Our Commitment to Cybersecurity

Institutional Asset Management Solutions

The Employee Benefits Security Administration (EBSA) of the U.S. Department of Labor (DOL) provides guidance on cybersecurity directed at plan sponsors and fiduciaries regulated by ERISA (the Employee Retirement Income Security Act of 1974), and at plan participants and beneficiaries.

At PNC Institutional Asset Management® (PNC IAM), we recognize the obligation of our retirement plan clients to monitor the cybersecurity practices of service providers to the plan. We are proud of the measures PNC has taken and the ongoing enhancements we deliver each year to help protect our clients’ data and assets.

View Additional Resources for Retirement Plan Sponsors

Best Practices

The EBSA prepared a list of best practices for use by recordkeepers and other service providers responsible for plan related IT systems and data, and for plan fiduciaries making prudent decisions on the service providers they should hire. According to the EBSA, plan service providers should do each of the things listed on the left, below. On the right, you’ll see what PNC is doing to adhere to these practices. We provide this overview so that as a plan fiduciary, you can be confident that PNC IAM is in alignment with the DOL’s best practices.

EBSA United States DOL Cybersecurity Program Best Practices PNC Practices
Have a formal, well documented cybersecurity program. As a regulated financial institution, PNC maintains a comprehensive cybersecurity program aligned to industry best practices. Please see attached Security Overview document and visit the Security and Privacy Center for additional pertinent information.
Conduct prudent annual risk assessments. Risk assessments are performed at least annually and when there are any significant changes to controls or technology.
Have a reliable annual third-party audit of security controls. Service Organization Controls (SOC) reporting may be provided to our clients subject to the establishment of the appropriate confidentiality protections.
Clearly define and assign information security roles and responsibilities. PNC has a dedicated cybersecurity team of highly skilled information security experts in defined roles within the organization.
Have strong access control procedures. Access Management is PNC’s program for governing access to information systems and technology and tailoring such access and misuse of data are in place. PNC’s Access Management Program is designed to provide integrity, privacy, and consistency of financial, business, and customer information through data ownership, appropriate access, and governance.
Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments. The Third-Party Assurance (TPA) team within Security is responsible and accountable for evaluating the security of PNC’s Third-Party service providers. The TPA Team is comprised of Information Risk professionals following control frameworks built upon industry standard assessment methodologies. The Team is organized to review domestic and global suppliers to identify and mitigate risk, protecting PNC customer and employee information assets. The Third-Party Assessment program aligns with regulatory guidance.
Implement and manage a secure system development life cycle (SDLC) program. The PNC Secure SDLC program is aligned to industry best practices and injects security and risk management within all aspects and phase gates of the systems development life cycle.
Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.

The PNC Business Continuity Management Program is based on a defined methodology that is aligned to industry best practices and the Federal Financial Institutions Examination Council (FFIEC) Guidelines. The program methodology has four embedded components:

  1. Business Impact Analysis – prioritization of business recovery and its necessary components based on potential loss implications;
  2. Risk Assessment – assessment of the likelihood and potential impact of threats that may lead to a business disruption;
  3. Planning and Mitigation – establishment and ongoing maintenance of recovery plans for business processes and their interrelated components; and,
  4. Recovery Testing – conducting periodic recovery testing of PNC’s critical processes and components.
Encrypt sensitive data, stored and in transit. Industry standard encryption tools are used to protect confidential data during transmission and at rest, where deemed necessary to meet PNC risk management objectives.
Implement strong technical controls in accordance with best security practices. As a regulated financial institution, PNC is aligned to National Institute of Standards and Technology (NIST) Special Publication (SP) 800 series, put forth by the United States Department of Commerce. This is an ever-growing set of computer security documents as part of Federal Information Security Management Act of 2002 (FISMA) compliance.
Appropriately respond to any past cybersecurity incidents. PNC monitors our systems and utilizes sophisticated layers of technology to protect the PNC network, customer accounts, and personal information. PNC's Security team actively monitors various external information channels about active threats, attacks, and vulnerabilities being reported or exploited. Depending on the information, our security intelligence, incident response, operations, and vulnerability management teams evaluate the reporting and assess impact and response for PNC.

PNC’s Corporate Information Security Program

Below is an overview of PNC’s Information Security, Data Protection, and Business Resiliency policies. These policies are reviewed regularly for alignment with regulatory guidance with a high level of focus on security, privacy, and resiliency for our clients.

Information Security

Information Security relates to the protection of PNC information systems, proprietary data, and customer information. The Information Security Program governs access to, and use of, PNC information and information assets, leveraging accepted information security industry standards. The program is designed to help safeguard our client and company assets from external and internal information security threats. The PNC Program provides: 

  • An organizational framework with clear responsibilities and accountabilities for managing and reporting information security risks and threats. 
  • Processes and procedures for identifying, assessing and mitigating security risks to information assets inherent in ongoing business and operational activities. 
  • A control infrastructure to manage security risks within established risk tolerances. 

PNC’s Information Security team works proactively to identify and contain threats and help defend our infrastructure. We have dedicated resources focusing on areas including access control, control integrity, vendor management, security architecture, network intrusion detection, vulnerability management, data loss prevention and incident response. In addition, we proactively manage an active cyber intelligence collection and sharing program.

In furtherance of these objectives, PNC’s Information Security program is organized into the following major functional areas: 

I. Access Management: Access Management is PNC’s program for governing access to information systems and technology and tailoring such access to that which is needed for employees to perform their job functions. Security controls designed to prevent unauthorized access and misuse of data are in place. PNC’s Access Management Program offers integrity, privacy, and consistency of financial, business and customer information through data ownership, appropriate principle of least privilege access and governance. 

II. Security Assessment: Security Assessment manages the risk to PNC from the use of third-party suppliers and new technology, providing corporate customers information concerning the security controls PNC employs to manage information security risks within the PNC products and services they utilize. 

III. Security Awareness: The Security Awareness Program is comprised of three pillars that support employee education: 

  • Security Awareness Training – provided to all new hires and required again for employees on a regular cadence. 
  • Social Engineering Attack Testing – phishing and vishing tests provided to employees on a regular cadence. 
  • Security Awareness Communication - identify relevant and targeted communications to heighten awareness for emerging topics and identified threats. These communications are both internal and external (for our customers). 

IV. Cryptographic Management: Cryptographic Management provides enterprise PKI and key management services to position Information Security to protect and defend PNC. 

V. Security Fusion Center: PNC is tasked to prevent, detect, respond and neutralize unwanted activity potentially posing a threat to PNC’s enterprise network. PNC protects information assets by centrally monitoring, tracking and responding to suspicious or malicious activity against PNC. To effectively deal with the various enterprise cyber attacks, teams work cohesively to deliver streamlined cyber security operations to protect the enterprise. PNC develops and periodically performs tabletop exercises to ensure relevancy and sufficiency of the response plans in preparation for an incident response. Response plans provide assurance that tactics, techniques, and actions are primed to respond to emerging threats and support remediation. Periodic tabletop exercises are conducted to simulate real incident response using response plans. The program also provides identification and analysis of emerging risks and threats across the technology landscape. 

VI. Vulnerability Assessment & Penetration Testing: Provides security penetration testing, code checking capabilities, vulnerability scanning capabilities and manages, and tracks identified vulnerabilities. The scope of this program covers network and technical infrastructure in addition to applications. 

VII. Security Engineering: Provides management of security infrastructure, issue resolution, deploys, operates and maintains security technologies utilized by Information Security. 

VIII. Security Architecture: Provides security guidance and the design. Provides security consulting to other teams within Information Security and the enterprise. 

IX. Cloud Security: Enables secure cloud consumption by deploying automated detective, corrective, and preventative controls in PNC’s cloud service provider tenants. 

X. Adaptive Trust: The primary focus is to ensure cohesive execution of PNC’s adaptive trust strategy based off Zero Trust architecture principles. This organizes efforts across various technologies and teams into one cohesive program. 

XI. Adversarial Simulation: Pressure tests and validates that detective and preventative controls are working effectively when exercised in an adversary-like attack simulation. 

Data Protection

PNC Information Security Policies establish roles, responsibilities, standards and procedures for both physical and electronic data protection. These policies are implemented throughout the enterprise with specific focus on data centers and major operational facilities. 

PNC identifies and manages the security of its information assets according to these policies. Each asset has an owner responsible for implementing appropriate data security controls, authorizing access and monitoring the effectiveness of the controls. 

PNC information assets are classified based on the confidentiality, integrity and availability characteristics of the data. Specific control requirements are established and implemented for each classification. These controls include both technology-based controls and administrative controls designed to meet PNC risk management objectives. 

The PNC Access Management Program provides electronic access to PNC data and data processing assets based on the access needed to perform job responsibilities by applying the following security and privacy principles: 

  • “Need to Know,” which takes a risk‐based approach to granting sufficient access needed to complete a job task. 
  • “Segregation of Duties,” which require that an individual cannot execute an end‐to‐end business transaction or administrative technical command without the assistance or oversight of a second party. 

PNC deploys industry standard tools for Data Leakage Prevention to protect confidential data from unauthorized transmission, storage and disclosure. Industry standard encryption tools are used to protect confidential data during transmission and at rest, where deemed necessary to meet PNC risk management objectives (e.g. laptop computers and mobile devices). 

Physical and environmental controls are implemented to protect data centers and major operational facilities. These include controls and surveillance over physical access to the facilities and restricted areas within the facilities. PNC also meets industry standards and local codes for fire protection, water protection and electrical protection of our information assets.

Additional Resources

Contact Us

For additional questions about PNC’s cybersecurity practices,
please reach out to your PNC representative.