Data Privacy Compliance Risk Management
Two internal committees, the Business Information Security Officers and the Policy Voting Board, which include members from Technology, Law, Internal Audit, HR, Compliance and other lines of business, oversee our IT security policies, emerging risks and compliance requirements.
Cybersecurity and Privacy Training
Every year, we conduct mandatory cybersecurity and privacy training for all employees to raise awareness about potential threats and provide clear, actionable guidelines to inform everyday tasks and decision making. Every MetLife employee is required to complete yearly privacy training and comply with applicable privacy laws and regulations when processing personal data held by the company.
MetLife raises awareness about the importance of cybersecurity and provides employees with resources to protect themselves, our customers and MetLife. We participate in industry cybersecurity groups and events, such as Cybersecurity Awareness Month each October, a national campaign sponsored by the Department of Homeland Security that was created to raise awareness about cybersecurity and staying safe. During the 2022 event, we launched our new Report Phishing recognition program to award Center Stage internal recognition badges to employees who report confirmed malicious emails.
We have established reporting processes and escalation pathways from our businesses and functions to identify, assess and manage potential personal data incidents in a timely manner—including reporting to senior management, as needed.
MetLife’s Information Security (InfoSec) program has a mission to protect our information and technology assets, personal and confidential information, and technology-dependent business processes from known and unknown risks and security threats, and to provide enterprise-wide IT risk identification, prioritization, reporting and mitigation services.
InfoSec pursues this mission through programs to protect against, monitor and/or report threats to MetLife’s information and technology assets associated with risks of operational disruption and unauthorized or accidental access, modification, destruction, exposure and/or disclosure.
The authority and responsibility for managing the InfoSec program reside with MetLife’s Enterprise Chief Information Security Officer (CISO). The Enterprise CISO is a senior-level executive responsible for establishing and maintaining the vision, strategy and program so that information and technology assets are protected among all MetLife affiliates and that IT risks are reported, remediated and managed.