regulations, as well as any changes to technology and industry best practices.
Aflac has a comprehensive risk management program that performs initial evaluations and ongoing monitoring of the information security and privacy risk associated with data usage, the sharing of Aflac information with third parties and the system configuration of critical applications and infrastructure. The team carries out an initial assessment and evaluates mitigating controls to determine a final risk rating. Compliance processes are established to escalate identified risks and to ensure transparency and proper accountability for risk treatments. Reassessment cadence is determined in alignment with the risk rating process.
Aflac has processes in place to evaluate business practices against security and privacy policies and standards. We have a Cyber Security Assurance Program that regularly tests a comprehensive library of security controls that map to NIST-CSF. Additionally, we complete an annual SSAE 18 SOC 2 (Statements on Standards for Attestation Engagements No. 18 Service Organization Control 2 report) examination with an independent external firm.
Cybersecurity and privacy continue to be an area of evolving focus for legislation and regulatory activity. Aflac has a cross-functional team that tracks and monitors new and emerging legislation to ensure privacy and cybersecurity programs are evaluated and comply with regulatory requirements.
While Aflac has traditional systems and controls in place to ensure alignment with regulatory requirements and industry best practices, we constantly work to mature our security posture and keep pace with business changes. Our layered defenses, which include the use of identity and access management systems, role-based access, multifactor authentication, key and certificate management services, firewalls, as well as cloud, network and endpoint security tools, are implemented to ensure the protection and availability of information. Regular access reviews are performed, and records are maintained and audited.
Aflac also leverages a host of intrusion detection, prevention and data protection tools to safeguard our most sensitive information and assets. Across the program, continuous monitoring is in place to support our ability to detect and respond to internal and external anomalies. We have mature vulnerability scanning and patch management processes and provide detailed dashboard readouts on remediation activities to business leads on a quarterly basis.
Our team actively participates in multiple threat intelligence sharing consortiums that involve collaboration with our peers in the financial services and insurance industries, as well as local and federal law enforcement. The team also operates as a contributing member in multiple open-source intelligence forums and groups to monitor environmental changes of note.
Resiliency and response
Aflac’s business resilience program is based on leading practices and industry standards, primarily ISO 22301. The program implements controls and measures to prepare the organization to manage disruptive events. It is a company-wide program that ensures Aflac employees, customers, shareholders, business partners, information, assets and business operations are adequately protected in the event of an unplanned business disruption. Resilience is accomplished through an integrated business continuity, disaster recovery and incident/crisis management structure. In 2021, Aflac completed a successful annual cyber incident response tabletop exercise, which included broad participation from global executives and tested our response to a global cyber event.
Our incident response team is staffed by skilled security and forensics professionals who enact a comprehensive Incident Response Framework. The framework consists of coordinated procedures and tasks that are executed to ensure timely and accurate resolution of security and privacy incidents. Aflac has a formal process to investigate and notify individuals and authorities, as required by law, in the event that personal information has been compromised.
Security awareness and training
Aflac’s cyber security awareness training program is designed to help employees, contractors and producers recognize information, cybersecurity and privacy concerns and respond accordingly. Our program provides all personnel with the knowledge and skills to prevent, identify and escalate cybersecurity risks. In 2021, all employees, contractors and producers who had access to Aflac systems or data completed annual security and privacy training. In addition, role-based security training was required for individuals with elevated entitlements.
Aflac’s security operations and threat intelligence teams partner closely with our awareness program to send all users monthly phishing exercises that are representative of actual threats we see in our environment. Performance metrics are tracked to provide a real-time view of the risks associated with phishing susceptibility. Additional training is required if users fail an exercise. In 2021, our average performance in phishing exercises far outpaced the performance of our industry peers, with a more than 99% pass rate for employees and contractors.
Our security education approach extends beyond training and strives to embed security as a core part of Aflac’s culture. We maintain strong executive support and have 130 Cyber Security Ambassadors throughout the organization, helping to extend the reach of our awareness messaging. In 2021, we had more than 120 direct communications, portal stories, contests, panels and cyber events. For National Cyber Security Awareness Month, we hosted events attracting participation from over 1,600 individuals.