Cybersecurity and Data Privacy

MetLife’s customers, employees and business partners around the world provide us with their personal information and other confidential information every day. MetLife is committed to protecting, responsibly using and processing such information in compliance with applicable laws and regulations.

Our policies and procedures are designed to protect the confidentiality and security of personal information and create effective mechanisms to handle information appropriately worldwide, which includes key areas such as safeguards and risk management, monitoring, data incident response, cybersecurity and e-discovery investigation, and threat intelligence. Our Global Privacy & Information Security Program establishes enterprise-wide principles and global minimum standards, among other things, around the collection and use of personal information in compliance with applicable privacy laws and regulations. The objectives of the program are to:

  • Protect the privacy and security of individuals’ personal information and our customers’ confidential information by adopting and implementing administrative, technical and physical safeguards;
  • Protect against known and unknown threats or hazards to the availability, confidentiality and integrity of personal information and other confidential information; and
  • Protect against loss or destruction or unauthorized access to personal information and other confidential information.

Data Privacy Compliance Risk Management[1]

MetLife’s Privacy Compliance Group, headed by the Chief Privacy Officer, has oversight of MetLife’s Privacy Compliance Risk Program and is responsible for establishing and maintaining the internal Global Privacy and Data Protection Policy (Global Privacy Policy), overseeing the implementation of and ongoing compliance with the Global Privacy Policy and advising business management on privacy risks.

The Global Privacy Policy establishes enterprise-wide principles and global minimum standards designed to facilitate compliance with applicable privacy laws and regulations in the countries in which MetLife operates.

Two internal committees, the Business Information Security Officers and the Policy Voting Board, which include members from Technology, Law, Internal Audit, HR, Compliance and other lines of business, oversee our IT security policies, emerging risks and compliance requirements.

Cybersecurity and Privacy Training

Every year, we conduct mandatory cybersecurity and privacy training for all employees to raise awareness about potential threats and provide clear, actionable guidelines to inform everyday tasks and decision making. Every MetLife employee is required to complete yearly privacy training and comply with applicable privacy laws and regulations when processing personal data held by the company. 

MetLife raises awareness about the importance of cybersecurity and provides employees with resources to protect themselves, our customers and MetLife. We participate in industry cybersecurity groups and events, such as Cybersecurity Awareness Month each October, a national campaign sponsored by the Department of Homeland Security that was created to raise awareness about cybersecurity and staying safe. During the 2022 event, we launched our new Report Phishing recognition program to award Center Stage internal recognition badges to employees who report confirmed malicious emails.

We have established reporting processes and escalation pathways from our businesses and functions to identify, assess and manage potential personal data incidents in a timely manner—including reporting to senior management, as needed.

Information Security

MetLife’s Information Security (InfoSec) program has a mission to protect our information and technology assets, personal and confidential information, and technology-dependent business processes from known and unknown risks and security threats, and to provide enterprise-wide IT risk identification, prioritization, reporting and mitigation services. 

InfoSec pursues this mission through programs to protect against, monitor and/or report threats to MetLife’s information and technology assets associated with risks of operational disruption and unauthorized or accidental access, modification, destruction, exposure and/or disclosure. 

The authority and responsibility for managing the InfoSec program resides with MetLife’s Enterprise Chief Information Security Officer (CISO). The Enterprise CISO is a senior-level executive responsible for establishing and maintaining the vision, strategy and program so that information and technology assets are protected among all MetLife affiliates and that IT risks are reported, remediated and managed.

[1] Please see MetLife’s 2023 Proxy Statement to learn more.