New York Life Cybersecurity and Information Security Program.


New York Life is committed to keeping data secure.

New York Life is entrusted with the personal information of a variety of stakeholders, including our customers, agents and employees. We have great respect for the trust placed in us and make every effort to safeguard the privacy of this information. As an insurance company, we are highly regulated and adhere to relevant laws and regulations as part of our program.

New York Life enhances its Cybersecurity and Information Security program on an ongoing basis. Assessments that take into account advances in technology, emerging threats, our overall strategic direction, and other factors are regularly performed to determine the appropriate level of security controls. Audits of Information Security controls are included in the annual plan of New York Life’s internal audit department.

New York Life’s Information Security department reports to New York Life’s Chief Risk Officer and is headed by a Chief Information Security Officer. We have a risk governance structure in place to ensure effective management and oversight of risks and a clear path for escalation.

We have implemented a multi-layered security model that is aligned with internationally recognized industry standards for security, including ISO 27002, NIST-CSF, and COBIT, and that provides a consistent way to manage capabilities, activities and risks.

New York Life has established written policies and standards that govern our Information Security Program. The Program’s goals are to maintain the confidentiality, integrity and availability of our information assets. These policies and standards are guided by security requirements specific to the operating environment, relevant laws and regulations, and information security leading practices.

Core to our security program is our defense-in-depth model, composed of multiple layers of processes and technologies that help prevent, detect and respond to threats. At the outer layers of this model, preventative technologies such as malicious email blocking and secure network entry points are used to deflect cyber-threats before they become incidents. Event monitoring technologies run 24 hours a day, seven days a week, 365 days a year to detect and respond to potential intrusion attempts and generate alerts that are managed in accordance with established response protocols.

New York Life has relationships with law enforcement and other global leaders in the cybersecurity community. These relationships, in addition to daily security intelligence feeds from multiple sources, help provide us with notice of emerging threats, attacks and vulnerability trends to better ensure the protection of our systems.

Ongoing security training and awareness programs are directed by the Chief Information Security Officer to inform personnel how to stay alert to and protect against potential security breaches and unauthorized disclosures.

Even with these controls and safeguards in place, we understand that the fluid nature of the cybersecurity environment requires us to constantly evaluate and improve these defenses. Consequently, we continually review and, when we determine necessary, enhance our controls, processes and tools.

While no method of security can fully ensure protection against all threats, New York Life has designed and implemented a robust cybersecurity program focused on protecting our systems and the clients and customers whose data they house.