Canada Life Cyber Security Statement 2018

Governance

Canada Life has implemented an Information Security framework which supports standards designed to establish a system of internal controls and accountability for the safeguarding of information assets. The supporting standards set out the requirements that have been determined necessary to comply with legal, regulatory or contractual obligations and to address cyber risk.

Stewardship and Classification

Canada Life holds information which has been obtained from a number of sources. Some information is created by Canada Life or is otherwise acquired and held as proprietary information belonging to the company. Other information is gathered from third parties (e.g. our customers, employees, clients, advisers and business partners) who have entrusted such information to Canada Life as its steward. Canada Life will designate information owners for all information assets. Information owners are responsible for meeting the Company's internal control requirements as defined by the Information Security Policy and its supporting standards.

Access Control

Canada Life will strictly limit access to information assets based upon their classification. Access rights are managed and extended by the appropriate information owner. Privileged accounts are migrating to a dedicated Privileged Account Management (PAM) platform.

Personnel Security

Canada Life conducts regular information security awareness programmes to ensure staff are aware of information security risks, the policy, the supporting standards, safe practices and their individual responsibilities. Canada Life reserves the right to conduct additional security and reference checks on its staff, based upon the classification of the information assets they are required to access or are exposed to through their job duties.
Acceptable Use

All Canada Life staff commit to using information assets for business purposes and in a manner consistent with their information classification, the Information Security Policy, the supporting standards, the company's Code of Business Conduct and Ethics and other applicable business practices and procedures.

Physical and Environmental Security

Canada Life will define, implement and manage appropriate physical security measures in all locations to protect information assets based upon the Information Classification Scheme.
Risk Management Approach

In 2014, cyber security was recognised as a significant emerging risk due to the increase in cyber attacks targeting financial institutions. The Enterprise began a multi-year enhancement of our information security capabilities to ensure appropriate focus was placed on cyber security protection. This led to the establishment of a Cyber Security Programme to provide effective and sustainable capabilities to protect the Company from current and emerging cyber threats and to enable and support business strategies.

The Cyber Security Programme is implementing the governance, policies, staff, processes and technologies required to assess and mitigate cyber risks and attacks, first to remediate the current gaps and then to safeguard the Company on a sustainable, ongoing basis. The first initiative in the programme was the creation of a Cyber Security Architecture and Strategy that protects the business and provides traceability from the services and technologies being implemented to key business drivers.

The process followed to develop the cyber strategy started with understanding the business goals and objectives. Based on that information, the risks to the business were examined and control objectives were established to mitigate those risks. A logical security architecture was then established that described the security services required to satisfy those objectives. Security policies and standards were refreshed to support the control objectives. A services-based roadmap was produced to guide delivery activities.

[Figure: cyber strategy development flow, with stages labelled Business Modelling, Business Attributes, Business Risk Modelling, Control Objectives, Security Strategies, Control Objectives, Policies & Standards, Security Policies & Standards, List of Services, Logical Security Architecture, Technologies, People, Process, Roadmap, Program Planning & Executive]
Cyber Security in Canada Life

Canada Life takes the protection of our Information Assets seriously and has, through a multi-year Cyber Security Programme, enhanced the already strong controls.

Perimeter

The European perimeter defences are constantly being enhanced to protect the organisation against the cyber threat. Such enhancements include Distributed Denial of Service (DDoS) protection, Intrusion Detection (IDS) and Intrusion Prevention (IPS) systems, and firewalls providing multiple layers of defence. Further enhancements are in flight and include the implementation of Web Application Firewalls (WAF) and secure code reviews for internet-facing systems. To ensure that the risk is monitored, the perimeter is subject to both vulnerability assessments and external application penetration testing.

Email

The email gateways used by Canada Life are being upgraded to address the cyber risk and will include state-of-the-art detection and analysis and Targeted Attack Protection.

Browsing

All LAN browsing utilises proxy technology which is configured to allow or block traffic based on URL classification.

Servers

Servers are being built to international hardening standards and monitored for compliance against the chosen standard. Access to these servers is managed via a Privileged Account Management (PAM) solution, and servers have centrally managed antivirus software.

Laptops

All corporate laptops are encrypted and have additional protection including antivirus, Host Intrusion Protection (HIPS) and data loss technology.

Threat Intelligence

Central Security Services (CSS), the primary operational security group within GWLE IS, receives threat intelligence from a wide variety of sources. The vast majority of actionable intelligence is delivered automatically as part of the rule base updates for the commercial products (e.g. McAfee Anti-Virus) licensed to protect the environment.
In addition, a growing number of in-house security professionals use a corporate membership of the Information Security Forum (ISF) and the Financial Services Information Sharing and Analysis Centre (FS-ISAC) on an ad hoc basis to apprise the organization of evolving threats. This is further augmented by publicly available threat intelligence services (e.g. https://myonlinesecurity.co.uk/). Representatives from various Information Security disciplines within GWLE IS also visited a peer company in 2016 to share experiences. This information sharing continued into 2017 through participation in the inaugural Irish Computer Society Security Forum, where the team met with companies from various industries to discuss and share in confidence.

Incident Response

The Critical Incident Response Team (CIRT) procedure is invoked when appropriate by our Service Management team to ensure a co-ordinated response to IT incidents which meet a defined set of criteria indicating a risk of high business impact. These procedures are designed to work with the standard IT Incident Management processes in order to bring critical incidents to resolution in a timely fashion.
DR / BCP

All critical data is backed up according to an agreed retention policy. This data is backed up to disk locally and replicated to the Disaster Recovery site. Restores of the data are tested periodically: samples are tested quarterly, and regular tests are performed through business requests for business-as-usual (BAU) data restores. Detailed BCP plans are in place and are reviewed annually. Business continuity plans are tested and updated regularly to ensure that they remain up to date and effective. There is an annual enterprise-wide test of our DR infrastructure, the general purpose of which is to demonstrate the recovery capability of selected production systems at the recovery site.

Awareness of and Compliance with Laws and Regulation

A register of external requirements is maintained centrally. A review of this register is undertaken annually to determine whether any new requirements need further assessment or whether a specific requirement previously assessed requires any further review. This annual review prompts us to identify any new or changed legal, regulatory or contractual external requirements that might be relevant to IS. The requirements are gathered through discussions involving various stakeholders such as Legal Officers, Corporate Compliance staff, Risk Officers, Account Managers and I.S. Process Owners. The Risk & Compliance Analyst assesses any new or changed legal, regulatory or contractual external requirements in order to determine whether they are applicable to I.S. and updates the External Requirements register. The key findings and recommendations are reported to IS senior management on an annual basis. Subject matter experts are consulted as appropriate to confirm applicability and determine priority.

Board of Directors Responsibilities

Our Board is provided with regular reporting on cyber and other IT risks and on its roles and responsibilities with respect to the management of these risks.
The Board is provided with access to skilled IT Risk professionals to ensure adequate understanding of cyber and IT risks. The Chief Information Security Officer also presents to the Board periodically.

Management of Third-Party Relationships

The IS team within Canada Life has a number of governance functions, with processes and guidelines in place to ensure we mitigate risk with third parties while creating and realising economies of scale and synergies as part of the Great-West Life (GWL) group of companies. On initial engagement with third parties, our IS team performs the normal due diligence expected of any commercial/business relationship; through its Security and Compliance teams it also performs deeper due diligence on potential third-party suppliers, looking at their offering/capability from a security and compliance perspective. If a potential third-party supplier meets our security/compliance standards, our Vendor Management team then engages with the third party to put robust contracts in place to reduce our business and legal risk while fulfilling our business needs, often using our global reach and leverage to join contracts already in place with our Canadian parent (GWL). Ongoing management of a third-party service/delivery is conducted under an SLA framework contained in our contracts and managed by our internal contract manager(s) (typically the individual who owns/budgets for the service/product in-house), who in turn is subject to a framework and integral audit at frequent intervals to ensure compliance.

Financial Fraud

Canada Life has policies and procedures in place to meet all UK legislation in connection with the prevention and detection of financial crime.

Canada Life has made every attempt to ensure the accuracy and reliability of the information provided in this document. However, the information is provided on an "as is" basis without warranty of any kind. Canada Life does not accept any responsibility or liability for the accuracy, content, completeness or reliability of the information contained herein.
Canada Life Limited, registered in England no. 973271. Registered office: Canada Life Place, Potters Bar, Hertfordshire EN6 5BA. Telephone: 0345 6060708 Fax: 01707 646088 www.canadalife.co.uk Member of the Association of British Insurers. Canada Life Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. CL01482 418R