Information Security at Swiss Re
Information Security Programme
Our information security programme and management approach are threat-based and focus on our need to maintain the confidentiality, integrity and availability of the business processes on which our clients and stakeholders depend.
These frameworks also define how we protect that data and associated systems from a technical (cybersecurity) perspective. Here we have implemented multiple layers of protection to minimise the risks to both data and systems – including network security controls, logical and physical access controls, maintaining up-to-date inventories (authorised hardware and software), system hardening, protection software, monitoring and response procedures, Data Leakage Protection (DLP) as well as regular information security awareness training for all employees involved.
We conduct an annual risk assessment of Swiss Re’s cybersecurity resilience, benchmarking against a wide range of best practice standards. Additionally, we benchmark our own maturity against other similar financial institutions.
The process involves stakeholders throughout the company and results in mitigation measures and the revision of controls to respond to technological developments and evolving threats. It considers the cybersecurity threats relevant to Swiss Re's business operations, the business information collected or stored, the IT landscape, and the availability and effectiveness of the controls that protect both the information and the IT landscape.
This is a continuous cycle of improvement in an ever-evolving threat landscape, understanding that absolute security can never be guaranteed.
Our compliance Policy Management Framework includes at least annual reviews of our information security policies to ensure that their requirements still appropriately address our risk exposure. Our internal assurance functions and external auditors also regularly audit these policies.
We believe that vigilance and collaboration are crucial to our efforts to ensure the ongoing security of our data and systems.
Governance
Effective governance of the programme is seen as crucial; hence a multi-layered approach is in place.
The Board of Directors Risk Committee (RC) reviews the most important risk exposures in all major risk categories, including cyber risks. The RC reviews the annual risk assessment of Swiss Re’s cybersecurity resilience. This regular re-assessment enables Board members to understand how well the company's assets are protected against evolving cyber risks.
Members of the RC regularly share their cyber experience with Management, and the topic of cyber risk remains on the agenda with the Group Chief Security Officer, ensuring that the Board of Directors is regularly informed of relevant matters.
Operationally, governance is robustly implemented through a three-lines-of-defence model, with the Group Risk Officer and Group Chief Digital and Technology Officer regularly engaged. Swiss Re's cyber risk strategy continues to be a key focus area for the Board and its Committees.
Independent Assurance
In response to increased client and regulatory demands, and as part of the continuous improvement of its internal control processes, Swiss Re issues an ISAE 3000 Type II report annually, based on the SOC 2 Trust Services Criteria and Principles, providing a high degree of assurance and demonstrating transparency and a stable control environment. The ISAE 3000/SOC 2 report is an independent, third-party validation of Swiss Re's commitment to evidencing the design and effective operation of its controls throughout the year.
The ISAE 3000/SOC 2 reports cover controls at a service organisation relevant to Security, Availability, Confidentiality, Privacy, and Trust service criteria and are not limited to financial reporting controls. The relevant trust services criteria to be used to evaluate the design and operating effectiveness of the internal control system are set out by AICPA and are aligned with COSO principles while the examination is conducted in accordance with the International Standard on Assurance Engagements 3000, Assurance Engagements Other than Audits or Reviews of Historical Financial Information, issued by the International Auditing and Assurance Standards Board (IAASB).
By delivering the ISAE 3000/SOC 2 report, Swiss Re demonstrates to its clients and their independent auditors that the services provided are performed in a reliable, secure and compliant manner.
Vulnerability Management and Patching
Following the respective vulnerability assessment and patching processes as referenced in Swiss Re Security Standards, platform owners regularly monitor their systems for critical vulnerabilities where required and check security alert announcements from hardware and software vendors.
Vulnerability scans and penetration tests are performed on a frequent basis. The outputs are evaluated, rated and addressed.
Anti-virus software and other security controls are implemented and configured to automatically monitor Swiss Re’s IT environment to prevent the introduction of cyber threats from malware that may exploit vulnerabilities.
Operational Resilience
Swiss Re’s Operational Resilience (OpRes) framework ensures the organisation can withstand, adapt to and recover from severe disruptions while safeguarding critical services and strategic objectives. The overarching goal is to minimise the impact of such events on Swiss Re, its clients and the broader financial system. This framework is defined, communicated, approved and executed in a controlled manner aligned with Swiss Re’s strategic goals.
OpRes establishes the scope, objectives, methodology, roles and responsibilities, and processes – including incident reporting, escalation and crisis governance – that underpin Operational Resilience. Governance and coordination during severe disruption scenarios are supported by the Group Crisis Management Function (GCMF), which ensures timely escalation to the Incident Management Teams (IMTs), Executive Management Teams (EMTs) and the Group Crisis Management Team (GCMT). In addition, Protective Intelligence (PI) provides proactive threat monitoring, scenario analysis and intelligence-led insights to strengthen resilience planning, exercises and real-time decision-making.
We work closely with IT Resilience and Third-Party Management (TPM) to ensure critical technology and external dependencies can withstand and recover from disruptions, with scenarios tested and recovery strategies coordinated across all critical services.
Resilience Planning and Testing
Swiss Re maintains Operational Resilience Plans for all critical services. These plans are reviewed at least annually and updated as needed. They are activated in the event of significant operational disruptions such as natural disasters, pandemics, power outages, or other events impacting critical services. Regular testing is performed to confirm preparedness for both anticipated and unexpected threats and major disruptions.
Assurance over Third-Party Control Environment
At Swiss Re, we apply a holistic and risk-based approach to managing and assuring the cyber resilience of third parties that provide goods or services to our legal entities worldwide.
The Third-Party Cyber Risk Management (TPCRM) process is designed to safeguard data, systems and operations across the full lifecycle of third-party engagements.
The methodology used is based on internationally recognised standards and frameworks, including ISO/IEC 27001 and 27002, COBIT and NIST Cybersecurity Framework, ensuring that our practices align with industry best-in-class benchmarks. Key elements of the assurance process include:
- Risk-based prioritisation: Assessment depth and frequency are tailored to the criticality of services provided and the sensitivity of data involved.
- Data and system protection: Evaluations consider how and where data is processed – whether on Swiss Re-controlled systems or in independent third-party (supply chain) environments.
- Dependency and resilience: We assess each supplier’s control environment based on Swiss Re’s level of reliance, ensuring that confidentiality, integrity and availability requirements are consistently met.
- Continuous oversight: Swiss Re maintains ongoing assurance activities to monitor changes in third-party risk posture and ensure controls remain effective over time.
Incident Response
We regularly test the effectiveness of our incident response plans via simulation exercises involving cross-functional stakeholders, evolving them based upon the lessons learnt from each exercise.
In the event of security incidents, we follow global and regional incident response procedures, which include appropriate reporting channels such as 24/7 contact lines as well as a whistleblowing hotline. Our breach detection and containment procedures consider the potential business, reputational, legal and regulatory impact on our company. These procedures also entail assessing whether the incident is an actual data breach – one which could have consequences for individuals – and determining who needs to be notified, such as regulatory authorities, individual data subjects or other stakeholders. To this end, we use the most effective communication channels depending on the severity and scale of the breach, including our public website when appropriate.
We involve all relevant internal and external stakeholders in our attempt to minimise the harm to Swiss Re and affected individuals. We are constantly monitoring the threat environment and have prepared lines of communication both internally and externally with forensic investigation partners, information-sharing centres, law enforcement and regulators. Our plans aim to mitigate and resolve such incidents to minimise harm to the company and to data subjects.
Training & Awareness
Mandatory eLearnings (online learning modules) for all employees are part of Swiss Re's corporate culture and governance. To ensure that assigned trainings are completed, training assignments are monitored and tracked in a central system.
The security trainings include a general security introduction and awareness module, a module on managing information security, and customised courses for specific roles and functions such as Privileged Access Management, Operational Resilience, Major Incident Management and Identity and Access Management.
Other eLearnings such as "Cyber Shield" are assigned to internal and external staff on a yearly basis. In addition, company-wide security awareness campaigns are conducted. Mandatory refresher training on individual risks is delivered periodically. Advice and guidance are also provided via the corporate intranet, guides and brochures.
Our primary security brochure, titled "SHIELD: Security Handbook: Information Essentials and Learning Document", covers the key cybersecurity dos and don'ts. Each chapter covers a key security-related topic, including data and cybersecurity, device and communication practices, physical safety, primary contacts and the risks associated with the standardisation of AI. The handbook offers employees practical day-to-day advice and helps them to protect themselves and the firm in the many different situations they encounter in their digital lives.
At Swiss Re, we also conduct subject-specific compliance trainings such as anti-fraud, anti-money laundering, bribery and corruption, and data protection. Swiss Re employees are required to complete the Code of Conduct and other relevant mandatory compliance trainings upon joining the company.
Contact us:
If you have questions about this topic, please contact our Group Chief Information Security Officer, Simon Jenner.
October 2025