Data security and privacy

Evolving risks. Evolving our defences.

New cyber threats continue to emerge, and the surge in remote work and online financial services creates new data risks. We must work to detect and prevent threats before they cause harm. This effort requires constant evolution of our best practices.

Our approach

Employee education and diligence are critical to our success in protecting our Clients’ data. Each year, employees complete mandatory security and privacy training courses. This training helps them understand their responsibilities, relevant rules and how to protect Client data and confidentiality.

We also provide extra guidance and awareness-building programs to help employees deepen their knowledge. For example, our security team conducts interactive phishing simulations. These tests teach employees to recognize and avoid the real-world phishing attempts they may encounter.

Cybersecurity is a growing concern for the public and a top priority for Sun Life. Organizations around the world are facing increasing attacks on their computer systems by sophisticated hacking groups.

Our Senior Vice-President and Chief Information Security Officer (CISO) is accountable for global oversight of the implementation of Sun Life’s information security program and the Security Risk Policy. The CISO leads a global team of over 200 highly qualified individuals. His global mandate includes the development, execution and operational management of Sun Life’s security strategy, risk assessments, security controls, monitoring, incident response and compliance. The CISO also chairs the global crisis management team and is responsible for reporting on technology risk.

We continue to evolve our cyber defences to be effective against emerging threats. For example:

  • Defence best practices: We align our security program to leading frameworks such as the Cybersecurity Framework of the National Institute of Standards and Technology. This framework outlines best practices to help organizations manage and lower their cybersecurity risks.

  • Multiple control layers: We follow the three-lines-of-defence model to manage security risks (refer to Risk Management). We incorporate a “defence-in-depth” strategy and use multiple control layers to protect all data. These controls range from web firewalls, anti-malware software and encryption to intrusion monitoring and email threat protection. 

  • Security audits and testing: We regularly perform security audits, scanning and testing of Sun Life’s systems and practices involving Client data. Our security team assesses how effective our controls are and drives active improvements. We use security solutions that incorporate artificial intelligence and machine learning. These technologies help our security analysts assess threats and respond to cyberattacks. Every quarter, we report on cyber risk and cybersecurity to the Risk Committee of the Board of Directors.

  • Cyber intelligence: We use several cyber intelligence services to help us identify, assess and update our defences against the latest cyber threats. 

Our reputation depends on being a responsible steward of the data entrusted to us. Delivering on this duty involves:

  • Commitment to standards: Our global privacy program is part of Sun Life’s risk management framework across the company. The program includes robust processes and standards including our Global Privacy Statement. It explains how we collect and use the personal information of Clients, and other individuals who interact with us, in a lawful and respectful manner.

  • Oversight and reporting: The Chief Privacy Officer oversees the global privacy program and sets direction for privacy compliance across the enterprise. Over 30 Privacy Officers across the enterprise help our businesses make privacy-related decisions. Every quarter, we report any significant privacy matters to the Board.

  • Privacy by design: We use privacy-by-design principles in our product development. For new initiatives or material changes to existing processes, we conduct Privacy Impact Assessments. These assessments help us identify and manage privacy risks. We also include appropriate privacy and security clauses in contracts with third parties that handle personal information for us. 

Sun Life engages with industry groups and in public policy discussions to share intelligence and best practices for building stronger data protection and privacy programs. Examples include:  

  • Financial Services Information Sharing and Analysis Center
  • Cyber Security Specialists Group, organized by the Canadian Bankers Association
  • Canadian Life and Health Insurance Association Information Security Sharing Group
  • Canadian Cyber Threat Exchange
  • Canadian Anonymization Network
  • American Council of Life Insurers
  • Life Insurance Council of New York, Inc.
  • Information Accountability Foundation
  • Canadian Marketing Association Privacy and Data Committee
  • Alliance for Privacy and Innovation in Canada

Managing data responsibly

Client data plays a big role in helping Sun Life deliver on our Purpose. Our Client Data Privacy Principles highlight this commitment and help us remain a trusted and responsible business. They form the basis of our approach to managing Client data, including how we use data and who is accountable:

  • We use Client data to deliver on our Purpose
  • We do not sell Client data
  • We inform Clients about why we collect and use their data

2022 highlights

  • 91% of employees completed information security and privacy training 1,2
  • Delivered 30 phishing simulations to employees, contractors and Canadian advisors2. These tests include real-life scenarios to help identify and avoid all types of phishing emails.
  • 511 Privacy Impact Assessments conducted before launching new or modified products, services and programs2

Learn more about our progress and performance in our 2022 Sustainability Report and ESG Performance Tables.

How Sun Life is leading the way in protecting privacy rights  

Before launching any product, service or initiative at Sun Life, we conduct a Privacy Impact Assessment (PIA) to proactively address any privacy risks. This helps us ensure Clients’ privacy rights are protected from the start. 


1 Training completion rates are as at January 15 since annual training assigned during the reporting year may be completed after year-end. 

2 Refer to Sustainability Data Scope - Note 6.

Refer to Sustainability Data Scope.