At Cigna, we respect our customers’ and clients’ right to privacy and value the trust they place in us. Every day, Cigna’s computer systems are used to collect, store, and process high volumes of sensitive personal information in connection with the services we provide. Our business depends on our clients’ and customers’ willingness to entrust us with their health-related and other sensitive personal information. Consequently, we are committed to the responsible management, use, and protection of our customers’ and clients’ personal information.
The digital landscape continues to become more pervasive within business and throughout our personal lives. At the same time, technological advancements continue to accelerate connected devices, artificial intelligence, quantum computing, advanced robotics, blockchain, and other game-changing capabilities. Cybersecurity and privacy are only becoming more important in this dynamic environment.
Our operations span more than 30 countries, all of which have unique laws related to the collection, storage, use, processing, transfer, disclosure, and destruction of personal information. We take these legal obligations very seriously. As such, we are committed to maintaining a globally compliant privacy and information protection program that aligns with international best practices and standards, including the Cybersecurity Framework of the National Institute of Standards and Technology (“NIST”), ISO 27001, and ISO 27002. The latter two are information security standards published by the International Organization for Standardization.
A Collective Effort
Protecting the privacy of our customers, employer clients, employees, and business partners is of the utmost importance to us. As such, it is part of Cigna’s Code of Ethics and Principles of Conduct (“Code”). We provide continuous training on the Code as well as specific training on privacy and information protection in order to cultivate an atmosphere in which every employee views themselves as responsible for ensuring the privacy of our stakeholders by adhering to our company’s data protection policies and practices.
As part of this effort, we also provide customers with a wealth of online resources regarding Cigna Information Privacy (“CIP”), including our Online and Mobile Privacy Statement, Notices of Privacy Practices, and privacy forms. We also give customers information on how they can further protect their personal information, including their health information, as well as any potential uses of personally identifiable information.
There are many regulations that govern the protection and usage of personal information, such as the Health Insurance Portability and Accountability Act (HIPAA); the General Data Protection Regulation (GDPR); the Telephone Consumer Protection Act (TCPA); and the Telemarketing Sales Rule. In addition, there are emerging state privacy laws such as the California Consumer Privacy Act (CCPA). We also take great care in how we use and share Health Plan Clients’ competitively sensitive information to run our businesses. All employees are required to protect our Health Plan Clients’ competitively sensitive information and follow established firewall guidelines. Employees whose roles are impacted by these regulations and restrictions receive training on them during their onboarding and then throughout their employment.
Our Privacy Programs
Cigna's Enterprise Privacy Program is responsible for:
- Developing policies that support Cigna's governance and use of protected information, and providing advice on strategic initiatives;
- Monitoring privacy and security laws and regulations, updating policies as necessary, and communicating changes to such policies;
- Managing privacy risk and reporting privacy-related risks to Cigna management;
- Creating and maintaining privacy training and privacy awareness efforts to educate employees about the importance of handling personal information with care;
- Providing legal guidance on information incidents, breaches, and complaints;
- Investigating and responding to potential privacy incidents, overseeing corrective action plans, and providing required notifications;
- Ensuring compliance with applicable breach laws; and
- Monitoring the effectiveness of the privacy programs.
Cigna Information Protection ("CIP")
CIP is the unit within our company that focuses on technology and governance in order to ensure that Cigna’s business and customer information and systems are secure. The unit focuses on the behaviors and technology needed to safeguard information from unauthorized or inappropriate access, use, or disclosure. CIP strives to keep data secure and available while enabling speed, scale, and trust.
A key part of Cigna’s cybersecurity program is our enterprise-wide security policies and standards. CIP has aligned Cigna’s cybersecurity program and its security policies and standards with the NIST Cybersecurity Framework. The NIST Cybersecurity Framework is an internationally recognized security control framework used by companies to assess and improve their ability to prevent, detect, and respond to cyber-attacks. In addition to the NIST framework, CIP leverages the ISO 27001 and 27002 standards. These internationally accepted standards provide best practice recommendations for initiating, implementing, and maintaining information security management systems. Aligning with and leveraging these frameworks helps to ensure that Cigna’s cybersecurity and information protection program remains relevant and appropriate in light of changes to the cybersecurity landscape and emerging technologies. CIP reviews Cigna's security policies and standards and updates them regularly to facilitate compliance with regulatory, industry, and contractual requirements and recommendations.
In 2019, we continued to invest in cybersecurity to drive maturity, which has become a differentiator for Cigna in the marketplace. Following the combination with Express Scripts®, we evaluated and reorganized the information protection function to leverage best practices and drive standardization through enterprise shared services. As part of this restructuring, we assigned a Deputy Chief Information Security Officer (CISO) to each of Cigna’s four major business units (Health Services, U.S. Commercial, Government, and International Markets). In 2020, we will continue to evolve our cybersecurity program and increase efficiencies across business and IT units. Among new emerging trends, Insider Threat continues to be a focal point in health care as shown by prior breaches. By analyzing lessons learned from those incidents, we can accelerate efforts in our cybersecurity program in areas such as education and awareness.
Critical Security Processes
CIP is also responsible for the implementation and effective operation of the following critical security processes:
- Cyber risk assessments – Cigna has a defined process in place to identify, quantify, assess, manage, and report on potential cyber risks as well as their respective risk levels and action plans to Cigna’s senior management and Board of Directors.
- Application and infrastructure security assessments – Cigna uses a comprehensive system development life cycle (SDLC) framework that requires applications and related infrastructure to be reviewed and assessed by CIP before being implemented. CIP’s review is intended to verify compliance with Cigna's security policy requirements and standards. The framework includes network and website vulnerability assessments, which are performed using industry-standard scanning software.
- Identity and access management – Access to Cigna’s information systems is managed using a role-based access control methodology, which defines the access a user receives to Cigna's information systems based on job function and includes a process to validate that user access rights remain appropriate over time. Privileged or elevated access to Cigna’s systems is subject to heightened internal approval requirements. By having proper security controls in place, Cigna is able to establish and maintain a holistic view of an individual’s digital identity. This ensures that employees have the minimum level of access required to perform their jobs.
- Security awareness and training – Cigna’s cybersecurity education and awareness program is focused on cybersecurity simulations; education and awareness content; compliance; and enforcement. Phishing simulations are conducted monthly and remedial training is administered as required. In addition to training on the Code, all employees are required to complete an annual cybersecurity training course. This training is complemented by ongoing security awareness messaging. Additionally, security awareness sponsored events are hosted throughout the year.
- Third-party security oversight – Suppliers that have access to, host, or transmit Cigna data are contractually required to comply with Cigna's Security Policies. Additionally, suppliers may be subject to a security review, including requirements such as completion of an extensive security questionnaire; assessment of security capabilities and maturity; inspection of evidence of compliance with Cigna's Security Policies; security alignment to service-specific industry standards, such as NIST, ISO, HIPAA, and Payment Card Industry standards, as appropriate; completion of application vulnerability assessments; site validation of attested controls from security questionnaires; and completion of a risk assessment. CIP continuously improves the company’s ability to identify and engage critical suppliers by annually assessing their security programs and continuously monitoring their public Internet presence.
- Security operations and monitoring – Security log data is fed into a centralized system, which performs event correlation and creates an alert if identified trigger events occur. Alerts are then assigned to a member of the enterprise threat management team for analysis. Alerts may be escalated to an incident level if warranted by an investigation. Cigna's global threat management team also monitors the security industry for the latest threats, exposures, and patches.
- Cybersecurity incident response planning – Cigna has a formal incident handling plan in which predefined escalation paths are followed when a cyber-incident occurs. The Enterprise Global Threat Management team works in cooperation with our managed security services partners to provide continuous coverage.
Additionally, CIP implements a broad spectrum of technical controls in connection with these processes, including data loss prevention, role-based access, application/desktop logging, and data encryption. Cigna also maintains several technologies that are used to enhance customers’ privacy, such as multi-factor authentication and enhanced web application firewall controls, including geo-fencing; brute-force logon mitigation; IP intelligence and reputational blocking; and bot detection and prevention.
The effectiveness of Cigna’s overall cybersecurity program is frequently evaluated by reputable and independent firms through various levels of controls assessments, such as external penetration tests, advanced attack simulations (red team exercises), and Service Organization Control (SOC) 2 audits. We also perform security controls benchmarking and monitor operational security metrics to identify opportunities to strengthen Cigna’s cybersecurity program.
Governance and Risk Management
Safeguarding our customer and business information is a top priority for Cigna. Consequently, we consistently evolve our Privacy and Information Protection programs to meet privacy and information protection risks. Our privacy and information protection risk management framework is a shared risk model, which strives to further integrate our privacy, information protection, and related enterprise risk management functions. In addition to our CIP team and Global Privacy Office, our practices include the following features:
Board of Directors – Cigna’s Board of Directors has ultimate oversight over the Company’s privacy and cybersecurity programs and strategy. The Board executes this oversight directly and through the Audit Committee of the Board. Together, the Board and Audit Committee ensure that the Company has risk management policies and processes in place to meet and mitigate evolving risks and threats. The Board and the Audit Committee are regularly briefed on issues related to the Company’s risk profile, including cybersecurity risks. These briefings are designed to provide visibility into the identification, assessment, and management of critical risks, audit findings, and management’s risk mitigation strategies. Management briefs the Audit Committee on an annual basis about Cigna’s cybersecurity and privacy strategy and program, with a focus on items such as current trends in the environment, incident preparedness, business continuity management, program governance, and program components, including updates on security processes, external testing, employee training, and awareness initiatives.
Cyber and Privacy Council – Cigna’s Cyber and Privacy Council (CPC) is composed of members of the Company’s Enterprise Leadership Team, including the Chief Information Officer, the Chief Privacy Officer, the Chief Information Security Officer, the Chief Compliance Officer, Corporate (Physical) Security, and Legal. The CPC is responsible for approving the cybersecurity and privacy strategy, roadmap and budget, setting the organization’s priorities, and driving alignment with the business.
Enterprise Risk Management – Enterprise Risk Management (ERM) is a Company-wide initiative that involves the Board, Cigna’s management, Cigna’s Chief Risk Officer and General Auditor (CRO), and the internal audit function. The ERM function is led by Cigna’s CRO, who reports functionally to Cigna’s Chief Financial Officer and administratively to the Audit Committee and Board of Directors. ERM is an integrated effort to (1) identify, assess, prioritize, and monitor a broad range of risks, including privacy and information protection risks, and (2) formulate and execute plans to monitor and, to the extent possible, mitigate the effect of those risks.
Business Integration – Our privacy and information protection programs have business liaisons – Privacy Stewards or International Privacy Leads/Officers and Information Protection Champions and Coordinators – that play critical roles in our program. Our business liaisons support privacy and information protection implementation by providing insight to make actions and messaging relevant at the local level. These liaisons strive to ensure that business and functional area employees have easy access to subject matter experts who can provide guidance, assist with answering questions, help with issues, and mitigate related privacy and information protection risks. Additionally, these liaisons assist in researching incidents and providing business-specific information to the Privacy and Information Protection teams to assist with incident analysis and resolution. Collectively, these efforts help drive privacy and security compliance across the enterprise.
Protocols to Respond Should Information Incidents Occur
Cigna has protocols in place that are designed to protect against disclosure or improper use of protected health information. Although we work hard to protect the privacy of our customers' information, we do experience information incidents. The costs to eliminate or address security threats and vulnerabilities before or after a cyber-incident could be significant or infeasible, and could potentially exceed the amount of cyber liability insurance carried by Cigna. We have experienced human errors and have been the target of unauthorized access attempts, phishing attacks, and other computer-related cyber-attacks.
In the event of a breach, Cigna has documented processes in place to ensure that all required notifications are sent to impacted clients, customers, and regulatory agencies. Customers are typically notified by mail, but may be notified by other means depending on the nature and scope of the incident. Cigna offers credit monitoring, at our expense, when there is risk of identity theft or other potential harms. In all cases, we strive to identify and remediate the root cause of the incident to prevent future occurrences.