|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Cybersecurity Risk Management and Strategy
We maintain an information security program that seeks to comply with applicable regulatory requirements. The information security team, led by the Chief Information Security Officer ("CISO"), implements appropriate measures designed to safeguard sensitive information and protect our operations and systems against cyber threats. The information security team carries out continuous monitoring and evaluation of Voya’s technology and digital infrastructure with the goal of identifying and assessing threats and proactively mitigating potential risks. The CISO and the information security team provide regular updates to Voya's senior management, as further described under Cybersecurity Governance below.
In addition, as part of its risk management strategy, Voya has an established and integrated cybersecurity incident response plan that focuses on incident detection, management and response. The information security team periodically reviews and updates the plan and tests playbooks within the plan through tabletop exercises.
Voya's information security team is responsible for identifying, assessing, and managing cyber risk, with support from Voya's operational risk management team. Information security control tasks are performed under the direction and guidance of the CISO, who is designated under Voya’s risk management principles and policies to oversee the evaluation and mitigation of information security risks. Information security management is integrated into Voya’s overall risk management framework, which provides for a coordinated approach to addressing cybersecurity risk.
As part of Voya’s overall information security program, we may engage and retain external assessors and consultants to help improve our security, stay aligned with industry best practices, evaluate external threats and, on an as-needed basis, perform forensic reviews of cybersecurity-related incidents or independent security assessments.
With regard to risks posed by third-party vendors and service providers, Voya has a dedicated team that is responsible for evaluating, assessing, and addressing those risks, with the ultimate goal of protecting sensitive information and the security of our operations and systems supported by those vendors and providers using a risk-based approach. This team conducts due diligence on third-party vendors and service providers, including evaluating their information security controls and related measures, to identify potential risks and implement appropriate controls.
Technology risks, including cybersecurity threats, undergo a thorough risk management assessment. We evaluate risks quantitatively and qualitatively to determine both the probability and potential severity of such risks and whether any such risks could materially affect Voya. We have experienced and may continue to experience cybersecurity incidents and threats that could materially affect our business strategy, results of operations or financial condition. There have been no known cybersecurity incidents that have materially affected us in the past three years. For more information about the cybersecurity related risks that we face, see Interruption or other operational failures in telecommunication, cybersecurity, information technology and other operational systems, including as a result of human and process error or a failure to maintain the security, integrity, confidentiality, or privacy of such systems, could harm our business in Risk Factors in Item 1A of this Annual Report on Form 10-K.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Voya's information security team is responsible for identifying, assessing, and managing cyber risk, with support from Voya's operational risk management team. Information security control tasks are performed under the direction and guidance of the CISO, who is designated under Voya’s risk management principles and policies to oversee the evaluation and mitigation of information security risks. Information security management is integrated into Voya’s overall risk management framework, which provides for a coordinated approach to addressing cybersecurity risk.
As part of Voya’s overall information security program, we may engage and retain external assessors and consultants to help improve our security, stay aligned with industry best practices, evaluate external threats and, on an as-needed basis, perform forensic reviews of cybersecurity-related incidents or independent security assessments.
With regard to risks posed by third-party vendors and service providers, Voya has a dedicated team that is responsible for evaluating, assessing, and addressing those risks, with the ultimate goal of protecting sensitive information and the security of our operations and systems supported by those vendors and providers using a risk-based approach. This team conducts due diligence on third-party vendors and service providers, including evaluating their information security controls and related measures, to identify potential risks and implement appropriate controls.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|Technology risks, including cybersecurity threats, undergo a thorough risk management assessment. We evaluate risks quantitatively and qualitatively to determine both the probability and potential severity of such risks and whether any such risks could materially affect Voya. We have experienced and may continue to experience cybersecurity incidents and threats that could materially affect our business strategy, results of operations or financial condition. There have been no known cybersecurity incidents that have materially affected us in the past three years.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Cybersecurity Governance
As detailed above, the CISO and the information security team regularly assess and manage cybersecurity risks. Voya's information security leadership team has extensive information technology and information security experience, and the full team comprises over 100 employees with over 150 certifications from leading information security certification organizations. The CISO, who oversees the organization supporting the day-to-day operations of our information security program, brings over 30 years of professional IT experience in financial services. Before assuming his current role, the CISO served as Voya's Chief Technology Officer, where he was responsible for our infrastructure, cloud, and business resiliency office. Additional management of cybersecurity risks is conducted by Voya's Technology and Operational Risk Committee ("TORC"), which has been delegated authority by Voya's Management Risk Committee to provide oversight of operational risk, including information and technology risk, as well as related legal, compliance and regulatory risks. Members of the TORC include senior management with relevant expertise in operations, technology, information security, legal, compliance, data privacy and operational risk management. The information security team participates in the TORC meetings to discuss cybersecurity risks and mitigation treatment. The TORC provides guidance and direction in assessing, addressing, mitigating and monitoring cybersecurity risks within Voya.Voya’s Board committees include the Risk Committee, which provides support to the Board in its oversight of information technology, including cybersecurity risk. To assist the Board in fulfilling its oversight function, the Risk Committee is responsible for overseeing cybersecurity risk and collaborates with the Audit Committee on the related disclosures. The Risk Committee receives regular updates from the CISO on cybersecurity-related matters and reports regularly to the full Board.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Voya’s Board committees include the Risk Committee, which provides support to the Board in its oversight of information technology, including cybersecurity risk. To assist the Board in fulfilling its oversight function, the Risk Committee is responsible for overseeing cybersecurity risk and collaborates with the Audit Committee on the related disclosures. The Risk Committee receives regular updates from the CISO on cybersecurity-related matters and reports regularly to the full Board.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Voya’s Board committees include the Risk Committee, which provides support to the Board in its oversight of information technology, including cybersecurity risk. To assist the Board in fulfilling its oversight function, the Risk Committee is responsible for overseeing cybersecurity risk and collaborates with the Audit Committee on the related disclosures. The Risk Committee receives regular updates from the CISO on cybersecurity-related matters and reports regularly to the full Board.
|Cybersecurity Risk Role of Management [Text Block]
|
As detailed above, the CISO and the information security team regularly assess and manage cybersecurity risks. Voya's information security leadership team has extensive information technology and information security experience, and the full team comprises over 100 employees with over 150 certifications from leading information security certification organizations. The CISO, who oversees the organization supporting the day-to-day operations of our information security program, brings over 30 years of professional IT experience in financial services. Before assuming his current role, the CISO served as Voya's Chief Technology Officer, where he was responsible for our infrastructure, cloud, and business resiliency office. Additional management of cybersecurity risks is conducted by Voya's Technology and Operational Risk Committee ("TORC"), which has been delegated authority by Voya's Management Risk Committee to provide oversight of operational risk, including information and technology risk, as well as related legal, compliance and regulatory risks. Members of the TORC include senior management with relevant expertise in operations, technology, information security, legal, compliance, data privacy and operational risk management. The information security team participates in the TORC meetings to discuss cybersecurity risks and mitigation treatment. The TORC provides guidance and direction in assessing, addressing, mitigating and monitoring cybersecurity risks within Voya.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The CISO, who oversees the organization supporting the day-to-day operations of our information security program, brings over 30 years of professional IT experience in financial services. Before assuming his current role, the CISO served as Voya's Chief Technology Officer, where he was responsible for our infrastructure, cloud, and business resiliency office. Additional management of cybersecurity risks is conducted by Voya's Technology and Operational Risk Committee ("TORC"), which has been delegated authority by Voya's Management Risk Committee to provide oversight of operational risk, including information and technology risk, as well as related legal, compliance and regulatory risks. Members of the TORC include senior management with relevant expertise in operations, technology, information security, legal, compliance, data privacy and operational risk management. The information security team participates in the TORC meetings to discuss cybersecurity risks and mitigation treatment. The TORC provides guidance and direction in assessing, addressing, mitigating and monitoring cybersecurity risks within Voya.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Voya's information security leadership team has extensive information technology and information security experience, and the full team comprises over 100 employees with over 150 certifications from leading information security certification organizations. The CISO, who oversees the organization supporting the day-to-day operations of our information security program, brings over 30 years of professional IT experience in financial services. Before assuming his current role, the CISO served as Voya's Chief Technology Officer, where he was responsible for our infrastructure, cloud, and business resiliency office.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Risk Committee receives regular updates from the CISO on cybersecurity-related matters and reports regularly to the full Board.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef