Principal Financial Group 2023 Sustainability Report: Cybersecurity & Data Privacy
Originally published in Principal Financial Group 2023 Sustainability Report
Cybersecurity and data privacy
Protecting the confidentiality of the personal data entrusted to us by our customers, employees, and business partners is of utmost importance to us. That’s why we take proactive approaches to keep our systems secure, continually assess for emerging risks, and ensure employees are sufficiently trained on handling sensitive information.
Our approach
Cybersecurity
We understand the nature of cyber threats and the importance of being able to defend against and respond to them. As a result, cybersecurity is overseen by the full Board of Directors. Directors and the Executive Management Group receive at least one cybersecurity report every quarter from the Chief Information Officer, the Chief Information Security Officer, the Chief Risk Officer, or other professionals. These reports ensure management maintains an enterprise-wide cyber risk program with the necessary policies, practices, and controls to effectively manage risks and ensure resiliency in the face of potential cyber threats.
We proactively assess risk on new services or systems integrated with the Principal network or data. In our current systems and applications, we continuously test for and resolve weaknesses and vulnerabilities using network and infrastructure vulnerability testing, dynamic application security testing, static application security testing, and adversary emulation. The frequency of automated vulnerability scanning varies from daily to monthly depending on the type of testing and the target.
Principal also undergoes a third-party assessment of our information security program maturity every two years. The last assessment occurred in 2022 and we showed improvement across all assessed NIST categories.
Our controls are frequently updated and refined based on learnings from regular red team engagements, which identify security vulnerabilities through penetration testing, and from daily analysis by threat hunters. All operations are refined through a dedicated cyber threat intelligence function.
Cybersecurity will continue to be a dynamic area, which requires that we remain agile and aware of internal and external changes. Information security will provide proactive approaches to cloud and data security and ensure there is a strong partnership with engineering and business teams. This includes requiring cybersecurity training for all engineers and others involved in software deployment.
Our enterprise approach to data security in the cloud remains consistent with our overall data security strategy of protecting the personal data entrusted to us by our customers, employees, business partners, and other individuals.
Principal is a member of the Cyber Readiness Institute (CRI), which brings together expertise from global companies to provide free resources that improve cyber readiness. We believe helping small and midsized businesses (SMBs) to be more cyber ready encourages a team approach to cyber defense for both our customers and our suppliers. We meet regularly with CRI to provide content for their program and take part in their SMB business meetings.
Data privacy
Privacy risk assessments
We are continuing to enhance our oversight over how personal data is managed across the global Principal footprint. We’ve enhanced our visibility into privacy risk management, rolling out targeted assessments in global regions to help mitigate privacy risk in business processes.
Our privacy impact assessment is designed to identify, evaluate, and mitigate potential privacy risks, ensure we use personal data in transparent ways, and follow all applicable laws. Our business and technology partners are expected to complete privacy assessments for any new use of personal data. The assessment is updated if the use changes, or is reviewed and updated annually, whichever comes first. Internal audit tests privacy practices and controls and conducts periodic audits of the privacy program.
Privacy rights and concerns
The Global Privacy Statement (PDF) provides direction to individuals on how they can exercise their data subject rights or raise data privacy concerns.
We also protect the privacy rights of Principal employees by ensuring that all employees, including leaders, understand and abide by appropriate data privacy practices in regions where employee data is subject to certain privacy regulations and restrictions.
Other ways we protect both personal and non-personal information:
- New hires and employees must complete annual information security and privacy-related courses. Training is offered every quarter and additional role-based training is provided for certain roles.
- All employees must complete and sign a confidentiality acknowledgment.
- Our Global Privacy Statement details how personal data may be collected, used, transferred, accessed or otherwise shared at Principal and by all personnel.
- We run a phishing simulation program to train employees to recognize and report phishing attacks. Employees receive at least two phishing simulations each quarter.
- We have a comprehensive, enterprise third-party risk management program to help ensure proper management of confidential, personal, and proprietary data.
- Our Enterprise Written Information Security Program (WISP) aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework functions: identify, protect, detect, respond, and recover.
- We carry out annual cybersecurity incident response exercises involving multiple levels of management.
- Our Cybersecurity Working Group—comprising individuals with privacy, legal, compliance, risk, audit, and cybersecurity expertise—provides valuable input and feedback to formal information security governance groups.
Information security and data privacy are Board-level topics; therefore, quarterly Board reports include key metrics, an overview of the threat landscape, progress on strategic initiatives, and timely awareness topics. Our risk oversight and operational diligence have contributed to us not experiencing any significant incidents in our more than 140 years of being in business.
Our actions and performance in 2023
In 2023, we expanded our Consent and Preference Management capability along with enhancements to our one-stop shop for customers—the online Privacy Center. Our Privacy Center is now more user-friendly and makes it easier for individuals to understand both our privacy practices and how they can exercise their personal data rights in accordance with applicable law.
We consolidated and streamlined our jurisdictional privacy policies into a unified Global Privacy Statement which is applicable to the collection and use of personal data across the global enterprise.
We have appointed new data protection officers (DPOs) in multiple regions, including the Philippines and Latin America, to adhere to regulatory requirements and as a best practice. Recurring roundtables have been established to ensure clear lines of communication as privacy regulations across the world evolve.
In 2023, an average of 97% of global employees completed information security trainings on time and 99% of global employees completed the global data privacy training.
What’s next
In 2024, we aim to enhance our privacy capabilities in the areas of incident response, regulatory change management, and privacy risk assessment. Privacy laws across the globe are changing at a rapid pace and these adjustments will help us ensure that we’re maturing the program along with regulatory landscape changes.
New privacy enhancing technology will be deployed in 2024, helping the business to assess and mitigate privacy risks through a revamped privacy impact assessment process.
In cybersecurity, our focus for 2024 is to transform cloud security maturity by implementing advanced security controls, adopting industry best practices, and continuously evolving policies and standards to protect cloud resources.
To learn more, read the Principal Financial Group 2023 Sustainability Report.