Strengthening privacy and data security

New cyber threats continue to emerge, and we navigate the ever-changing landscape of data protection to maintain our organizational resilience. We recognize our obligation to uphold Client and employee privacy, and to be transparent and accountable. We must work together to identify and prevent threats before they cause harm, and to continually evolve our practices.

Our approach

Our approach to data privacy and security is comprehensive and proactive. Prioritizing Client privacy and data security builds trust and allows Clients to confidently use our digital health and financial products and services when and where they need them.

Each year, employees complete a mandatory information security and privacy training course to help them understand their responsibilities, relevant rules and how to protect Client data and confidentiality.

We also provide extra guidance and awareness-building programs to help employees deepen their knowledge. For example, our security team runs interactive phishing simulations, modelled on real-world attacks, that teach employees to recognize and avoid phishing attempts.

Cybersecurity is a growing concern for the public and a top priority for Sun Life. Organizations around the world face increasing attacks by sophisticated hacking groups.

Our Chief Information Security Officer (CISO) is accountable for global oversight of the implementation of Sun Life’s information security program and the Security Risk Policy. The CISO leads a global team of over 200 highly qualified security professionals. Their global mandate includes the development, execution and operational management of Sun Life’s security strategy, risk assessments, security controls, monitoring, incident response and compliance. The CISO also chairs the global crisis management team and is responsible for reporting on technology risk.

We continue to evolve our cyber defences to be effective against emerging threats.

For example: 

  • Defence best practices: We align our security program to leading frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which outlines best practices for managing and reducing cybersecurity risk.
  • Multiple control layers: We follow the three-lines-of-defence model to manage security risks (refer to Risk and resilience). We apply a “defence-in-depth” strategy, using multiple independent control layers to protect all data so that no single control failure exposes it. These controls range from web firewalls, anti-malware software and encryption to intrusion monitoring and email threat protection.
  • Security audits and testing: We regularly audit, scan and test Sun Life’s systems and practices involving Client data. Our security team assesses how effective our controls are and drives improvements. We use security solutions that incorporate artificial intelligence and machine learning to help our security analysts assess threats and respond to cyberattacks. Every quarter, we report on cyber risk and cybersecurity to the Risk Committee of the Board of Directors.
  • Cyber intelligence: We use cyber intelligence services to help us identify, assess and update our defences against the latest cyber threats.

Our reputation depends on how responsibly we handle the personal and sensitive data entrusted to us. Delivering on this duty involves upholding strong privacy practices, protecting data throughout its lifecycle, and maintaining transparency and trust with those whose information we steward:

  • Commitment to standards: Our global privacy program is part of Sun Life’s Risk Management Framework across the company. The program includes robust processes and standards including our Global Privacy Statement. It explains how we collect and use the personal information of Clients, and other individuals who interact with us, in a lawful and respectful manner. Local privacy policies and statements provide further details on any individual rights related to accessing, correcting, deleting, obtaining a copy of or transferring their personal information.
  • Oversight and reporting: The Chief Privacy and Data Ethics Officer oversees the global privacy program and sets direction for privacy compliance and responsible data use across the enterprise. Over 30 Privacy Officers across the enterprise help our businesses make privacy-related decisions. Our internal audit and compliance testing programs include privacy risk components. Every quarter, we report any significant privacy matters to Senior Management and the Governance Committee of the Board.
  • Privacy by design: We use privacy-by-design principles in product and process development. We conduct Privacy Impact Assessments across Sun Life for new initiatives or material changes to existing processes that involve personal information. These assessments are a strong risk management practice for identifying and mitigating privacy risks. We also include appropriate privacy and security clauses in contracts with third parties that handle personal information for us.

Sun Life continually engages with industry groups and in public policy discussions to share intelligence and best practices for building stronger data protection and privacy programs. Examples include: 

  • American Council of Life Insurers 
  • Canadian Anonymization Network
  • Canadian Cyber Threat Exchange
  • Canadian Life and Health Insurance Association Information Security Sharing Group
  • Canadian Marketing Association Privacy and Data Committee
  • Cyber Security — Citizens Awareness Working Group organized by the Canadian Bankers Association
  • Financial Services Information Sharing and Analysis Center
  • Life Insurance Council of New York, Inc. 
  • Philippine Life Insurance Association
  • Vector Institute for Artificial Intelligence

Using data responsibly

Client data plays a central role in helping Sun Life deliver on our Purpose. The Client Data Privacy Principles below set out this commitment and support our standing as a trusted and responsible business. They form the basis of our approach to managing Client data, including how we use data and who is accountable.

Refer also to Responsible data use and AI.

  • We use Client data to deliver on our Purpose
  • We do not sell Client data
  • We inform Clients about why we collect and use their data

2025 Highlights

  • 98% of employees completed information security and privacy training.¹
  • Implemented multi-factor authentication on 95% of our external-facing sites, adding layers of protection for our Client data and accounts.
  • 811 Privacy Impact Assessments conducted for new or modified products, services and programs.

Learn more about our progress and performance in our 2025 Sustainability Report.


¹ Training completion rates are as at January 15, since annual training assigned during the reporting year may be completed after year-end.