Symetra Financial Corp - Business Continuity / IT Resilience / Disaster Recovery Statement
Symetra Financial Corp (Symetra) is committed to reducing the risks and impacts engendered by a potential disruption through the continuing support of our Business Continuity Management (BCM) program.
Symetra has developed a Business Continuity Management (BCM) program that encompasses four major components: Crisis and Incident Management, Emergency Preparedness and Response, Business Continuity Planning and IT Resilience (Disaster Recovery). Each of these components consists of dedicated plans, procedures, and communication paths.
The Symetra Business Continuity and IT Resilience plans were developed, and maintained, with senior management oversight and approval for the methodology, processes and procedures necessary to protect our employees, to continue or resume business during a major event, and to restore access to information and services for our customers and producers. The plans were developed using the guidelines for best practices from respected sources such as the Disaster Recovery Institute International (DRII), OSHA, FEMA and other recognized organizations for business continuity and disaster recovery. Senior management formally reviews and approves the Symetra plans on an annual basis.
BCM Program Overview:
Crisis and Incident Management
The Crisis Management Team (CMT) acts as the central communication and decision-making hub for the organization in the event of a major disaster that impacts business operations. The CMT is responsible for providing Symetra leadership during a disaster or major incident, and is comprised of executive management and business leaders from across the organization. The team provides strategy and resources as required to recover critical business processes or IT systems in a timely and efficient manner.
Emergency Preparedness and Response
Symetra understands the importance of sustainability and strives to make conscious business decisions that protect the health, safety and well-being of our employees, contractors, visitors, customers, partners and those in the communities in which we operate.
Our Emergency Response Plans integrate into our overall BCM program and address life safety issues such as medical emergencies, shelter in place, and emergency evacuations.
In the event of a building emergency, Symetra Corporate Operations works in conjunction with our Property Management Company resources and Symetra CMT to mitigate issues within the workplace environment.
- Life safety processes and procedures exist to protect employees and guests located at our facility during a disaster;
- In alignment with local building code and property management requirements, Symetra sites may perform evacuation drills.
Business Continuity Planning
Symetra’s Business Continuity Planning focuses on plans for each business unit. The Business Continuity Plans cover emergency response, notification, and work-around procedures for the loss of internal or external dependencies to critical business processes. Business Continuity Plans are exercised through a variety of scenarios on an annual basis.
Business processes are ranked by priority. All business units are required to annually participate in a Business Impact Analysis (BIA) to determine and identify the risks and impacts of an outage or interruption of a business process to the company as a whole. The BIA interview approach results in the evaluation of objective criteria based on a standardized set of questions. This is the method used to determine the Recovery Time Objective (RTO) of each business process and internal / external dependencies.
Symetra hosts a workplace environment that offers flexibility to employees working in and out of the office by providing laptops, VPN access and wireless network capabilities.
The Symetra Business Continuity plans are derived from the results of a risk-based analysis, strategies, and mitigations, and contain the following key components:
- Predetermined processes for escalation and activation for any and all parts of the plan by the event response team which consists of management with defined levels of responsibility to act on behalf of Symetra;
- Internal and external communication processes and procedures for customers, producers, and employees regardless of their physical location within the United States;
- Critical and/or time sensitive business functions are identified in the plan along with the resources that those functions require to be successfully recovered;
- Processes and procedures developed specifically for response to a Pandemic Flu based event;
- Flexible workplace environment for staff and operations usage along with full system backup and recovery to maintain customer services; and
- Testing of the business continuity plans is conducted on an annual schedule using multiple environments (i.e., scenario-based, alternate locations).
3rd Party Vendor Continuity Monitoring
In alignment with regulatory influences, Symetra vendor management teams have established monitoring of critical 3rd party service providers to assess Business Continuity and IT Disaster Recovery program levels.
Symetra’s IT resiliency utilizes a variety of solutions to provide availability and recoverability of our systems and data that align to business criticality. These solutions protect the business and are designed to reduce the impact of a disruption to our customers and partners, while protecting reputation and sustainability. The IT recovery plan specifies the resources and activities required to re-establish information technology services (including components such as data centers, networks, servers, applications and data) at an alternate site following a disruption. The level of resiliency is defined through business-driven risk decisions intended to align with the organizational risk appetite. In the event of a catastrophic outage at our primary data center, Symetra would activate its secondary (recovery) site. Both the primary and secondary data centers reside in enterprise-class data centers in the Midwest and eastern United States.
Both Data Centers used by Symetra’s production environments are in hardened facilities that meet or exceed industry standard protective measures for power, cooling, physical security, cyber-security, interconnectivity, and natural or man-made hazard mitigation.
- IT Recovery planning is performed at multiple levels, from site-level recovery plans that include the infrastructure for network, access management and security, to application-level plans with procedures to recover the application, validate functionality and synchronize the data.
- Data protection backups are performed on a routine schedule that aligns to the Recovery Point Objective. In alignment with best practice, multiple copies of the backups are stored in different secured locations for local restore or disaster recovery. Backup processes have security protocols to protect customer information during creation, transport and storage.
- IT Recovery exercises are performed annually in accordance with the policy. Exercises are designed to validate the recovery procedures and capability to meet the Recovery Time Objective and Recovery Point Objectives. Gaps identified in the exercise are tracked through to adjustment of the plan document or operational changes to address the item.
Confidentiality of BCM program materials
Due to the confidentiality of the information contained within our Plans (Crisis and Incident Management, Emergency Preparedness and Response, Business Continuity and IT Resilience), it is our policy not to share copies with outside parties.
For additional information on Symetra’s Business Continuity Management (BCM) Program, email us.
Rev. November 27, 2019