Cyber attacks & privacy breaches continue to hit insurance industry hard

Failing to secure and safeguard confidential information can lead to privacy breaches, potentially harming clients and damaging reputations. We continue to hear of privacy breaches and cyber attacks in the insurance industry, for example:

Confidential information is information of a personal, financial, medical or other nature that must be handled confidentially. It’s imperative that everyone takes the necessary security measures to ensure the protection of any confidential information that they hold concerning clients, and in the case of BridgeForce, of our staff and advisors. Given the importance and sensitivity of confidential information, you should already have a privacy compliance program in place, including designating someone responsible for privacy compliance as well as a breach handling process. The policies and procedures within your compliance program should help ensure you’ve implemented sound practices to protect information and comply with privacy legislation, which include:

  • Taking appropriate training, and if you have staff or associate advisors, providing the required training to promote a good understanding of your policies and procedures relating to the protection of confidential information.
  • Having any service providers you employ or contract who have access to confidential information (e.g., IT service providers) sign confidentiality agreements.
  • Reviewing policies and procedures relating to the protection of confidential information regularly, to ensure they’re effective and being followed.
  • Adopting sound cybersecurity practices. Start by familiarizing yourself with the measures you should take. A good place to start might be the Government of Canada website, Get Cyber Safe. The BridgeForce compliance website also has a number of resources, specifically the section on Privacy & record retention & privacy breach procedure.

In an effort to ensure we’re working together should a breach occur, Sun Life is introducing a Privacy Incident Notification process. Please take a few minutes to review, and incorporate this process into your current privacy breach process.

Sun Life regards privacy and the safeguarding of Client personal information as being of the highest importance. With this in mind, Sun Life has created a detailed Privacy Incident Notification process to guide Advisors on how to handle a privacy incident. This process outlines:

  1. The definition of a privacy incident.
  2. Who to notify, and how, in the event of an incident.
    • The person responsible for privacy compliance should report directly to Sun Life, copying in BridgeForce, using Sun Life’s Privacy Incident Notification Document.
    • Alternatively, contact your BridgeForce office to discuss next steps; have your privacy breach policy handy.
  3. Sun Life’s role.

Sun Life asks that you review, implement and follow this process to ensure the timely reporting of any potential privacy incident. This will allow them to review the situation, take the appropriate steps and ensure any legal/regulatory obligations are met.

If you have questions about Sun Life’s Privacy Incident Notification process, please reach out to the Compliance team at Qualbus@sunlife.com.
