The case for CSR/ Sustainability Reporting Done Responsibly


Insights on how you can protect the environment, maintain and increase the value of your company, through a structured process.



Case study: How Sun Life promotes data security and privacy

Sun Life is a leading international financial services organisation providing insurance, wealth and asset management solutions to both individual and corporate clients in several markets worldwide. Being in the insurance and wealth management business, Sun Life handles sensitive personal information, from medical records to financial statements. Accordingly, Sun Life maintains and constantly invests in practices, processes and tools to safeguard its networks and clients’ personal information.

This case study is based on the 2018 Sustainability Report by Sun Life published on the Global Reporting Initiative Sustainability Disclosure Database that can be found at this link. Through all case studies we aim to demonstrate what CSR/ ESG/ sustainability reporting done responsibly means. Essentially, it means: a) identifying a company’s most important impacts on the environment, economy and society, and b) measuring, managing and changing. 

Abstract

Sun Life’s business is dependent on maintaining a secure, confidential environment for its clients’, employees’ and other partners’ information, making sure it protects and manages it with great care. In order to promote data security and privacy Sun Life took action to:

  • implement a security awareness programme
  • promote privacy protection
  • strengthen defences
  • promote cyber safety

What are the material issues the company has identified?

In its 2018 Sustainability Report Sun Life identified a range of material issues, such as digital innovation, talent management, workforce wellness, diversity and inclusion, environmental impacts. Among these, promoting data security and privacy stands out as a key material issue for Sun Life.

Stakeholder engagement in accordance with the GRI Standards

The Global Reporting Initiative (GRI) defines the Principle of Stakeholder Inclusiveness when identifying material issues (or a company’s most important impacts) as follows:

“The organization should identify its stakeholders, and explain how it has responded to their reasonable expectations.”

Stakeholders must be consulted in the process of identifying a company’s most important impacts, and their reasonable expectations and interests must be taken into account. This is an important cornerstone for CSR / sustainability reporting done responsibly.

Key stakeholder groups Sun Life engages with:

To identify and prioritise material topics Sun Life listened to and consulted with internal and external stakeholders throughout the year via diverse channels that included the following:

Stakeholder Group: Clients
Method of engagement:
  • Client experience surveys
  • Focus groups
  • Other feedback channels (in-person, mobile apps, email, social media, call centres, online communities)
  • User testing website

Stakeholder Group: Employees
Method of engagement:
  • Global Engagement Survey
  • Training and development activities
  • Internal social media and online forums
  • Manager/staff meetings, including formal performance appraisals
  • Town hall meetings with senior executives
  • Employee Ethics Hotline
  • Internal inclusion networks
  • Millennial think tank

Stakeholder Group: Shareholders, Investors, ESG Analysts
Method of engagement:
  • Investor Days
  • Annual meetings
  • Quarterly earnings conference calls
  • Webcast presentations
  • Participation in conferences
  • Meetings with investor groups
  • Participation in surveys

Stakeholder Group: Community Organisations and Members
Method of engagement:
  • Community outreach
  • Sponsorships
  • Employee and advisor giving and volunteerism
  • Media relations
  • Community consultations/meetings

Stakeholder Group: Suppliers
Method of engagement:
  • Request for proposal processes
  • Regular meetings and briefings
  • Ongoing relationship management
  • Supplier risk assessment
  • Supplier Diversity Programme

Stakeholder Group: Governments and Regulators, Industry Associations
Method of engagement:
  • Participation in consultation processes, conferences and events
  • Memberships and participation in industry/trade associations and working groups
  • Sun Life Political Action Committee (U.S.)
  • Ongoing dialogue

What actions were taken by Sun Life to promote data security and privacy?

In its 2018 Sustainability Report Sun Life reports that it took the following actions for promoting data security and privacy:

  • Implementing a security awareness programme
    Sun Life’s global security awareness programme educates all employees on their security responsibilities and on Sun Life’s Security Policy. The programme includes compulsory security training, security alerts and bulletins, and additional training for specific groups, such as managers and system administrators. Sun Life’s security architecture includes firewalls, intrusion detection systems, network monitoring, encryption and other tools to prevent and detect cyber security attacks.
  • Promoting privacy protection
    Sun Life’s Global Privacy Programme is embedded in its enterprise-wide risk management framework and includes various standards and processes. Additionally, Sun Life’s Global Privacy Commitment outlines principles to ensure personal information remains private and confidential. Sun Life employs privacy by design in its product development, and includes privacy clauses in contracts with third parties that handle client data. All employees receive privacy training and guidance through Sun Life’s privacy policies, to understand and fulfil Sun Life’s corporate privacy commitments and all relevant regulations.
  • Strengthening defences
    To strengthen its defences, in 2018 Sun Life:
    • Initiated over 20 projects to increase its cyber security capabilities. Examples include enhancements to security alerting and incident response processes.
    • Continued to embed its privacy risk appetite statement and compass in internal processes, to better manage privacy risks and guide employees during the development and deployment of new products and initiatives.
    • Enhanced its privacy risk self-assessment processes to better identify risks and strengthen privacy controls in ongoing business processes, products and initiatives.
  • Promoting cyber safety
    To promote cyber safety, in 2018 Sun Life:
    • Carried out monthly phishing simulation tests with every employee.
    • Broadened its cyber security training and education to include new ways of reaching and engaging employees. For example, Sun Life:
      • used Workplace by Facebook to deliver a live streaming event that featured Q&As with executives, offering a forum for employees to ask questions about how to protect data and privacy both at work and at home; and
      • created topical blogs, posts and animated videos to bring cyber security issues to life. Topics addressed common questions and concerns raised by employees, such as online security, anti-virus protection, social media security and the Internet of Things.

Which GRI Standards and corresponding Sustainable Development Goals (SDGs) have been addressed?

The GRI Standard addressed in this case is: Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data

Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data corresponds to:

  • Sustainable Development Goal (SDG) 16: Promote peaceful and inclusive societies for sustainable development, provide access to justice for all and build effective, accountable and inclusive institutions at all levels
  • Business theme: Compliance with laws and regulations, Protection of privacy


80% of the world’s 250 largest companies report in accordance with the GRI Standards

SustainCase was primarily created to demonstrate, through case studies, the importance of dealing with a company’s most important impacts in a structured way, with use of the GRI Standards. To show how today’s best-run companies are achieving economic, social and environmental success – and how you can too.

Research by well-recognised institutions is clearly proving that responsible companies can look to the future with optimism.

FBRH GRI Standards Certified and IEMA approved Sustainability Course | Venue: London LSE

By registering for the next 2-day FBRH GRI-Standards Certified and IEMA approved Course you will be taking the first step in gaining the many benefits of sustainability reporting.



1) This case study is based on published information by Sun Life, located at the link below. For the sake of readability, we did not use brackets or ellipses. However, we made sure that the extra or missing words did not change the report’s meaning. If you would like to quote these written sources from the original, please revert to the original on the Global Reporting Initiative’s Sustainability Disclosure Database at the link:


Note to Sun Life: With each case study we send out an email requesting a comment on this case study. If you have not received such an email please contact us.