At Cigna, we respect our customers’ and clients’ right to privacy and value the trust they place in us. We are committed to the responsible management, use, and protection of our customers’ personal information. Every day, Cigna’s computer systems are used to collect, store, and process high volumes of sensitive personal information in connection with the services we provide. Our business depends on our clients’ and customers’ willingness to entrust us with their health-related and other sensitive personal information.
As a global business, Cigna operates in many different countries that have unique laws related to the collection, storage, use, processing, transfer, disclosure, and destruction of personal information. Cigna takes these legal obligations very seriously. We are committed to maintaining a globally compliant privacy and information protection program that aligns with international best practices and standards, including the Cybersecurity Framework of the National Institute of Standards and Technology (“NIST”) and ISO 27001 and ISO 27002, which are information security standards published by the International Organization for Standardization (as further described below under “Cigna Information Protection”). We believe our approach is competitively distinct, and we will continue to work to build and maintain trust and confidence with our new and existing customers, clients, and business partners.
A Collective Effort
Protecting the privacy of our customers, clients, workforce members, and other business partners is an inherent part of Cigna’s Code of Ethics and Principles of Conduct. We train our workforce members to understand that privacy and information protection is “Everyone’s Responsibility”. We strive to foster and enable trusted relationships in part by being transparent and working zealously to protect the personal information our customers entrust to us.
As part of this effort, we aim to provide customers with a wealth of online resources regarding Cigna Privacy Information, which includes our Online and Mobile Privacy Statement and notices of privacy practices and privacy forms. We also provide customers with information on how to further protect their personal information, including their personal health information and any potential uses of personally identifiable information.
Our Privacy Programs
Cigna's U.S. and International Privacy Programs are responsible for:
- Developing policies that support Cigna's privacy governance programs
- Monitoring privacy and security laws and regulations, updating policies as necessary, and communicating changes to such policies
- Managing privacy risk and control assessment
- Creating and maintaining privacy training and privacy awareness efforts to educate Cigna associates about the importance of handling private information with care
- Providing legal guidance on information incidents, breaches, and complaints
- Monitoring the effectiveness of the privacy programs
- Reporting privacy-related risks to Cigna management
Cigna Information Protection
Cigna Information Protection (“CIP”) is the unit within our business that focuses on technology and governance to help ensure that Cigna’s business and customer information and systems are secure. CIP focuses on behaviors and technology needed to safeguard information from unauthorized or inappropriate access, use, or disclosure.
Policies and Standards
A key part of Cigna’s cyber security program is Cigna’s enterprise-wide security policies and standards. CIP has aligned Cigna’s cyber security program and its security policies and standards with the NIST Cybersecurity Framework. The NIST Cybersecurity Framework is an internationally recognized framework of security outcomes and controls used by companies to assess and improve their ability to prevent, detect, and respond to cyber-attacks. In addition to the NIST framework, CIP also leverages the internationally accepted standards ISO 27001 and ISO 27002, which respectively specify requirements for, and provide best practice recommendations for, establishing, implementing, and maintaining information security management systems. We believe that aligning with and leveraging these frameworks helps to ensure that Cigna’s cyber security and information protection program remains relevant and appropriate in light of changes to the cybersecurity landscape and emerging technologies. CIP reviews Cigna's security policies and standards and updates them regularly to facilitate compliance with regulatory, industry, and contractual requirements and recommendations.
Critical Security Processes
CIP is also responsible for the implementation and effective operation of the following critical security processes:
- Cyber risk assessments. Cigna has a defined process in place to identify, quantify, assess, manage, and report on potential cyber risks and their respective risk levels and action plans to Cigna’s senior management and Board of Directors (further discussed below under “Governance and Risk Management Practices”).
- Application and infrastructure security assessments. Cigna uses a comprehensive system development life cycle (SDLC) framework that requires applications and related infrastructure to be reviewed and assessed by CIP before they are implemented into production. CIP’s review is intended to verify compliance with Cigna's security policy requirements and standards. The framework includes network and website vulnerability assessments, which are performed using industry-standard scanning software.
- Identity and access management. Access to Cigna’s information systems is managed using a role-based access control methodology, which defines the access a user receives to Cigna's information systems based on job function and includes a process to validate that user access rights remain appropriate over time. Privileged or elevated access to Cigna’s systems is subject to heightened internal approval requirements.
- Security awareness and training. Cigna’s security awareness and training program includes initial security awareness training for new employees and contractors, followed by ongoing, annual security awareness refresh courses. New employees must sign an acknowledgement, showing receipt and understanding of the responsibility to comply with Cigna’s Code of Ethics, including the Cigna Information Protection policy. Employees also must provide an annual affirmation of this policy. Developers and privileged users are subject to additional security training requirements due to the increased inherent risk associated with these roles.
- Third party security oversight. Suppliers that have access to, host, or transmit Cigna data are contractually required to comply with Cigna's Security Policies. Suppliers also may be subject to a security review, including requirements such as completion of an extensive security questionnaire; assessment of security capabilities and maturity; inspection of evidence of compliance with Cigna's Security Policies; security alignment to service-specific industry standards, such as NIST, ISO, HIPAA, and Payment Card Industry standards, as appropriate; completion of application vulnerability assessments; site validation of controls attested to in the security questionnaire; and completion of a risk assessment.
- Security operations and monitoring. Security log data is fed into a centralized system, which performs event correlation and creates an incident if identified trigger events occur. Incidents are then assigned to a member of the enterprise threat management team for analysis. Cigna's enterprise threat management team also monitors the security industry for the latest threats, exposures, and patches.
- Cyber security incident response planning. Cigna has a formal incident handling plan in which predefined escalation paths are followed when a cyber-incident occurs. The global enterprise threat management team works in cooperation with our managed security services partners to provide continuous coverage.
Additionally, Cigna Information Protection implements a broad spectrum of technical controls in connection with these processes, including data loss prevention, role-based access, application and desktop logging, data encryption, and others. Cigna also maintains several technologies that are used to enhance customers’ privacy, such as multi-factor authentication and enhanced web application firewall controls including geo-fencing, brute force logon mitigation, IP intelligence and reputational blocking, and bot detection and prevention.
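The monitoring pipeline described above (log data centralized, correlated, and turned into an incident when trigger events occur) and the brute force logon and IP reputation controls are easiest to see in miniature. The following is an added example written for this page; it is not Cigna's code and nothing about Cigna's actual log format, thresholds, or intelligence feeds is known from the report. The log line format, the 5-failures-in-60-seconds threshold, and the reputation blocklist are all assumptions, and the log lines are constructed. Correlating failures by source address rather than by user account is a deliberate choice: it also catches password spraying, where an attacker tries one password against many accounts and never exceeds a per-account threshold.

```python
"""Added example: event correlation over authentication log lines.

Not Cigna's code. The log format, thresholds and blocklist below are
assumptions made for illustration; the log lines are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "timestamp user src_ip result" format.
# 203.0.113.7 fails five times within 60 s across three accounts (a spray),
# 192.0.2.44 logs in successfully but is on the reputation blocklist,
# 198.51.100.9 has a single isolated failure and should not trigger anything.
SAMPLE_LOGS = """\
2018-06-01T10:00:01Z alice 203.0.113.7 FAIL
2018-06-01T10:00:03Z alice 203.0.113.7 FAIL
2018-06-01T10:00:04Z bob 198.51.100.9 OK
2018-06-01T10:00:06Z alice 203.0.113.7 FAIL
2018-06-01T10:00:08Z carol 203.0.113.7 FAIL
2018-06-01T10:00:09Z dave 203.0.113.7 FAIL
2018-06-01T10:00:30Z alice 203.0.113.7 OK
2018-06-01T10:05:00Z erin 192.0.2.44 OK
2018-06-01T10:30:00Z bob 198.51.100.9 FAIL
"""

# Assumed reputation blocklist (constructed). A real deployment would feed this
# from threat intelligence rather than a hard-coded set.
BAD_IPS = {"192.0.2.44"}

THRESHOLD = 5                   # failed logons per source within the window
WINDOW = timedelta(seconds=60)  # sliding window for the brute force rule


@dataclass
class Event:
    ts: datetime
    user: str
    src_ip: str
    result: str


@dataclass
class Incident:
    rule: str
    src_ip: str
    first_seen: datetime
    last_seen: datetime
    users: list


def parse(line: str) -> Event:
    """Parse one line of the assumed 'timestamp user src_ip result' format."""
    ts, user, src_ip, result = line.split()
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, src_ip, result)


def correlate(lines, threshold=THRESHOLD, window=WINDOW, bad_ips=BAD_IPS):
    """Run two trigger rules over the log stream and emit Incident records.

    Rule 'ip_reputation': any logon attempt, successful or not, from a
    blocklisted source address.
    Rule 'brute_force': at least `threshold` failed logons from one source
    within `window`, keyed on source address so that spraying many accounts
    from one host is still caught. One incident per source, not one per hit.
    """
    incidents = []
    recent_fails = defaultdict(deque)  # src_ip -> failed events inside the window
    alerted = set()                    # sources already escalated for brute force

    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse(raw)

        if ev.src_ip in bad_ips:
            incidents.append(Incident("ip_reputation", ev.src_ip, ev.ts, ev.ts, [ev.user]))

        if ev.result != "FAIL":
            continue

        q = recent_fails[ev.src_ip]
        q.append(ev)
        # Drop failures that have aged out of the sliding window.
        while q and ev.ts - q[0].ts > window:
            q.popleft()

        if len(q) >= threshold and ev.src_ip not in alerted:
            alerted.add(ev.src_ip)
            users = sorted({e.user for e in q})
            incidents.append(Incident("brute_force", ev.src_ip, q[0].ts, ev.ts, users))

    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOGS.splitlines()):
        print(f"{inc.rule:14} {inc.src_ip:15} {inc.first_seen:%H:%M:%S}-{inc.last_seen:%H:%M:%S} users={inc.users}")
```

On the constructed input this yields exactly two incidents: a brute_force incident for 203.0.113.7 naming alice, carol and dave, and an ip_reputation incident for 192.0.2.44. The lone failure from 198.51.100.9 stays below threshold and produces nothing, which is the point of correlation: the analyst receives one incident per source rather than one alert per log line.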
The effectiveness of Cigna’s overall cyber security program is frequently evaluated by reputable and independent firms through various levels of controls assessments, such as external penetration tests, advanced attack simulations (red team exercises), and Service Organization Control (SOC) 2 audits. We also perform security controls benchmarking and monitor operational security metrics to identify opportunities to strengthen Cigna’s cyber security program.
In 2018, we increased our investment in technical capabilities and expanded our information security staff. We matured our threat intelligence and threat hunting capabilities by automating the collection and analysis of intelligence feeds, and further enhanced our monitoring of third party suppliers. We also developed a Mergers and Acquisitions playbook that documents CIP’s approach to the cyber security practices of acquired companies.
Looking ahead, we will continue to enhance and mature our cyber security program. For 2019, CIP is focused on increasing the level of automation of security processes to gain additional operational efficiencies; building more secure applications by enabling developers to identify and resolve vulnerabilities earlier; and implementing next-generation controls for Identity and Access Management. Another priority for CIP will be the integration of Express Scripts’ information systems and information protection practices and policies.
Governance and Risk Management Practices
Safeguarding our customer and business information is a top priority at Cigna, and we consistently evolve our Privacy and Information Protection programs as privacy and information protection risks evolve. Our privacy and information protection risk management framework is a shared risk model, which strives to further integrate our privacy, information protection, and related enterprise risk management functions. In addition to our Cigna Information Protection team, Cigna’s practices include the following features.
Board of Directors
Cigna’s Board of Directors has ultimate oversight over the Company’s cyber security program and strategy. The Board executes this oversight both directly and through its Audit Committee. Together, the Board and the Audit Committee ensure that the Company has cyber risk management policies and processes in place. The Board and the Audit Committee are regularly briefed on issues related to the Company’s risk profile, including cyber security risks. These briefings are designed to provide visibility about the identification, assessment, and management of critical risks, audit findings, and management’s risk mitigation strategies.
Management briefs the Audit Committee on an annual basis about Cigna’s cyber security and privacy strategy and program, with a focus on items such as current trends in the environment, incident preparedness, business continuity management, program governance, and program components, including updates on security processes, external testing, and employee training and awareness initiatives. In addition, the Company’s Chief Information Officer meets with the Audit Committee in executive session at least annually.
Cyber and Privacy Council
Cigna’s Cyber and Privacy Council (CPC) is composed of members of the Company’s Enterprise Leadership Team, including the Chief Information Officer, as well as the Chief Privacy Officer, the Chief Information Security Officer, the Chief Compliance Officer, Corporate (Physical) Security, and Legal. The CPC is responsible for approving the cyber security and privacy strategy, roadmap, and budget, setting the organization’s priorities and driving alignment with the business.
Enterprise Risk Management
Enterprise Risk Management (ERM) is a Company-wide initiative that involves the Board, Cigna’s management, Cigna’s Chief Risk Officer and General Auditor (CRO), and the internal audit function. The ERM function is led by Cigna’s CRO, who reports functionally to Cigna’s Chief Financial Officer and administratively to the Audit Committee and Board of Directors. ERM is an integrated effort to (1) identify, assess, prioritize, and monitor a broad range of risks, including privacy and information protection risks, and (2) formulate and execute plans to monitor and, to the extent possible, mitigate the effect of those risks.
Our privacy and information protection programs have business liaisons (Privacy Stewards or International Privacy Leads/Officers, and Information Protection Champions and Coordinators) that play critical roles in our program. Our business liaisons support privacy and information protection implementation by providing insight that makes actions and messaging relevant at the local level. These liaisons strive to ensure that business and functional area employees have easy access to subject matter experts who can provide guidance, answer questions, help with issues, and mitigate related privacy and information protection risks. Together, these efforts help drive privacy and security compliance across the enterprise.
Protocols to Respond Should Information Incidents Occur
Although we work hard to protect the privacy of our customers' information, we do experience information incidents. The costs to eliminate or address security threats and vulnerabilities before or after a cyber-incident could be significant and could potentially exceed the amount of cyber liability insurance carried by Cigna. We have experienced human errors and have been the target of computer viruses or other malicious code, unauthorized access, cyber-attacks, and other computer-related penetrations. In the event of a breach, the Privacy Office strives to contain the incident in a timely manner, notify affected individuals as quickly as possible, and, when the situation warrants, provide credit monitoring. In addition, we identify and remediate the root cause of the issue when necessary.
Disclaimer: The report covers calendar year 2018 and unless otherwise noted, excludes the combination with Express Scripts, which closed on December 20, 2018.