Symetra Financial Corporation - Business Continuity and Technology Resilience Statement
Symetra Financial Corporation and its subsidiaries (Symetra) are committed to reducing the risks and impacts engendered by a potential disruption through the continuing support of our Business Continuity Management (BCM) program.
Symetra has developed a Business Continuity Management (BCM) program that encompasses four major components: Crisis and Incident Management, Emergency Preparedness and Response, Business Continuity Planning and IT Resilience (Disaster Recovery). Each of these components consists of dedicated plans, procedures, and communication paths.
BCM Program Overview:
Program Governance and Oversight
The Symetra Business Continuity and Technology Resilience policy and plans were developed, and are maintained, with senior management oversight and approval for the methodology, processes, and procedures necessary to protect our employees, to continue or resume business during a major event, and to restore access to information and services for our customers and producers. The plans were developed using the guidelines for best practices from respected sources such as the Disaster Recovery Institute International (DRII), the Occupational Safety and Health Administration (OSHA), Federal Emergency Management Agency (FEMA) and other recognized organizations for business continuity and disaster recovery. Senior management formally reviews and approves the Symetra policy and plans annually.
Crisis and Incident Management
The Crisis Management Team (CMT) acts as the central communication and decision-making hub for the organization in the event of a major disaster that impacts business operations. The CMT is comprised of executive management and business leaders from across the organization, and provides strategy and resources as required to ensure the safety and security of our employees, contractors, visitors, customers and partners, to recover critical business processes or IT systems in a timely and efficient manner during a disaster or major incident, and to maintain communication with our stakeholders. The Crisis Management Team Plan is reviewed and exercised through variety of scenarios on an annual basis.
Emergency Preparedness and Response
Symetra understands the importance of sustainability and strives to make conscience business decisions that protect the health, safety and well-being of our employees, contractors, visitors, customers, partners and those in the communities in which we operate.
Our Emergency Response Plans integrate into our overall BCM program and address life safety issues such as medical emergencies, shelter in place, and emergency evacuations.
In the event of a building emergency, Symetra Workplace Services works in conjunction with Property Management resources and Symetra CMT to mitigate issues within the workplace environment. Life safety processes and procedures exist to protect employees and guests located at our facility during an emergency. In alignment with local building code and property management requirements, Symetra sites may perform evacuation drills.
Business Continuity Planning
Symetra’s Business Continuity Planning focuses on plans for each business unit. The Business Continuity Plans cover emergency response, notification, and work-around procedures for the loss of internal or external dependencies to critical business processes. Business Continuity Plans are exercised through a variety of scenarios on an annual basis. The exercise scope, objective, and approach are designed with guidance from senior management.
Business processes are ranked by recovery priority. Business units are required to participate in a Business Impact Analysis (BIA) to determine and identify the impacts of an outage or interruption of a business process to the company. The BIA methodology is used to determine the Recovery Time Objective (RTO) of each business process and the required operational dependencies. The BIAs and the Business Continuity Plans are reviewed and approved by management annually to ensure that they account for changes to the operations, technology, structure, location, and strategies.
The Symetra Business Continuity plans are derived from the results of a risk-based analysis, strategies, and mitigations and contain the following key components:
- Predetermined processes for escalation and activation for any and all parts of the plan by the event response team which consists of management with defined levels of responsibility to act on behalf of Symetra;
- Internal and external communication processes and procedures for customers, producers, other external parties, and employees regardless of their physical location within the United States;
- Critical and/or time sensitive business functions are identified in the plan along with the resources that those functions require to be successfully recovered;
- Recovery strategies to continue business processes following disruption to the availability of office, personnel, technology, and vendor;
Symetra hosts a workplace environment that offers flexibility to employees working in and out of the office by providing laptops, VPN (virtual private networks) access and wireless network capabilities. To prepare for disruptions, Symetra maintains layers of redundancy in critical roles including geographically dispersed employees, multiple personnel that can perform critical functions, and offices in several cities across the United States.
Third-Party Vendor Continuity Monitoring
In alignment with regulatory influences, Symetra vendor management teams have established monitoring of critical third-party service providers to assess Business Continuity and Information Technology Recovery program levels.
Pandemic Response and Continuity
Symetra has a Pandemic Response and Continuity plan developed based on the ongoing response to the global pandemic. This plan is based on World Health Organization (WHO), US Centers for Disease Control (CDC) and regulatory influences to guide Symetra’s response activities and provide continued operation of services through the pandemic.
Symetra’s IT resiliency utilizes a variety of solutions to provide availability and recoverability of our systems and data that align to business criticality. These solutions protect the business and are designed to reduce the impact of a disruption to our customers and partners, while protecting reputation and sustainability. The IT recovery plan specifies the resources and activities required to re-establish information technology services (including components such as data centers, networks, servers, applications, and data) at an alternate site following a disruption. The level of resiliency is defined through business-driven risk decisions intended to align with the organizational risk appetite. In the event of a catastrophic outage at our data center, Symetra would activate its secondary (recovery) site. Our cloud-based systems are designed and backed up utilizing native cloud-based resilience and multiple backup instances. Symetra utilizes enterprise class data centers in the United States.
Data Centers used by Symetra’s production environments are in hardened facilities that meet or exceed industry standard protective measures for power, cooling, physical security, cyber-security, interconnectivity, and natural or man-made hazard mitigation.
- IT Recovery planning is performed at multiple levels from site level recovery plan including the infrastructure for network, access management and security to Application-level plans with procedures to recover the application, validate functionality and synchronize the data.
- Data protection backups are performed on a routine schedule that aligns to the Recovery Point Objective (RPO). In alignment with best practice, multiple copies of the backups are stored in different secured locations for local restoration or disaster recovery. Backup processes have security protocols to protect customer information during creation, transport, and storage.
- IT Recovery exercises are performed annually in accordance with the policy. Exercises are designed to validate the recovery procedures and capability to meet the Recovery Time Objective and Recovery Point Objectives. Gaps identified in the exercise are tracked through to closure, such as adjustment of the plan document or operational changes to address the item.
After a significant business disruption, if you are not able to reach us at 1-800-796-3872 (1-800-SYMETRA), please visit our website at www.symetra.com for updates and/or to contact us.
Confidentiality of BCM program materials
Due to the confidentiality of the information contained within our Plans (Crisis and Incident Management, Emergency Preparedness and Response, Business Continuity and IT Resilience, Pandemic Response and Continuity), it is our policy not to share copies to outside parties. However, we would be happy to respond to specific inquiries you may have or host a visit to our corporate headquarters in Bellevue, Washington, to discuss.
For additional information on Symetra’s Business Continuity Management (BCM) Program please Email Us.
Rev. February 24, 2023
Document available for current or prospective clients and partners.
Symetra® is a registered service mark of Symetra Life Insurance Company.