MetLife cyber leader shares how they’re tackling data sprawl, AI risk, and vendor security
Matthew Duckworth, Director of IT Risk and Security, Asia Operations at MetLife Insurance, shares in a Security Edge interview how the insurer is consolidating tools, boosting resilience, and adopting AI responsibly.
In this interview, Matthew Duckworth discusses the organisation’s cyber security evolution since 2021.
He outlines a multi-year strategy underpinned by global investment and a focus on maturing cyber resilience.
Over the past three years, MetLife has consolidated tools and strengthened defences, and it is now targeting a cyber maturity level beyond Level 4.
Its current strategy centres on real-time threat detection, implementing zero trust principles, and exploring AI use cases with care and clarity.
Matt notes that perfection in cyber security is unrealistic, but using existing tools more proactively and effectively is now the key objective.
One major challenge he highlights is the complexity introduced by legacy systems and the proliferation of point-to-point solutions.
Despite strong resourcing, the organisation still faces visibility gaps due to siloed data and dispersed tools.
A core initiative is consolidating the security stack to achieve a unified view—a “single pane of glass”—that improves monitoring, oversight and patching efficiency.
A growing concern is access control and data classification, especially as AI tools like Microsoft Copilot are rolled out. Matt stresses the role of e-discovery and classification protocols in preventing unauthorised access to sensitive files, particularly financial data, across platforms like OneDrive and SharePoint.
On the AI front, MetLife is adopting Microsoft AI capabilities internally to boost productivity by automating approvals, summarising meetings, and supporting help desk operations.
While customer-facing AI is still in early stages, Matt sees strong potential in use cases like real-time sentiment detection in call centres.
He emphasises that trust, transparency, and human oversight are essential, especially in high-impact decision-making processes such as claims assessments.
On third-party and SaaS risk, MetLife mandates annual assessments for all vendors, including penetration testing and strategic reviews.
These are bolstered by continuous monitoring using tools such as BitSight and SecurityScorecard, with any drop below internal thresholds prompting further investigation.
Key takeaways:
- Strategic cyber maturity: Since 2021, MetLife has significantly advanced its cyber security maturity, aiming beyond Level 4 by adopting real-time detection, zero trust, and AI integration.
- Visibility through consolidation: The organisation is unifying its security stack to reduce complexity and improve oversight—particularly around access control and data classification on platforms like SharePoint and OneDrive.
- Measured AI adoption with vendor scrutiny: Internal AI use is expanding (e.g. Copilot, help desk automation), while the approach to customer-facing AI remains cautious. Third-party and SaaS risks are tightly managed via annual assessments and continuous risk monitoring.