Cybersecurity Program Overview

Voya’s comprehensive Cybersecurity Program is designed to safeguard the personal wealth, health and investment information that clients and customers entrust to us across all of our enterprise businesses. Through a layered, strategic approach, Voya focuses on protecting critical data, maintaining business continuity, addressing potential vulnerabilities, ensuring regulatory compliance and continuously adapting to an evolving threat landscape. Voya incorporates industry-leading standards, frameworks and best practices to provide a holistic security solution. Cybersecurity is “built in” to all of our business practices and products and represents a considerable portion of the corporation’s information technology budget.

Key components:

Governance and Executive Oversight

Strong governance is essential to effective cybersecurity. Our program includes active executive oversight of cybersecurity initiatives so that they align with business objectives. Our chief information security officer (CISO), who reports to our chief technology and operations officer (CTOO), regularly updates senior leadership on risk assessments, security posture and key metrics. This proactive involvement makes cybersecurity a strategic priority at every level of the organization.

Risk management and compliance

Voya integrates NIST SP 800-53 controls to strengthen its cybersecurity standards. Additionally, Voya follows the Department of Labor’s (DOL) cybersecurity best practices by obtaining SOC 1 and SOC 2 Type II reports, in which an independent auditor attests that our internal controls, processes and systems have been evaluated for both security and operational effectiveness over the reporting period. Voya has also completed a rigorous ISO 27001:2022 review of our controls. Our program further integrates elements of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and Control Objectives for Information and Related Technologies (COBIT) frameworks to help ensure that technology supports enterprise risk management efforts. Our comprehensive compliance framework provides assurance to participants, clients and regulators.

Vulnerability management

Voya employs an automated patch management system to promptly identify and patch critical software and hardware vulnerabilities. Penetration testing, performed both by internal teams and by external third parties, is a cornerstone of our proactive security measures: it identifies vulnerabilities so that they can be remediated before they are exploited. We complement this with monthly internal vulnerability scans and with tabletop exercises that simulate both offensive and defensive security scenarios.

Secure Software Development Lifecycle

Security is embedded throughout the Software Development Lifecycle (SDLC). Voya’s applications and systems undergo rigorous security assessments during development. The process includes code reviews, static and dynamic analysis, and secure coding practices. Because security is built into every phase of the software lifecycle, the risk of vulnerabilities reaching production is reduced.

Data protection and encryption

Voya’s mature cybersecurity program employs encryption of sensitive data both at rest and in transit, together with data masking techniques, to protect that data wherever it is stored or transmitted. We also implement access controls and the principle of least privilege, so that only authorized personnel can access critical systems and data, minimizing the attack surface and the potential for unauthorized access.

Incident response and legal oversight

In the event of a security incident, our incident response framework provides a quick and coordinated response to mitigate damage. We work closely with Voya’s legal department, including Voya’s chief privacy officer, to advise on relevant regulations, data breach notification requirements and other legal considerations.

Employee training and awareness

A secure environment begins with an informed workforce. Our employee training programs raise awareness of critical issues such as phishing, social engineering, incident reporting, password security and safe computing practices. Employees are trained regularly so that they remain vigilant and understand how their actions affect the overall security of the organization.

Third-party and supply chain

One of the critical functions within information security is our team dedicated to evaluating, assessing and addressing third-party risk. Using a risk-based approach, the team’s goal is to protect sensitive information and to secure the operations and systems that are supported by vendors and service providers. This team conducts due diligence on third-party vendors and service providers, including evaluating their information security controls and related measures, to identify potential risks and implement appropriate controls.

Business continuity and disaster recovery

In addition to incident response, we maintain strong business continuity and disaster recovery plans that enable Voya to recover quickly from a disruption. Our plans include regular testing to validate that systems and data can be restored in the event of a cyber incident.

Continuous improvement and adaptation

Cybersecurity is a dynamic field, and our program is correspondingly dynamic, risk-driven and embedded in the Voya culture, continuously evolving through monitoring, feedback and adaptation to emerging threats and technologies and to the evolving regulatory landscape. Voya’s cybersecurity program is a critical part of the overall mission to keep Voya’s enterprise information secure. Other entities within the corporation play a critical role in this endeavor: our Compliance, Human Resources, Internal Audit, Legal, Privacy and Enterprise Risk Management teams are essential in making information security our priority.

Products and services offered through the Voya® family of companies.

CN4927144 _1026