Cybersecurity and Data Privacy
Cybersecurity and Data Privacy
MetLife’s customers, employees and business partners around the world provide us with their personal information and other confidential information every day. MetLife is committed to protecting, responsibly using and processing such information in compliance with applicable laws and regulations.
Our policies and procedures are designed to protect the confidentiality and security of personal information and create effective mechanisms to handle information appropriately worldwide, which includes key areas such as safeguards and risk management, monitoring, data incident response, cybersecurity and e-discovery investigation, and threat intelligence. Our Global Privacy and Information Security Programs establish enterprise-wide principles and global minimum standards, among other things, around the collection and use of personal information in compliance with applicable privacy laws and regulations. The objectives of the programs are to:
- Protect the privacy and security of individuals’ personal information and our customers’ confidential information by adopting and implementing administrative, technical and physical safeguards;
- Protect against known and unknown threats or hazards to the availability, confidentiality and integrity of personal information and other confidential information; and
- Protect against loss or destruction or unauthorized access to personal information and other confidential information.
Privacy Compliance Risk Management
MetLife’s Privacy Compliance Group, headed by the Chief Privacy Officer, has oversight of MetLife’s Privacy Compliance Risk Program and is responsible for establishing and maintaining the internal Global Privacy and Data Protection Policy (Global Privacy Policy), overseeing the implementation of and ongoing compliance with the Global Privacy Policy and advising business management on privacy risks.
The Global Privacy Policy establishes enterprise-wide principles and global minimum standards designed to facilitate compliance with applicable privacy laws and regulations in the countries in which MetLife operates.
Cybersecurity and Privacy Training
Every year, we conduct mandatory cybersecurity and privacy training for all employees to raise awareness about potential threats and provide clear, actionable guidelines to inform everyday tasks and decision making. Every MetLife employee is required to complete yearly privacy training and comply with applicable privacy laws and regulations when processing personal data held by the company.
MetLife raises awareness about the importance of cybersecurity and provides employees with resources to protect themselves, our customers and MetLife. We participate in industry cybersecurity groups and events, such as Cybersecurity Awareness Month each October, a national campaign sponsored by the Department of Homeland Security that was created to raise awareness about cybersecurity and staying safe. During the 2023 event, MetLife published thought leader articles internally highlighting insider risk, employee responsibility, identity protection and cybersecurity leadership.
We have established reporting processes and escalation pathways from our businesses and functions to identify, assess and manage potential personal data incidents in a timely manner—including reporting to senior management, as needed.
Information Security
We manage information security risk through, and as part of, MetLife’s Information Security (InfoSec) Program that management has instituted to maintain controls for the systems, applications and databases of MetLife and our third-party providers. The primary goal of the program is to protect the confidentiality, integrity and availability of all data MetLife owns or possesses, as well as our technology assets, through physical, technical and administrative safeguards. This includes controls and procedures for monitoring, detecting, reporting, containing, managing and remediating cyber threats. The program aims to prevent data exfiltration, manipulation and destruction, as well as system and transactional disruption.
MetLife’s Enterprise Chief Information Security Officer (CISO) manages the program, collaborating with lines of business and corporate functions. The Enterprise CISO is a senior-level executive responsible for establishing and executing MetLife’s information security strategy.