Global Privacy and Information Protection

At Cigna, data and information are core to our operations, and we are committed to protecting our customers’ and clients’ right to privacy and value the trust they place in us. To serve our customers globally, Cigna must collect and use sensitive personal information about their health and well-being. Cigna maintains a robust privacy program to protect and appropriately utilize the information that our customers disclose.

Every day, Cigna’s computer systems are used to collect, store, and process high volumes of personal information in connection with the services we provide. Our business depends on our clients’ and customers’ willingness to entrust us with their health-related and other sensitive personal information and our ability to protect and use that information appropriately. As we continue to develop our health services offerings, Cigna’s privacy and information protection programs are designed to robustly protect that information.

The digital landscape continues to become more pervasive within business and throughout our personal lives. At the same time, technological advances continue to accelerate the adoption of connected devices, artificial intelligence, quantum computing, advanced robotics, blockchain, and other game-changing capabilities. Cybersecurity and privacy are only becoming more important in this dynamic environment.

Our operations span more than 30 countries and jurisdictions, all of which have unique laws related to the collection, storage, use, processing, transfer, disclosure, and destruction of personal information. We take these legal obligations very seriously. As such, we are committed to maintaining a globally compliant privacy and information protection program that aligns with international best practices and standards, including the Cybersecurity Framework of the National Institute of Standards and Technology (NIST) 800-53, ISO 27001, and ISO 27002. The latter two are information-security standards published by the International Organization for Standardization.

2020 Privacy Program Overview

In 2020, there were substantial updates to privacy laws and regulations as well as an unprecedented pandemic that strained our health care systems and required a reexamination of how we work and support our customers. In 2020, Cigna addressed the changing privacy needs for working and interacting with customers and clients in virtual environments; supported the increased use of telehealth; maintained the flow of information to support healthcare providers and client responses; and supported public health requirements. We also continued to expand our enterprise-wide privacy program. Our privacy compliance program is designed so that appropriate policies, training, reporting mechanisms, incident management protocols, and preventive measures are in place to prevent harm that may result from the failure to appropriately collect, use, share, and protect personal information.

In 2020, we continued to enhance our privacy governance practices in our U.S. and international markets and the tools and framework used to manage privacy incidents and data breaches. With the majority of our workforce working from home, we also provided strategic, risk-based guidance regarding the use of data and data sharing related to COVID-19 and legal requirements to prevent information blocking.

A Collective Effort – Privacy Requires Cross-Company Engagement

Protecting the privacy of our customers, employer clients, employees, and business partners is of the utmost importance to us. As such, it is part of Cigna’s Code of Ethics and Principles of Conduct (“Code”). We provide continuous training on the Code as well as specific training on privacy and information protection in order to cultivate an atmosphere in which every employee views themselves as responsible for ensuring the privacy of our stakeholders by adhering to our company’s data protection policies and practices.

As part of this effort, we also provide customers with a wealth of online resources regarding Cigna Information Privacy (“CIP”), including our Online and Mobile Privacy Statement, Notices of Privacy Practices, and Privacy Forms. Clients and customers are notified of any changes to our privacy practices, in accordance with applicable laws. We give customers information on how they can further protect their personal information, including their health information, as well as any potential uses of personally identifiable information. In support of Cigna's commitment to transparency of its privacy practices, Cigna provides notice to customers describing how their personal information may be used and disclosed by Cigna, and their rights related to such information, including how they may opt out or in to certain types of sharing.

Cigna’s Privacy Office works to protect personal information and comply with these various requirements through collaboration and coordination among its Enterprise Privacy Program, information protection program, and governance or risk management structure. These three aspects are key to supporting Cigna’s robust and compliant privacy program.

Our Privacy Programs

Cigna's Enterprise Privacy Program is responsible for:

  • Developing policies that support Cigna's governance and use of protected information, and providing advice on strategic initiatives;
  • Monitoring privacy and security laws and regulations, updating policies as necessary, and communicating changes to such policies;
  • Managing privacy risk and reporting privacy-related risks to Cigna management;
  • Creating and maintaining privacy training and privacy awareness efforts to educate employees about the importance of handling personal information with care;
  • Providing legal guidance on information incidents, breaches, and complaints and contracting with third parties that process personal data on Cigna's behalf;
  • Investigating and responding to potential privacy incidents, overseeing corrective action plans, and providing required notifications;
  • Ensuring compliance with applicable breach laws; and
  • Monitoring the effectiveness of the privacy programs.

Cigna Information Protection

A key objective of Cigna’s Information Protection (CIP) team is to keep customer, client, provider, and company data secure and available while enabling speed, scale, and trust. This team focuses on the convergence of technology and governance, ensuring Cigna’s business and customer information and systems are secure. 2020 required that we support and secure new ways to work and deliver simple, affordable, and predictable health care to our stakeholders. We also saw a significant increase in activity across the global cybersecurity threat landscape. To this end, CIP adapted its technology and procedures in addition to partnering with our business, technology, privacy, compliance, and legal teams to overcome these challenges.

The foundation of Cigna’s cybersecurity program is our enterprise-wide security policies and standards. CIP has aligned Cigna’s cybersecurity program and its security policies and standards with the NIST 800-53 Cybersecurity Framework. The NIST framework is an internationally recognized security control framework used by companies to assess and improve their ability to prevent, detect, and respond to cyberattacks. In addition to the NIST framework, CIP leverages the ISO 27001 and 27002 standards. NIST and ISO standards are internationally accepted and provide best practice recommendations for initiating, implementing, and maintaining information security management systems. Aligning with and leveraging these frameworks helps to ensure that Cigna’s cybersecurity and information protection programs remain relevant and appropriate in light of changes to the cybersecurity landscape and emerging technologies. CIP reviews Cigna's security policies and standards and updates them to facilitate compliance with international, regulatory, industry, and contractual requirements and recommendations.

In 2020, we continued to invest in cybersecurity to drive maturity, which has become a differentiator for Cigna in the marketplace. We also assigned a Deputy Chief Information Security Officer (DCISO) to each of Cigna’s three major business units (Evernorth, U.S. Medical, and International Markets). In 2021, we will continue to evolve our cybersecurity program and increase efficiencies across business and IT units. Among emerging trends, ransomware, attacks on remote workers, and email scams targeting the U.S. healthcare sector continue to be observed. By analyzing the events and lessons learned across the industry, we can accelerate efforts in our cybersecurity program in areas such as third-party security oversight.

Critical Security Processes

CIP is also responsible for the implementation and effective operation of the following critical security processes:

  • Cyber risk assessments – Cigna has a defined process in place to identify, quantify, assess, manage, and report on potential cyber risks as well as their respective risk levels and action plans to Cigna’s senior management and Board of Directors.
  • Application and infrastructure security assessments – Cigna uses a comprehensive system development life cycle (SDLC) framework that requires applications and related infrastructure to be reviewed and assessed by CIP before being implemented. CIP’s review is intended to verify Cigna's security policy requirements and standards. The framework includes network and website vulnerability assessments, which are performed using industry-standard scanning software.
  • Identity and access management – Access to Cigna’s information systems is managed using a role-based access control methodology, which defines the access a user receives to Cigna's information systems based on job function and includes a process to validate that user access rights remain appropriate over time. Privileged or elevated access to Cigna’s systems is subject to heightened internal approval requirements. By having proper security controls in place, Cigna is able to establish and maintain a holistic view of an individual’s digital identity. This ensures that employees have the minimal amount of access required to perform their jobs.
  • Security awareness and training – Cigna’s cybersecurity education and awareness program is focused on cybersecurity simulations; education and awareness content; compliance; and enforcement. Phishing simulations are conducted monthly and remedial training is administered as required. In addition to training on the Code, all employees are required to complete an annual cybersecurity training course. This training is complemented by ongoing security awareness messaging. Additionally, sponsored security awareness events are hosted throughout the year. In 2020, we also enhanced privacy trainings to include virtual working safeguards and distributed reminders and awareness communications to Cigna’s workforce to reinforce these safeguards.
  • Third-party security oversight – Suppliers that have access to, host, or transmit Cigna data are contractually required to comply with Cigna's Security Policies. Additionally, suppliers may be subject to a security review, including requirements such as completion of an extensive security questionnaire; assessment of security capabilities and maturity; inspection of evidence of compliance with Cigna's Security Policies; security alignment to service-specific industry standards, such as NIST, ISO, HIPAA, and Payment Card Industry standards, as appropriate; completion of application vulnerability assessments; site validation of attested controls from security questionnaires; and completion of a risk assessment. CIP continuously improves the company’s ability to identify and engage critical suppliers by annually assessing their security programs and continuously monitoring their public Internet presence. In 2020, CIP ensured appropriate safeguards were in place for vendors working remotely.
  • Security operations and monitoring – Security log data is fed into a centralized system, which performs event correlation and creates an alert if identified trigger events occur. Alerts are then assigned to a member of the enterprise threat management team for analysis. Alerts may be escalated to an incident level if warranted by an investigation. Cigna's global threat management team also monitors the security industry for the latest threats, exposures, and patches.
  • Cybersecurity incident response planning – Cigna has a formal incident handling plan in which predefined escalation paths are followed when a cyber incident occurs. The Enterprise Global Threat Management team works in cooperation with our managed security services partners to provide continuous coverage.

CIP implements a broad spectrum of technical controls in connection with these processes, including data loss prevention, role-based access, application/desktop logging, and data encryption. Cigna also maintains several technologies that are used to enhance customers’ privacy, such as multifactor authentication and enhanced web application firewall controls, including geo-fencing; brute force logon mitigation; IP intelligence and reputational blocking; and bot detection and prevention.
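The correlation-and-escalation flow described under security operations and monitoring, combined with the brute-force logon trigger mentioned above, can be illustrated with a small correlation routine. This is an added example, not Cigna's code; the log format, the failure threshold, the time window and the analyst queue name are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log lines; the key=value format is assumed.
SAMPLE_LOGS = """\
2020-06-01T10:00:01Z src=198.51.100.7 user=alice result=FAIL
2020-06-01T10:00:03Z src=198.51.100.7 user=alice result=FAIL
2020-06-01T10:00:05Z src=198.51.100.7 user=alice result=FAIL
2020-06-01T10:00:06Z src=198.51.100.7 user=alice result=FAIL
2020-06-01T10:00:08Z src=198.51.100.7 user=alice result=FAIL
2020-06-01T10:00:09Z src=198.51.100.7 user=alice result=SUCCESS
2020-06-01T10:05:00Z src=203.0.113.9 user=bob result=FAIL
2020-06-01T10:30:00Z src=203.0.113.9 user=bob result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")


def parse(line):
    """Parse one log line into (timestamp, source, user, result) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable lines are dropped rather than crashing the feed
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def correlate(lines, threshold=5, window=timedelta(minutes=2)):
    """Centralized correlation over a log feed (threshold and window assumed).

    Trigger event: at least `threshold` FAIL results from one source inside
    `window`. That creates an alert assigned to an analyst queue. A SUCCESS
    from the same source shortly after the burst escalates the alert to an
    incident, since the guessing may have worked.
    """
    failures = defaultdict(deque)   # src -> recent FAIL timestamps (sliding window)
    open_alerts = {}                # src -> alert record while the alert is open
    alerts = []
    for raw in lines:
        rec = parse(raw)
        if rec is None:
            continue
        ts, src, user, result = rec
        if result == "FAIL":
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and src not in open_alerts:
                open_alerts[src] = {"src": src, "user": user, "first_seen": q[0],
                                    "severity": "alert",
                                    "assigned_to": "threat-management-analyst"}
                alerts.append(open_alerts[src])
        elif src in open_alerts and ts - failures[src][-1] <= window:
            open_alerts[src]["severity"] = "incident"
            open_alerts[src]["note"] = f"successful logon for {user} after burst"
    return alerts
```

A real deployment would also carry the block-on-threshold action (the brute force logon mitigation itself) rather than only the alert, and would key the window per user as well as per source.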

Additionally, the effectiveness of Cigna’s overall cybersecurity program is frequently evaluated by reputable and independent firms through various levels of controls assessments such as external penetration tests, advanced attack simulations (red team exercises), and Service Organization Control (SOC) 2 audits. We also perform security controls benchmarking and monitor operational security metrics to identify opportunities to strengthen Cigna’s cybersecurity program.

Governance and Risk Management

We consistently evolve our privacy and information protection programs to meet current and foreseeable privacy and information protection risks. Our privacy and information protection risk management framework is a shared risk model, which strives to further integrate our privacy, information protection, and related enterprise risk management functions. In addition to our CIP team and Global Privacy Office, our practices include the following features:

Board of Directors – Cigna’s Board of Directors has ultimate oversight over the Company’s privacy and cybersecurity programs and strategy. The Board executes this oversight directly through both the Audit Committee, for cybersecurity purposes, and Compliance Committee, for privacy purposes. In these capacities, the Board is responsible for ensuring that the Company has risk management policies and processes in place to meet and mitigate evolving risks and threats. These committees, as well as the full Board, are briefed on cybersecurity and privacy issues. These briefings are designed to provide visibility about the identification, assessment, and management of critical risks, audit findings, and management’s risk mitigation strategies. Additionally, these briefings include information about current trends in the environment, incident preparedness, and various components of the company’s cybersecurity and privacy programs.

Cyber and Privacy Council – Cigna’s Cyber and Privacy Council (CPC) is composed of members of the Company’s Enterprise Leadership Team, including the Chief Information Officer, the Chief Privacy Officer, the Chief Information Security Officer, the Chief Compliance Officer, Corporate (Physical) Security, and Legal. The CPC is responsible for approving the cybersecurity and privacy strategy, road map, and budget; setting the organization’s priorities; and driving alignment with strategic business initiatives. This organization engages leadership to support and drive a culture of privacy and information protection throughout Cigna and promotes projects to support continual improvement of Cigna’s approach to the protection of information.

Enterprise Risk Management – Enterprise Risk Management (ERM) is a Company-wide initiative that involves the Board, Cigna’s management, Cigna’s Chief Risk Officer and General Auditor (CRO), and internal audit function. Led by Cigna’s CRO, ERM is designed to identify, assess, manage, and control risks that have an impact on the attainment of Cigna's strategic and financial goals.

Business Integration – Our privacy and information protection programs have business liaisons who play critical roles in our program. Our business liaisons support privacy and information protection implementation by providing insight to make actions and messaging relevant at the local level. Among other tasks, these liaisons assist in researching incidents and providing business-specific information to the Privacy and Information Protection teams to assist with incident analysis and resolution. The combination of these efforts helps drive privacy and security compliance across the enterprise.

Protocols to Respond to Potential Information Incidents

Cigna has protocols in place that are designed to protect against disclosure or improper use of protected health information. Although we work hard to protect the privacy of our customers' information, we do experience information incidents. The costs to eliminate or address security threats and vulnerabilities before or after a cyber-incident could be significant or infeasible, and potentially exceed the amount of cyber liability insurance carried by Cigna. We have experienced human errors and have been the target of unauthorized access attempts, phishing attacks, and other cyberattacks.

Cigna has documented processes for handling breaches, including playbooks and policies that establish Cigna’s incident response plan and describe each area’s responsibilities. This includes unifying practices across the organization, providing ongoing oversight over the incident response plans, and ensuring that current and emerging privacy and security threats are identified and addressed appropriately.

Cigna’s plans are tested regularly through simulated tabletop exercises involving stakeholders from relevant business areas to ensure readiness and identify opportunities to further strengthen our incident response.