Business Continuity Management Program

Principal is committed through the Business Continuity Management Program (BC Program) to protect our customers’ financial assets and other interests.

Business continuity at Principal supports the continued operation of our business units and subsidiaries through an organized recovery program. The BC Program’s mission is to coordinate an enterprise-wide program that minimizes impact and mitigates risk from threats that may impact our customers, workers, and our organization.

Business Continuity Planning

The BC Program is based on professional practices established by the Disaster Recovery Institute International and Business Continuity Institute and aligns with standards such as Public Law 110-53: Public Sector Preparedness and ISO22301. A Business Continuity Policy is published on Passport, our company intranet, and includes business continuity, incident management, and disaster recovery planning. The Business Continuity and Disaster Recovery Teams review the Policy and Standards every year. Business areas are expected to follow the Business Continuity Policy and Standards and include the required elements.

Business Continuity Framework: The business continuity framework consists of industry standard procedures for continuity planning, risk mitigation, incident response, and recovery. The framework accounts for the following:

  • Business Unit Heads define business areas within the business unit and appoint Business Continuity Executives. The Business Continuity Executives are responsible for the continuity of operations in that business area. Business Continuity Contacts are appointed by the Business Continuity Executives and are accountable for the development, maintenance, implementation, and exercising of their business continuity plans.
  • An analysis of the business to determine business capabilities, supporting business processes, and applications, as well as documentation of resources or assets necessary for recovery, along with the review of any business area risks.
  • Documentation of recovery strategies and recovery tasks.
  • The prolonged unavailability of equipment, communications services, employees, buildings, or access to buildings.
  • Regular testing, using realistic simulations, to demonstrate whether services can be resumed within critical time frames.
  • Annual review and approval of Business Continuity Plans.

Business Continuity Requirements: The BC Program has established requirements to ensure preparedness for a disruptive event. The Business Continuity Team will create an annual summary to report on the progress of the BC Program measuring compliance with the Business Continuity Standards. The summary is communicated with Business Continuity Executives and other interested parties, including the Board of Directors.

Business Impact Analysis (BIA): The BIA is conducted every two years at the business area level. The purpose of the BIA is to review the business areas’ capabilities and processes and to identify their supporting applications. Taking into consideration the operational risk for that business area, recovery time objectives (RTOs) are identified for each business capability and supporting processes. Supporting applications are also assigned a recovery time objective (RTO) as well as a recovery point objective (RPO).

  • The Business Continuity Executive must approve capabilities, processes, process RTO, applications, and application needed RTOs/RPOs.
  • The Business Unit Chief Information Officer (CIO), or delegate, will approve application actual RTOs/RPOs.
  • A risk review is conducted to identify risks that threaten continuity of operations for the organization. The business will identify risks unique to their business area, document the risk, and determine mitigation options and solutions. The BC Executive must sign off on the results of the risk review.

Business Continuity Plans: Every business area at Principal is required to have its own business continuity plan or be part of a larger business area's plan. Plans are reviewed annually and with significant business model changes to ensure the information within the plan adequately documents the processes necessary to restore business operations within the agreed-upon time frame and are compliant with any relevant regulatory requirements.

  • The Business Continuity Executive, as well as an enterprise BC Team member (BC Consultant), approves the BC Plan annually.
  • At a minimum, Business Continuity Plans should include the data elements outlined in the plan templates provided by the enterprise Business Continuity Team.
  • Material is managed according to enterprise guidelines for location and retention.
  • The BC Executive is the person responsible for determining if a BC Plan needs to be activated.

Business Continuity Plan Testing/Exercise: Throughout the year, the business areas conduct various business continuity exercises to enable the most effective response during a business interruption. Principal tests the BC Plan to determine its effectiveness and the organizational readiness to execute it.

Business Continuity Exercises are conducted annually and consist of the following:

  • Call tree or communication plan
  • Alternate worksite or remote access functionality
  • A tabletop exercise with the business area recovery team

Third Party Service Provider Testing: Principal third-party service providers are required to have Disaster Recovery and Business Continuity Plans in place for the prompt resumption of performance of the services in the event of disasters and other circumstances that may affect their performance of the services. This requirement is a provision within the supplier contractual agreement with Principal and is agreed upon at contract signing.

Workspace Recovery: The business continuity philosophy at Principal is to take an all-hazard approach, planning for the potential loss of people, facilities, and computing technology regardless of the cause for the loss. Principal also assumes, for planning purposes, total loss of the operational site.

In the event an incident would affect the entire Des Moines campus, an enterprise-wide recovery plan is in place for relocation of critical business. Business capabilities and processes considered critical during the first 72 hours of an incident have been identified and prioritized via a formal Business Impact Analysis (BIA) process. The recovery plans leverage non-Des Moines campus offices along with the ability for authorized staff to work remotely using enterprise remote access solutions. Additionally, we have geographically diverse offices which reduce potential impacts of a disaster scenario near our primary location.

Incident Response Framework

Principal has an incident management framework that provides processes, tools, and accountabilities to identify emerging and active threats to the business, mobilize a response, and mitigate the impact on Principal’s workforce, customers, assets, resources, market share, and reputation. It provides an escalation protocol to follow as additional information regarding impact is gathered during the investigation and/or response effort. The framework provides expectations and guidelines for local response integration through escalation to enterprise response.

Incident lifecycle

While incidents do not always unfold the same way, the same basic lifecycle applies to incidents and how they evolve.

The framework provides for incidents to be managed by local response teams (LRTs) with escalation criteria for engagement of enterprise response teams. Local response teams manage incidents that have less impact on overall business operations or are routine in nature. Enterprise response teams manage incidents with greater impact to business operations. Severity guidelines provide information on when incidents should be escalated and which enterprise response team would be engaged.

Each response team is led by an incident leader and incident facilitator and utilizes resources in other areas of the Company, such as Global Brand and Experience, Global Risk, Human Resources and Legal, in their response efforts.

We have established operational response teams (ORTs) to cover these incident types:

  • Cybersecurity
  • Fraud
  • Information Technology
  • Site & Personnel
  • Privacy
  • Reputation
  • Other

Incidents with a severe impact to business operations are escalated to response teams consisting of senior leaders from the enterprise.

  • Core Response Team (CRT) – The response team accountable for providing tactical decisions and direction in response to business interruptions. CRT membership consists of representation of business unit and corporate services senior leaders. The CRT is responsible for ensuring continuity of business operations.
  • Executive Management Group (EMG) – The response team accountable for providing strategic decisions and direction in response to business interruptions. EMG membership consists of the senior executive team.

Principal has an Enterprise Incident Management Plan (EIM Plan) to manage the coordination of response activities. The EIM Plan has management support and is supported by the appropriate training and resources. The EIM Plan and its supporting documentation consist of:

  • Guidance on what constitutes an incident and how to classify the severity of an incident impacting the ability to conduct business operations
  • Escalation guidelines
  • Clarification of roles and responsibilities for response teams
  • Communication guidance
  • Tasks and action lists to manage the response to a business disruption
  • Workspace recovery activities

Disaster Recovery Program

The Disaster Recovery Program complements the Business Continuity Program, focusing on the Information Technology (IT) systems recovery required to support business operations. The Business Continuity Team partners with the Disaster Recovery Team to ensure recovery plans and exercises position the Company to effectively respond to incidents that may lead to a business interruption. Reducing operational and financial risk is a key component in both programs, along with creating a better prepared response team.

The Disaster Recovery Team provides oversight for the Disaster Recovery Program. Business unit CIOs are accountable for ensuring recovery of their business applications. Disaster Recovery Contacts are assigned by senior IT management for each business unit and are responsible for the planning and exercising of recovery solutions. Principal has a formal architecture program that defines the disaster recovery requirements that must be incorporated into application/system designs.

As a part of the BIA process, Disaster Recovery Contacts collaborate with the Business Continuity Contacts to determine the appropriate Recovery Time Objective and Recovery Point Objective for each application required by the business processes identified in the BIA.

The technology response to a disaster at Principal includes an enterprise technology recovery plan utilizing replicated data at the disaster recovery center. The enterprise Disaster Recovery Plan is used to prepare for and respond to a total loss of the production data center. The Disaster Recovery Team owns this plan and is responsible for helping ensure the plan will provide the steps needed for continuity of infrastructure/applications in the event of a loss of the production data center. The enterprise Disaster Recovery Plan has identified phases to complete in the event of a declared disaster. Following execution of the defined phases the data center functionality is re-established at the disaster recovery data center located out-of-state. Specific instructions for all phases can be found within the enterprise Disaster Recovery Plan.

The Disaster Recovery Team creates a quarterly assessment to report on the progress of the Disaster Recovery Program measuring compliance against Disaster Recovery standards. The assessment is communicated to the CIOs and other interested parties. Elements of the quarterly disaster recovery assessment are included in the annual Business Continuity assessment.

Additional details of the Disaster Recovery Program:

Disaster Recovery Plans: The disaster recovery contacts are responsible for the development and maintenance of recovery plans. Disaster Recovery Plans are required for all critical infrastructure and applications (those required in the first 72 hours after a data center loss). Disaster Recovery Plans are updated annually and with significant system changes and contain the elements documented in the disaster recovery plan template. Those plans are reviewed and approved by the business unit disaster recovery representatives. On a monthly basis, key disaster recovery contacts meet to discuss the progress of planning and testing for the year, as well as debrief on any lessons learned or changes needed to recovery plans.

Disaster Recovery Testing: Critical infrastructure and applications (those required in the first 72 hours) must be tested on an annual basis. To validate and continuously refine recovery procedures, multiple tests are executed throughout the year, generally on a quarterly basis. Results of these tests are included in the quarterly assessment report to management.

Disaster Recovery Strategy: The cornerstones of the Disaster Recovery strategy include two geographically distant data centers, a production data center, and a disaster recovery data center. The data centers are highly redundant including redundant electrical systems, cooling systems, and uninterruptible power systems. In addition, there are redundant backup diesel generators as resources in the event of a power loss. The production data center provides high availability solutions to mitigate the loss of a single storage or server system. The disaster recovery data center is a clone of the production data center to mitigate the loss of an entire data center. High availability storage solutions will be added to the disaster recovery data center after failover.

Principal policies require all critical applications and infrastructure to be replicated to virtual tape, dedicated block storage, or NAS systems at the disaster recovery data center, to provide for the recovery of processing in the event facilities are lost. This requirement is met through replication of data to systems in the production and disaster recovery data centers.

Feb. 2025

Summary Disclosure Statement of Business Continuity Practices for Principal Funds

Principal Funds Distributor, Inc. (PFD) is dedicated to facilitating the distribution of the Principal mutual funds. In support of this effort, we have developed a written "Business Continuity Plan" (BCP) to help ensure that our core business processes can be performed under a variety of foreseeable adverse circumstances of varying scope. Our plan provides for the continuation of our business in the event of a Significant Business Disruption (SBD).

Due to the limited nature of our FINRA membership agreement, PFD does not maintain customer accounts. As a result, our BCPs are also limited in nature. Our plan provides for the continuation of crucial operations and other activities subsequent to a variety of disruptions. We utilize many approaches to accomplish this goal, including archiving systems data, maintaining alternate business recovery sites, and contracting for off-site storage of data. In formulating our plan, we have anticipated several "levels" of SBDs that anticipate the possibility that a disruption may be either internal (a single isolated failure limited solely to our firm) or that the disruption may be external in nature (a disruption that may prevent the operation of the securities markets or a number of firms, such as a terrorist attack, a city flood, or a wide-scale, regional disruption).

In developing our BCP, we have considered a variety of scenarios which may cause our business to be disrupted. Examples of these scenarios include a loss of computer abilities, a loss of communications, or an inability to occupy our offices. Once our BCP has been initiated, we will pursue the protection of firm staff and firm property, then begin to perform financial and operations assessments, recover and resume operations, and protect the firm's books and records. Additional time may be required to retrieve any lost data from off-site storage facilities or to complete a transition to a secondary location, but our goal is to otherwise resume operations within 24 hours of a disruption. (This includes disruptions to any systems, buildings, business districts, cities, or regions.)

In the event of a SBD which results in the need to implement our BCP, our plan provides for us to transition our business operations to alternative physical locations. These alternate sites are geographically dispersed, and backup data for each site is maintained and can be used to rebuild systems when necessary.

Although no BCP can accommodate every potential disruption, our plan is reviewed at least annually to ensure appropriate enhancements are implemented due to changes in our business activities or to accommodate revised regulatory requirements. Should material changes to the plan occur, this 'Summary Disclosure Statement' as well as the actual BCP will be updated as necessary.