| Cybersecurity Risk Management and Strategy Disclosure | 12 Months Ended: Dec. 31, 2025 |
|---|---|
| Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] | We maintain an Information Security Program for Corebridge (the “Program”) that includes, among other things, conducting periodic risk assessments designed to evaluate potential security threats, to detect potential vulnerabilities, and to mitigate identified security risks. The Program is informed by industry standards and frameworks and is designed to protect the confidentiality, integrity, and availability of Corebridge’s information assets and systems that store, process, or transmit material non-public information. The Program is managed day-to-day by technology, information security, and operational personnel. Where appropriate, we also engage third parties to provide operational support for the Program and to evaluate our Program and our cybersecurity risk management. The Program includes the following key elements: • Network, Systems, and Data Security – Corebridge deploys technical and organizational safeguards that are designed to protect Corebridge’s networks, systems, and data from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality, software security assessments, data leak protection, and access and identity management controls; • Threat and Vulnerability Management – Corebridge maintains a threat and vulnerability management program that leverages threat intelligence to proactively identify, assess, and address risks from cybersecurity threats and vulnerabilities in order to safeguard our information assets and ensure business continuity; • Cybersecurity Incident Monitoring and Response – Corebridge has established and maintains incident response plans that address Corebridge’s response to a cybersecurity incident, utilizing a cross-functional approach; • Third Party Assessment and Oversight – Corebridge maintains a third-party risk management program to identify and manage risks from third-party service providers, including initial due diligence, an assessment of the service provider’s control environment and periodic re-assessments; and • Security Training and Awareness – Corebridge provides ongoing education and training to employees regarding information security policies, procedures and best practices, including cyber threats, and their roles and responsibilities in identifying, reporting and responding to such threats. The Program is evaluated on an ongoing basis to address the evolving cyber threat landscape and to comply with applicable legal and regulatory obligations. See “Business—Regulation—U.S. Regulation—Privacy and Cybersecurity” and “Business—Regulation—International Regulation—Privacy and Cybersecurity” for further discussion. Control adequacy and design are reviewed periodically, and periodic audits assist in identifying areas for continued focus, improvement and/or inclusion, and are designed to provide assurance that controls are appropriately designed and operating effectively. Additionally, our Internal Audit group performs testing of Corebridge’s control environment, including the Program. Our Chief Information Security Officer (“CISO”) provides oversight and direction for the Program, including recommending adjustments in response to changes in technology, internal and external threats, business operations, and regulatory and statutory requirements. Our CISO also coordinates with other corporate functions and business segments to address various aspects of the Program managed by technology and operations personnel and communicates Corebridge’s information security risk posture to relevant personnel, senior management and governing bodies, including as further described below. |
| Cybersecurity Risk Management Processes Integrated [Flag] | true |
| Cybersecurity Risk Management Processes Integrated [Text Block] | We maintain an Information Security Program for Corebridge (the “Program”) that includes, among other things, conducting periodic risk assessments designed to evaluate potential security threats, to detect potential vulnerabilities, and to mitigate identified security risks. The Program is informed by industry standards and frameworks and is designed to protect the confidentiality, integrity, and availability of Corebridge’s information assets and systems that store, process, or transmit material non-public information. The Program is managed day-to-day by technology, information security, and operational personnel. Where appropriate, we also engage third parties to provide operational support for the Program and to evaluate our Program and our cybersecurity risk management. |
| Cybersecurity Risk Management Third Party Engaged [Flag] | true |
| Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
| Cybersecurity Risk Board of Directors Oversight [Text Block] | We have implemented processes to help facilitate oversight of information security risks by Corebridge’s senior management and Board of Directors. These processes enable our operations and risk management functions that monitor cybersecurity risks and examine control performance to report and escalate cybersecurity risks to our senior management and the Board of Directors, as appropriate. |
| Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | One of the main forums for reporting and escalating cybersecurity risks is the Corebridge Enterprise Risk Committee (“CERC”), which is comprised of senior management personnel and led by our Chief Risk Officer (“CRO”), who is the head of our ERM function. ERM supports the identification, measurement, management, monitoring and reporting of major risks, which include cybersecurity risks. The CERC is responsible for addressing significant reported risks and issues, including those related to cybersecurity, to protect Corebridge’s financial strength, optimize Corebridge’s intrinsic value, and protect Corebridge’s reputation. The Risk Committee of the Board of Directors (the “Risk Committee”) oversees Corebridge’s enterprise risk management framework and the policies and procedures established by management to identify, assess, measure and manage key risks facing Corebridge, including those related to cybersecurity, and the Risk Committee reports regularly to the Board. Corebridge’s CRO reports to the Risk Committee on risk issues, including cybersecurity risks, during quarterly meetings of the Risk Committee. In addition, Corebridge’s Chief Information Officer (“CIO”) and CISO provide updates to the Risk Committee regarding Corebridge’s management of information, technology, enterprise resiliency and cybersecurity risks at least once a year. The CIO, Chief Operations Officer, CISO and business segment specific CIOs and CISOs also report to Corebridge’s subsidiary boards and the CERC as needed on material cybersecurity risks and Corebridge’s security and resiliency posture and information security strategy. Corebridge’s cybersecurity and resiliency incident response plans and procedures establish response and escalation protocols in connection with a potential cybersecurity incident, pursuant to which incidents are responded to by multidisciplinary teams and are further escalated to the attention of senior management and our Board of Directors when applicable. |
| Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | The Risk Committee of the Board of Directors (the “Risk Committee”) oversees Corebridge’s enterprise risk management framework and the policies and procedures established by management to identify, assess, measure and manage key risks facing Corebridge, including those related to cybersecurity, and the Risk Committee reports regularly to the Board. Corebridge’s CRO reports to the Risk Committee on risk issues, including cybersecurity risks, during quarterly meetings of the Risk Committee. In addition, Corebridge’s Chief Information Officer (“CIO”) and CISO provide updates to the Risk Committee regarding Corebridge’s management of information, technology, enterprise resiliency and cybersecurity risks at least once a year. |
| Cybersecurity Risk Role of Management [Text Block] | One of the main forums for reporting and escalating cybersecurity risks is the Corebridge Enterprise Risk Committee (“CERC”), which is comprised of senior management personnel and led by our Chief Risk Officer (“CRO”), who is the head of our ERM function. ERM supports the identification, measurement, management, monitoring and reporting of major risks, which include cybersecurity risks. The CERC is responsible for addressing significant reported risks and issues, including those related to cybersecurity, to protect Corebridge’s financial strength, optimize Corebridge’s intrinsic value, and protect Corebridge’s reputation. The Risk Committee of the Board of Directors (the “Risk Committee”) oversees Corebridge’s enterprise risk management framework and the policies and procedures established by management to identify, assess, measure and manage key risks facing Corebridge, including those related to cybersecurity, and the Risk Committee reports regularly to the Board. Corebridge’s CRO reports to the Risk Committee on risk issues, including cybersecurity risks, during quarterly meetings of the Risk Committee. In addition, Corebridge’s Chief Information Officer (“CIO”) and CISO provide updates to the Risk Committee regarding Corebridge’s management of information, technology, enterprise resiliency and cybersecurity risks at least once a year. The CIO, Chief Operations Officer, CISO and business segment specific CIOs and CISOs also report to Corebridge’s subsidiary boards and the CERC as needed on material cybersecurity risks and Corebridge’s security and resiliency posture and information security strategy. Corebridge’s cybersecurity and resiliency incident response plans and procedures establish response and escalation protocols in connection with a potential cybersecurity incident, pursuant to which incidents are responded to by multidisciplinary teams and are further escalated to the attention of senior management and our Board of Directors when applicable. Corebridge’s CISO reports to our CIO. |
| Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
| Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | One of the main forums for reporting and escalating cybersecurity risks is the Corebridge Enterprise Risk Committee (“CERC”), which is comprised of senior management personnel and led by our Chief Risk Officer (“CRO”), who is the head of our ERM function. ERM supports the identification, measurement, management, monitoring and reporting of major risks, which include cybersecurity risks. The CERC is responsible for addressing significant reported risks and issues, including those related to cybersecurity, to protect Corebridge’s financial strength, optimize Corebridge’s intrinsic value, and protect Corebridge’s reputation. The Risk Committee of the Board of Directors (the “Risk Committee”) oversees Corebridge’s enterprise risk management framework and the policies and procedures established by management to identify, assess, measure and manage key risks facing Corebridge, including those related to cybersecurity, and the Risk Committee reports regularly to the Board. Corebridge’s CRO reports to the Risk Committee on risk issues, including cybersecurity risks, during quarterly meetings of the Risk Committee. In addition, Corebridge’s Chief Information Officer (“CIO”) and CISO provide updates to the Risk Committee regarding Corebridge’s management of information, technology, enterprise resiliency and cybersecurity risks at least once a year. The CIO, Chief Operations Officer, CISO and business segment specific CIOs and CISOs also report to Corebridge’s subsidiary boards and the CERC as needed on material cybersecurity risks and Corebridge’s security and resiliency posture and information security strategy. Corebridge’s cybersecurity and resiliency incident response plans and procedures establish response and escalation protocols in connection with a potential cybersecurity incident, pursuant to which incidents are responded to by multidisciplinary teams and are further escalated to the attention of senior management and our Board of Directors when applicable. |
| Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | Our CISO has over 25 years of information security and risk management experience and has served in his current role since joining Corebridge in 2021. He previously served in numerous information security management roles, including as CISO, at various financial sector organizations. Our CIO also has over 25 years of experience and has served as CIO of Corebridge since 2020 and Executive Vice President since February 2022. Prior to joining Corebridge he served in various technology executive management roles at a peer U.S. insurance company, including Senior Vice President and Chief Information Officer for its U.S. business and Senior Vice President of U.S. Application Development. Corebridge’s cybersecurity personnel maintain current knowledge through training programs, professional certifications, and participation in industry and advisory groups. Company cybersecurity personnel expand and test their knowledge of cyber threats and countermeasures through additional on-the-job training to practice their response to real-life threats. In addition, and as part of performance development, certain of our cybersecurity personnel obtain industry approved certifications as appropriate for their roles and responsibilities. Examples of certifications held by the Company’s cybersecurity personnel include CISSP (“Certified Information Systems Security Professional”) and CISM (“Certified Information Security Manager”). |
| Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | Corebridge’s CRO reports to the Risk Committee on risk issues, including cybersecurity risks, during quarterly meetings of the Risk Committee. In addition, Corebridge’s Chief Information Officer (“CIO”) and CISO provide updates to the Risk Committee regarding Corebridge’s management of information, technology, enterprise resiliency and cybersecurity risks at least once a year. The CIO, Chief Operations Officer, CISO and business segment specific CIOs and CISOs also report to Corebridge’s subsidiary boards and the CERC as needed on material cybersecurity risks and Corebridge’s security and resiliency posture and information security strategy. Corebridge’s cybersecurity and resiliency incident response plans and procedures establish response and escalation protocols in connection with a potential cybersecurity incident, pursuant to which incidents are responded to by multidisciplinary teams and are further escalated to the attention of senior management and our Board of Directors when applicable. |
| Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |