Case study: How Sun Life promotes data security and privacy
Sun Life is a leading international financial services organisation providing insurance, wealth and asset management solutions to both individual and corporate clients in several markets worldwide. Being in the insurance and wealth management business, Sun Life handles sensitive personal information, from medical records to financial statements. Accordingly, Sun Life maintains and constantly invests in practices, processes and tools to safeguard its networks and clients’ personal information.
This case study is based on the 2018 Sustainability Report by Sun Life published on the Global Reporting Initiative Sustainability Disclosure Database that can be found at this link. Through all case studies we aim to demonstrate what CSR/ ESG/ sustainability reporting done responsibly means. Essentially, it means: a) identifying a company’s most important impacts on the environment, economy and society, and b) measuring, managing and changing.
Sun Life’s business is dependent on maintaining a secure, confidential environment for its clients’, employees’ and other partners’ information, making sure it protects and manages it with great care. In order to promote data security and privacy Sun Life took action to:
- implement a security awareness programme
- promote privacy protection
- strengthen defences
- promote cyber safety
With this case study you will see:
- Which are the most important impacts (material issues) Sun Life has identified;
- How Sun Life proceeded with stakeholder engagement, and
- What actions were taken by Sun Life to promote data security and privacy
What are the material issues the company has identified?
In its 2018 Sustainability Report Sun Life identified a range of material issues, such as digital innovation, talent management, workforce wellness, diversity and inclusion, and environmental impacts. Among these, promoting data security and privacy stands out as a key material issue for Sun Life.
Stakeholder engagement in accordance with the GRI Standards
The Global Reporting Initiative (GRI) defines the Principle of Stakeholder Inclusiveness when identifying material issues (or a company’s most important impacts) as follows:
Stakeholders must be consulted in the process of identifying a company’s most important impacts and their reasonable expectations and interests must be taken into account. This is an important cornerstone for CSR / sustainability reporting done responsibly.
Key stakeholder groups Sun Life engages with:
To identify and prioritise material topics Sun Life listened to and consulted with internal and external stakeholders throughout the year via diverse channels that included the following:
| Stakeholder Group | Method of engagement |
| --- | --- |
| Clients | · Client experience surveys · Focus groups · Other feedback channels (in-person, mobile apps, email, social media, call centres, online communities) · User testing website |
| Employees/Advisors | · Global Engagement Survey · Training and development activities · Internal social media and online forums · Manager/staff meetings, including formal performance appraisals · Town hall meetings with senior executives · Employee Ethics Hotline · Internal inclusion networks · Millennial think tank |
| Shareholders, Investors, ESG Analysts | · Investor Days · Annual meetings · Quarterly earnings conference calls · Webcast presentations · Participation in conferences · Meetings with investor groups · Participation in surveys |
| Community Organisations and Members | · Community outreach · Sponsorships · Employee and advisor giving and volunteerism · Media relations · Community consultations/meetings |
| Suppliers | · Request for proposal processes · Regular meetings and briefings · Ongoing relationship management · Supplier risk assessment · Supplier Diversity Programme |
| Governments and Regulators, Industry Associations | · Participation in consultation processes, conferences and events · Memberships and participation in industry/trade associations and working groups · Sun Life Political Action Committee (U.S.) · Ongoing dialogue |
What actions were taken by Sun Life to promote data security and privacy?
In its 2018 Sustainability Report Sun Life reports that it took the following actions for promoting data security and privacy:
- Implementing a security awareness programme
  - Sun Life’s global security awareness programme educates all employees on their security responsibilities and on Sun Life’s Security Policy. The programme includes compulsory security training, security alerts and bulletins, and additional training for specific groups, such as managers and system administrators. Sun Life’s security architecture includes firewalls, intrusion detection systems, network monitoring, encryption and other tools to prevent and detect cyber security attacks.
- Promoting privacy protection
  - Sun Life’s Global Privacy Programme is embedded in its enterprise-wide risk management framework and includes various standards and processes. Additionally, Sun Life’s Global Privacy Commitment outlines principles to ensure personal information remains private and confidential. Sun Life employs privacy by design in its product development, and includes privacy clauses in contracts with third parties that handle client data. All employees receive privacy training and guidance through Sun Life’s privacy policies, to understand and fulfill Sun Life’s corporate privacy commitments and all relevant regulations.
- Strengthening defences
  - To strengthen its defences, in 2018 Sun Life:
    - Initiated over 20 projects to increase its cyber security capabilities. Examples include enhancements to security alerting and incident response processes.
    - Continued to embed its privacy risk appetite statement and compass in internal processes, to better manage privacy risks and guide employees during the development and deployment of new products and initiatives.
    - Enhanced its privacy risk self-assessment processes to better identify risks and strengthen privacy controls in ongoing business processes, products and initiatives.
- Promoting cyber safety
  - To promote cyber safety, in 2018 Sun Life:
    - Carried out monthly phishing simulation tests with every employee.
    - Broadened its cyber security training and education to include new ways of reaching and engaging employees. For example, Sun Life:
      - used Workplace by Facebook to deliver a live streaming event that featured Q&As with executives, offering a forum for employees to ask questions about how to protect data and privacy both at work and at home; and
      - created topical blogs, posts and animated videos to bring cyber security issues to life. Topics addressed common questions and concerns raised by employees, such as online security, anti-virus protection, social media security and the Internet of Things.
Which GRI Standards and corresponding Sustainable Development Goals (SDGs) have been addressed?
The GRI Standard addressed in this case is: Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data
Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data corresponds to:
- Sustainable Development Goal (SDG) 16: Promote peaceful and inclusive societies for sustainable development, provide access to justice for all and build effective, accountable and inclusive institutions at all levels
- Business theme: Compliance with laws and regulations, Protection of privacy
References:
1) This case study is based on published information by Sun Life, located at the link below. For the sake of readability, we did not use brackets or ellipses. However, we made sure that the extra or missing words did not change the report’s meaning. If you would like to quote these written sources from the original, please refer to the original on the Global Reporting Initiative’s Sustainability Disclosure Database at the link:
http://database.globalreporting.org/
2) https://www.globalreporting.org/standards/gri-standards-download-center/