AIG recognizes the importance of information security and privacy for our business. As our world becomes increasingly connected and globalized, our customers expect and deserve an experience and environment that values security and privacy.
AIG’s cross-functional cybersecurity and privacy teams work diligently to process and safeguard company and customer data appropriately. AIG maintains a suite of information security, privacy and data protection-related policies, standards, procedures and guidelines. These are informed by widely accepted industry frameworks such as National Institute of Standards and Technology Cybersecurity Framework, the International Organization for Standardization 27002 standard and the Cyber Risk Institute Profile. Our policies and procedures are reasonably designed to comply with all applicable laws, regulatory guidance and widely adopted industry best practices.
AIG’s Information Security Office prepares for and responds to cybersecurity threats by implementing a strategy that is designed to protect and preserve the confidentiality, integrity and availability of all information owned by, or in the care of, the company. This includes our Identity and Access Management program, which uses multi-factor authentication to provide an additional layer of defense against unauthorized access to our systems. AIG also maintains cyber and privacy incident response plans that outline the appropriate processes and procedures for incident management, including minimizing the impact of incidents, investigations and remediation. We also comply with applicable legal requirements, including timely and accurate reporting of any required cybersecurity or privacy incident, and conduct global cyber-incident response practice exercises to maintain our preparedness.
AIG continues to advance our cyber intelligence and analytic capabilities by proactively searching for and identifying evidence of malicious attacks while testing our cybersecurity defenses. In doing so, we are able to analyze how we should enhance our security program and reduce our attack surface. These efforts include comprehensive risk assessments, external security audits and program enhancements such as the launch of a Responsible Disclosure Program.
AIG’s cybersecurity efforts are not confined to our cybersecurity and privacy teams, although employees in those functions do receive role-specific cybersecurity and privacy training. We require all AIG employees to complete mandatory cybersecurity awareness and information handling and privacy training at the time of onboarding and on an annual basis. Non-employee workers with access to AIG systems must also complete compliance training that includes information handling and privacy training. This training must be completed at the beginning of their engagement, with follow-up training every 18 months. We regularly test our personnel using various techniques, such as simulated phishing campaigns, to validate the efficacy of our cybersecurity training.
AIG has several channels that provide information about our privacy practices and the individual rights of our customers and other relevant parties, as applicable. Privacy notices are provided to customers pursuant to various country and state laws, and our online privacy statements explain how we generally collect, use, share and safeguard personal information.
AIG’s Board of Directors is regularly briefed by management on AIG’s cybersecurity matters, including threats, policies, practices and ongoing efforts to improve security. These regular briefings include updates on matters such as the results of incident response readiness and maturity capability assessments that are periodically led by third parties who provide an independent assessment of our technical program and internal response preparedness.
For more than 20 years, AIG has helped our clients protect their data, networks and IT systems. Society’s increasing reliance on technology has underscored just how important this support can be, and future events like the spread of 5th generation wireless and virtual reality technologies will only increase the need for our clients to protect themselves against emerging cyber risks.
As a provider of cyber insurance, one of our important roles is to help companies better manage cyber risk at the onset and guide them on how to strengthen their controls to mitigate or avoid significant loss in the future. The cyber insurance we offer provides our clients with financial protection by means of risk transfer and supports our customers through the post-incident response.
AIG collaborates with our stakeholders, including customers, claims professionals, cyber risk advisory teams and leading cybersecurity experts, to understand the cyber threat landscape and root causes of reported events. We integrate these findings into the underwriting process and share this knowledge with cyber insurance customers and applicants.
We assess loss potential from “affirmative” cyber coverage by performing rigorous portfolio aggregation analysis using a proprietary QlikView-based “Cyber Portfolio App” and a proprietary stochastic scenario model. Should an incident occur, the AIG Claims team is on call and ready to respond. Our Claims staff is proud to have helped thousands of companies recover operations after damaging cyber security events such as data breaches, ransomware attacks and system outages.
AIG also enhances cyber insurance underwriting by acquiring externally observable data about an organization’s digital footprint from third parties. This data assists us in identifying precursor malware events or software vulnerabilities that may be exploited by criminal actors designed to cause substantial loss to victim companies.
We continue to lead the industry in addressing coverage challenges and critical risks, from increasing contract clarity through affirmative cyber coverage to advising clients on a constantly changing threat environment.
To individually evaluate potential cyber risks clients may face, AIG introduced a ransomware risk assessment that allows us to better ascertain a current or potential client’s specific cybersecurity controls. These assessment results combined with our advanced analytics and leading claims experience helps us identify critical vulnerabilities and exposures and provide our clients with unique solutions that can improve their ransomware risk management programs and inform their cybersecurity investments.