Our Commitment to Cybersecurity

Institutional Asset Management Solutions

On April 14, 2021, the Employee Benefits Security Administration (EBSA) of the U.S. Department of Labor (DOL) announced its first-ever guidance on cybersecurity directed at plan sponsors and fiduciaries regulated by ERISA (the Employee Retirement Income Security Act of 1974), and at plan participants and beneficiaries.

The DOL has already begun its audit initiative focusing on retirement plan cybersecurity practices. At PNC Institutional Asset Management® (PNC IAM), we recognize the obligation of our retirement plan clients to monitor the cybersecurity practices of service providers to the plan. We are proud of the measures PNC has taken and the ongoing enhancements we deliver each year to help protect our clients’ data and assets.

Best Practices

The EBSA prepared a list of best practices for use by recordkeepers and other service providers responsible for plan-related IT systems and data, and for plan fiduciaries making prudent decisions on the service providers they should hire. According to the EBSA, plan service providers should do each of the things listed below; each EBSA practice is followed by a description of what PNC is doing to adhere to it. We provide this overview so that, as a plan fiduciary, you can be confident that PNC IAM is in alignment with the DOL’s best practices.

EBSA (United States DOL) Cybersecurity Program Best Practices and the corresponding PNC Practices

Have a formal, well documented cybersecurity program.

As a regulated financial institution, PNC maintains a comprehensive cybersecurity program aligned to industry best practices. Please see attached Security Overview document and visit the Security and Privacy Center for additional pertinent information.

Conduct prudent annual risk assessments.

Risk assessments are performed at least annually and when there are any significant changes to controls or technology.

Have a reliable annual third-party audit of security controls.

Service Organization Controls (SOC) reporting may be provided to our clients subject to the establishment of the appropriate confidentiality protections.

Clearly define and assign information security roles and responsibilities.

PNC has a dedicated cybersecurity team of highly skilled information security experts in defined roles within the organization.

Have strong access control procedures.

Access Management is PNC’s program for governing access to information systems and technology and tailoring such access to that which is needed for employees to perform their job functions. Security controls designed to prevent unauthorized access and misuse of data are in place. PNC’s Access Management Program is designed to provide integrity, privacy, and consistency of financial, business, and customer information through data ownership, appropriate access, and governance.

Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.

The Third-Party Assurance (TPA) team within Security is responsible and accountable for evaluating the security of PNC’s third-party service providers. The TPA team is composed of Information Risk professionals following control frameworks built upon industry-standard assessment methodologies. The team is organized to review domestic and global suppliers to identify and mitigate risk, protecting PNC customer and employee information assets. The Third-Party Assessment program aligns with regulatory guidance.

Conduct periodic cybersecurity awareness training.

PNC requires cybersecurity awareness and privacy training for all employees and contractors at hire and annually thereafter. Additionally, phishing exercises are executed throughout the year and there is an annual “spotlight month” of cybersecurity awareness which provides additional cybersecurity insights to PNC employees.

Implement and manage a secure system development life cycle (SDLC) program.

The PNC Secure SDLC program is aligned to industry best practices and injects security and risk management within all aspects and phase gates of the systems development life cycle.

Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.

The PNC Business Continuity Management Program is based on a defined methodology that is aligned to industry best practices and the Federal Financial Institutions Examination Council (FFIEC) Guidelines. The program methodology has four embedded components:

  1. Business Impact Analysis – prioritization of business recovery and its necessary components based on potential loss implications;
  2. Risk Assessment – assessment of the likelihood and potential impact of threats that may lead to a business disruption;
  3. Planning and Mitigation – establishment and ongoing maintenance of recovery plans for business processes and their interrelated components; and,
  4. Recovery Testing – conducting periodic recovery testing of PNC’s critical processes and components.

Encrypt sensitive data, stored and in transit.

Industry standard encryption tools are used to protect confidential data during transmission and at rest, where deemed necessary to meet PNC risk management objectives.

Implement strong technical controls in accordance with best security practices.

As a regulated financial institution, PNC is aligned to the National Institute of Standards and Technology (NIST) Special Publication (SP) 800 series, put forth by the United States Department of Commerce. This is an ever-growing set of computer security documents published in support of compliance with the Federal Information Security Management Act of 2002 (FISMA).

Appropriately respond to any past cybersecurity incidents.


PNC monitors our systems and utilizes sophisticated layers of technology to protect the PNC network, customer accounts, and personal information. PNC’s Security team actively monitors various external information channels about active threats, attacks, and vulnerabilities being reported or exploited. Depending on the information, our security intelligence, incident response, operations, and vulnerability management teams evaluate the reporting and assess impact and response for PNC.

PNC’s Corporate Information Security Program

Below is an overview of PNC’s Information Security, Data Protection, and Business Resiliency policies. These policies are reviewed regularly for alignment with regulatory guidance with a high level of focus on security, privacy, and resiliency for our clients.

Information Security

Information Security relates to the protection of PNC information systems, proprietary data, and customer information. The Information Security Program governs access to, and use of, PNC information and information assets, leveraging accepted information security industry standards. The program is designed to safeguard our client and company assets from external and internal information security threats. The PNC Program provides:

  • An organizational framework with clear responsibilities and accountabilities for managing and reporting information security risks and threats.
  • Processes and procedures for identifying, assessing, and mitigating security risks to information assets inherent in ongoing business and operational activities.
  • A control infrastructure to manage security risks within established risk tolerances.

PNC’s Information Security team works proactively to identify, contain and mitigate threats and defend our systems, networks and data. We have experience in areas including access control, control integrity, vendor management, security architecture, network intrusion detection, vulnerability management, data loss prevention and incident response. In addition, we maintain an active cyber intelligence collection and sharing program.

In furtherance of these objectives, PNC’s Information Security program is organized into the following major functional areas:

  1. Access Management: Access Management is PNC’s program for governing access to information systems and technology and tailoring such access to that which is needed for employees to perform their job functions. Security controls designed to prevent unauthorized access and misuse of data are in place. PNC’s Access Management Program provides integrity, privacy and consistency of financial, business and customer information through data ownership, appropriate access and governance.
  2. Control Integrity: Control Integrity seeks to provide a stable, resilient and reliable operating environment by applying security controls, hardening standards, Line of Business (LOB) security liaisons, and secure development rigor across the PNC enterprise.
  3. Security Assessment & Awareness: Security Assessment & Awareness manages the risk to PNC from the use of third party suppliers and provides corporate customers information concerning the security controls PNC employs to manage information security risks within the PNC products and services they utilize. The program also provides training to PNC staff on information security threats to help manage risk.
  4. Cryptographic Management: Cryptographic Management provides enterprise PKI and key management services to position Information Security to protect and defend PNC.
  5. Cyber Operations: PNC’s Cyber Operations team is tasked with preventing, detecting, responding to and neutralizing hostile actors and malicious software posing a potential threat to PNC’s enterprise network. Cyber Operations protects information assets by centrally facilitating the monitoring, tracking and response to suspicious or malicious activity against PNC. To deal effectively with the various enterprise cyber attacks, Cyber Operations is composed of teams working cohesively to deliver streamlined cybersecurity operations to protect the enterprise. The program also provides identification and analysis of emerging risks and threats across the technology landscape.
  6. Vulnerability Assessment & Penetration Testing: The Ethical Hacking Team provides security penetration testing and code checking capabilities to the PNC Enterprise. The Attack Surface Management Team provides vulnerability scanning capabilities. The scope of this program covers network and technical infrastructure in addition to the inventory of applications, including remediation and tracking of identified vulnerabilities.
  7. Security Engineering & Architecture (SEA): SEA provides comprehensive management of security infrastructure, issue resolution, security architecture guidance and the design and deployment of new security solutions. The SEA team also provides expert level consulting to other teams within Information Security and PNC. The SEA team deploys, operates and maintains security products and technologies utilized by Information Security.

Data Protection

PNC Information Security Policies establish roles, responsibilities, standards and procedures for both physical and electronic data protection. These policies are implemented throughout the enterprise with specific focus on data centers and major operational facilities.

PNC identifies and manages the security of its information assets according to these policies. These assets include data (in any form) as well as processing equipment, storage media, network components, devices and similar items used to process, store, transmit or display information. Each asset has an owner responsible for implementing appropriate data security controls, authorizing access and monitoring the effectiveness of the controls.

PNC information assets are classified based on the confidentiality, integrity and availability characteristics of the data. Specific control requirements are established and implemented for each classification. These controls include both technology based controls and administrative controls designed to meet PNC risk management objectives.

The PNC Access Management Program provides electronic access to PNC data and data processing assets based on the access needed to perform job responsibilities by applying the following security/privacy principles:

  • “Risk to Know,” which takes a risk‐based approach to granting sufficient access needed to complete a job task.
  • “Segregation of Duties,” which requires that an individual cannot execute an end‐to‐end business transaction or administrative technical command without the assistance or oversight of a second party.

PNC deploys industry standard tools for Data Leakage Prevention to protect confidential data from unauthorized transmission, storage and disclosure. Industry standard encryption tools are used to protect confidential data during transmission and at rest, where deemed necessary to meet PNC risk management objectives (e.g. laptop computers and mobile devices).

Physical and environmental controls are implemented to protect data centers and major operational facilities. These include controls over physical access to the facilities and restricted areas within the facilities, video surveillance of sensitive areas by on-site security personnel, and alarm systems utilizing motion detection, infrared detection and electronic contacts for doors. PNC also meets industry standards and local codes for fire protection, water protection and electrical protection of our information assets.

Business Continuity

Business continuity management provides a framework for building organizational resiliency and recovery capabilities that enable an effective response to business disruptions. Our program is designed to safeguard the interests of key stakeholders, reputation, brand and activities. In addition, business continuity management identifies potential threats to an organization and the impacts to business operations those threats might cause. The PNC Financial Services Group, Inc. (PNC) Business Continuity Program leads the organization’s business continuity activities, which include business recovery, disaster recovery and crisis management.

The guiding principles of the program are based on the priority to protect the health and safety of PNC employees, contractors, customers and third parties. PNC is committed to safeguarding the ongoing availability of PNC products and services through effective business continuity, disaster recovery and crisis management planning.

The major components of the Business Continuity Program include:

  1. Business Impact Analysis (BIA) is performed annually and includes assessment and prioritization of business functions, identification of the customer, legal, regulatory, reputational, and financial impact of business disruptions, estimation of maximum allowable downtime and level of losses, and estimation of recovery time objectives, recovery point objectives, and recovery of the critical path.
  2. Risk Assessments are conducted and documented to evaluate the BIA assumptions, analyze threats to PNC (including employees and facilities), its customers and markets, prioritize potential business disruptions, and provide a policies and procedures gap analysis. Risk assessments identify gaps between recovery demands and existing capabilities for technology, facilities, employees, and third parties.
  3. Planning and Mitigation is focused on identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a comprehensive business continuity program and related plans. Plans developed under the program are designed to be effective in minimizing service disruptions and financial loss and allow for flexibility to respond to unanticipated threat scenarios and changing internal conditions. The plans are specific regarding what conditions prompt crisis management implementation and the immediate steps to be taken during a disruptive event. Plans are disseminated and communicated to PNC employees.
  4. Recovery Testing is an instrumental part of the methodology to validate the planning requirements identified within the business impact analysis and risk assessment. An enterprise‐wide testing and risk monitoring program executes annual testing sufficient to validate the viability of business continuity plans. The testing program includes but is not limited to:
    • Verifying defined roles and responsibilities;
    • Establishing the breadth, depth, and frequency of testing activities based on process criticality and/or changes to operating environments;
    • Ensuring testing of internal and external parties and supporting systems, processes and resources;
    • Demonstrating the ability of recovery arrangements to sustain the business until permanent operations are established;
    • Documenting and reporting test results;
    • An independent review by a third party; and
    • Identifying gaps as a result of testing and incorporating revisions to the testing program as necessary.
  5. Risk Monitoring: Monitoring of activities and plans helps assure that the program is effective and remains viable. Specific business continuity components not aligned with the program are identified and remediation efforts implemented to address such gaps. Reports of risks and activities are produced with the objective of comprehensive and transparent reporting through the governance structure.
  6. Third Party Continuity: Assessing the ability of third parties to respond to service disruptions and conducting recovery testing with third parties critical to business operations.
  7. Awareness and Training: PNC provides business continuity planning awareness via internal meetings with lines of business, executive committee reviews, employee forums, awareness events, held at locations across the PNC footprint, and internal websites. Business continuity training is available to employees through PNC’s learning portal and includes general awareness training, manager web-based training, and reference guides for specific areas of focus within the business continuity program.
  8. Reporting: Management reporting, which is an integrated part of PNC’s Business Continuity Program, is designed to summarize and highlight recovery and business resumption capabilities for specific businesses and services. It also provides a transparent overview among interdependent business activities. The reporting components are presented in aggregated management reports and provided to executive management and various committees.

The Business Continuity Program includes a crisis management capability, composed of defined crisis teams, crisis plans and standardized processes. PNC’s Enterprise Crisis Management team maintains partnerships with a wide range of agencies, authorities and organizations to receive incident and event notification, allowing for a quick and coordinated organizational response to crisis events. Additional steps, which also serve to mitigate and reduce impact to customer services, include:

  • Establishment of crisis management teams that conduct impact assessment, notify critical contacts, and coordinate overall response.
  • Coordinating crisis communications to provide notification and impact assessment to employees, customers, regulators, and third parties.
  • Execution of scenario‐based walkthroughs, which promote an understanding of assessed impact, crisis response, and recovery capabilities.
  • Testing of crisis management response processes, tools, and resources that improve overall effectiveness of crisis management.

Contact Us

For additional questions about PNC’s cybersecurity practices, please reach out to your PNC representative.

Important Legal Disclosures and Information

As of 10/30/2021

The PNC Financial Services Group, Inc. (“PNC”) uses the marketing name PNC Institutional Asset Management® for the various discretionary and non-discretionary institutional investment, trustee, custody, consulting, and related services provided by PNC Bank, National Association (“PNC Bank”), which is a Member FDIC, and investment management activities conducted by PNC Capital Advisors, LLC, an SEC-registered investment adviser and wholly-owned subsidiary of PNC Bank. PNC does not provide legal, tax, or accounting advice unless, with respect to tax advice, PNC Bank has entered into a written tax services agreement. PNC Bank is not registered as a municipal advisor under the Dodd-Frank Wall Street Reform and Consumer Protection Act.

“PNC Institutional Asset Management” is a registered mark of The PNC Financial Services Group, Inc.

Investments: Not FDIC Insured. No Bank Guarantee. May Lose Value.

Read a summary of privacy rights for California residents which outlines the types of information we collect, and how and why we use that information.