|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
FLIAC prioritizes the security of its electronic information systems and the data residing therein. In order to respond to the risks posed by a variety of cybersecurity threats, including security breaches, cyber-attacks, and other cybersecurity incidents, FLIAC has implemented a Cybersecurity Program (the “Program”) managed by our Chief Information Security Officer (“CISO”) and the CISO’s Information Security Team. The Program is designed to protect and preserve the confidentiality, integrity, and continued availability of the electronic information systems that we own or use, and all electronic information owned by or in the care of the Company. The Program is based on industry-leading frameworks including the National Institute of Standards and Technology (“NIST”) Cyber Security Framework (“CSF”) and NIST 800-53. The NIST CSF provides standards, guidelines, and best practices on managing cybersecurity risk and for the organization, improvement, and assessment of the Program.
The Program governs all FLIAC internal systems, as well as third parties providing service to the Company, and is based on the following five pillars:
•Identify - The first pillar of the Program is to identify the organization's critical assets, vulnerabilities, and potential threats. This involves conducting a thorough quantitative and qualitative risk assessment and asset inventory based on the organization's information systems, data repositories, and network infrastructure. Additionally, it involves categorizing and classifying the importance of different assets, assessing their potential impact on the organization if compromised, and identifying applicable regulatory compliance requirements. This pillar of the Program also involves regular engagement with the broader security community and monitoring of new and emerging cyber threat information.
•Protect - After identifying the assets and vulnerabilities, FLIAC applies comprehensive asset protection methods allowing for accurate risk mitigation techniques. This includes deploying a range of security controls such as firewalls, intrusion detection systems, antivirus software, encryption mechanisms, and access controls. The goal is to establish multiple layers of defense to prevent unauthorized access, data breaches, cyber-attacks, and other cybersecurity incidents. Employee awareness training (including phishing simulation exercises to train employees to recognize and report phishing attacks) and secure coding practices also fall under this component to ensure a culture of security throughout the Company.
•Detect - The Program focuses on the timely detection of any suspicious activities or security breaches. This involves implementing security monitoring systems, intrusion detection systems, and log analysis tools to continuously monitor network traffic, system logs, and user behavior. Real-time alerts and security incident management processes help in identifying potential security incidents promptly.
•Respond - If a security incident is detected, a response plan is triggered to minimize the impact and contain the threat. This component involves establishing an incident response team and defining incident response procedures. The team is trained to respond promptly, investigate the incident, mitigate the damage or harm, and restore normal operations. Communication plans, escalation protocols, legal considerations, regulatory requirements (including appropriate and timely reporting and disclosure of cybersecurity incidents to regulators and affected individuals), and coordination with external entities, like regulators, law enforcement, vendors and other key stakeholders, are also part of the response process.
•Recover - The final pillar of the Program focuses on recovering from a security incident and restoring normal operations. This includes activities such as system restoration, data recovery, and analyzing the incident to identify lessons learned and improve future incident response capabilities. It also involves assessing residual risks, updating security controls, and continuously monitoring and testing the Company's security posture to ensure readiness for potential future incidents.
Cybersecurity risk management under the Program is an integrated part of the Company’s overall management of operational risk, as described further below under “Cybersecurity Risk Management Governance.” The Company did not experience any material cybersecurity incidents during the period covered by this report. Nor did the Company identify any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. However, the Company recognizes that cybersecurity risks are constantly evolving, and the Company continuously monitors and adapts to these risks to protect its systems and data. It is possible that the Company will experience a material cybersecurity incident in the future. For more information on operational and cybersecurity risks, see “Item 1A. Risk Factors – Operational Risk” earlier in this report.
Vendor Risk Management
The Program seeks to ensure that each vendor (or third-party service provider) with whom the Company does business meets the Company’s standards for protecting and preserving the confidentiality, integrity, and continued availability of electronic information systems and data. The Company requires vendors to meet threshold requirements for cybersecurity controls, such as access controls, logging and monitoring, and encryption. The Company’s contracts with vendors require the implementation and maintenance of such controls, and obligate vendors to promptly report all cybersecurity incidents to the Company. Based on the overall risk level associated with a particular vendor, the Company’s contract with a service provider may require enhanced or heightened controls. The CISO’s Information Security Team performs risk-based initial and periodic due diligence of vendors, during which the Information Security Team evaluates, assesses, and otherwise reviews vendor cybersecurity controls. The results of such reviews are reported to the CISO. Any cybersecurity incidents involving vendors will be escalated and acted upon in accordance with the Program.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Cybersecurity risk management under the Program is an integrated part of the Company’s overall management of operational risk, as described further below under “Cybersecurity Risk Management Governance.”
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
The Board of Directors (the “Board”) is responsible for oversight of the Company’s management of operational risks, including cybersecurity threats. The Board receives a comprehensive report at least annually from the Chief Information Officer and the CISO. The comprehensive annual report covers matters related to the Program, such as enhancements, incident reporting, performance metrics, status reports, oversight of third-party service providers, and the results of Program reviews, including exercises and response readiness assessments led by external consultants. The report also includes information about significant and emerging cybersecurity threats that may affect the Company. In addition to a comprehensive annual cybersecurity report, the Board receives periodic interim reports from the Chief Information Officer and the CISO. To the extent cybersecurity controls are related to internal controls over financial reporting, such controls are also considered in the context of Management’s annual assessment of the effectiveness of internal controls over financial reporting.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The CISO is responsible for managing the Program.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The CISO is responsible for managing the Program. The CISO reports to the Company’s Chief Information Officer and regularly engages with the Chief Risk Officer on matters related to the Program. Cybersecurity risks are evaluated by Company management alongside and consistent with other operational risks, with the CISO and the Information Security Team providing subject matter expertise on the identification, assessment, and tracking of cybersecurity risks under the Program. In addition, the Company regularly engages external consultants in connection with evaluating and enhancing the Program and the Company’s overall management of cybersecurity threats. For example, the Company engages external consultants to assist the Company in identifying evolving technologies and threats, developing action plans, performing penetration tests, conducting exercises, and conducting periodic reviews.
|Cybersecurity Risk Role of Management [Text Block]
|
The CISO is responsible for managing the Program. The CISO reports to the Company’s Chief Information Officer and regularly engages with the Chief Risk Officer on matters related to the Program. Cybersecurity risks are evaluated by Company management alongside and consistent with other operational risks, with the CISO and the Information Security Team providing subject matter expertise on the identification, assessment, and tracking of cybersecurity risks under the Program. In addition, the Company regularly engages external consultants in connection with evaluating and enhancing the Program and the Company’s overall management of cybersecurity threats. For example, the Company engages external consultants to assist the Company in identifying evolving technologies and threats, developing action plans, performing penetration tests, conducting exercises, and conducting periodic reviews.
The CISO, supported by the Information Security Team, is responsible for implementing and managing the Program. The CISO has served in various roles in information technology and information security for over 25 years and has broad and extensive experience in multiple industries including financial services, healthcare, and higher education. The CISO holds a graduate degree in IT management and has attained the professional certifications of Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Boardroom Certified Qualified Technology Expert (QTE), and is a Distinguished Fellow with the Information Systems Security Association (ISSA).
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The CISO is responsible for managing the Program.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The CISO, supported by the Information Security Team, is responsible for implementing and managing the Program. The CISO has served in various roles in information technology and information security for over 25 years and has broad and extensive experience in multiple industries including financial services, healthcare, and higher education. The CISO holds a graduate degree in IT management and has attained the professional certifications of Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Boardroom Certified Qualified Technology Expert (QTE), and is a Distinguished Fellow with the Information Systems Security Association (ISSA).
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
The CISO is responsible for managing the Program. The CISO reports to the Company’s Chief Information Officer and regularly engages with the Chief Risk Officer on matters related to the Program. Cybersecurity risks are evaluated by Company management alongside and consistent with other operational risks, with the CISO and the Information Security Team providing subject matter expertise on the identification, assessment, and tracking of cybersecurity risks under the Program. In addition, the Company regularly engages external consultants in connection with evaluating and enhancing the Program and the Company’s overall management of cybersecurity threats. For example, the Company engages external consultants to assist the Company in identifying evolving technologies and threats, developing action plans, performing penetration tests, conducting exercises, and conducting periodic reviews.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true