Information Security at Swiss Re
Information Security Programme
Our information security programme and management approach are aligned with the international information security standard ISO/IEC 27002. They focus on our need to maintain the confidentiality, integrity and availability of the data that we hold.
They also define how we protect that data and the associated systems from a technical (cyber security) perspective. To this end we have implemented multiple layers of protection to minimise the risks to both data and systems. Such protection includes network security controls, logical and physical access controls, maintaining up-to-date inventories (of authorised hardware and software), system hardening, use of state-of-the-art protection software, monitoring and response procedures, as well as regular information security awareness training for all involved employees.
We conduct an annual risk assessment of Swiss Re’s cyber security resilience, benchmarking against a wide range of good practice standards including ISO/IEC 27002, COBIT and NIST. We also benchmark our own maturity against that of other similar financial institutions.
The process involves stakeholders throughout the company and results in mitigation measures and the revision of controls to respond to technological developments and evolving threats. It considers the cyber security threats relevant to Swiss Re's business operations and to the business information collected or stored, the IT landscape, and the availability and effectiveness of the controls that protect that information and IT landscape.
This is a cycle that we continue to improve as risks are always evolving, and security can never be 100% assured.
Our compliance Policy Management Framework includes at least annual reviews of our information security policies to ensure that their requirements still appropriately address our risk exposure. Our internal assurance functions and external auditors also regularly audit these policies.
We believe that vigilance and collaboration are crucial to our efforts to ensure the ongoing security of our data and systems.
Effective governance of the programme is seen as crucial; hence, a multi-layered approach is in place.
The Board of Directors Finance & Risk Committee (FRC) reviews the most important risk exposures across all major risk categories, including cyber risks. The FRC reviews the annual risk assessment of Swiss Re’s cyber security resilience. This regular re-assessment enables Board members to understand how well the company's assets are protected against evolving cyber risks.
Members of the FRC regularly share their cyber experience with Management and the topic of cyber risk remains on the agenda, with the Group Chief Security Officer ensuring that the Board of Directors is regularly informed on relevant matters.
Operationally, governance is robustly implemented through a three-lines-of-defence model, with the Group Risk Officer and Group Operations Officer regularly engaged.
Swiss Re's cyber risk strategy continues to be a key focus area for the Board and its Committees.
In response to increased client and regulatory demands, and as part of the continuous improvement of its internal control processes, Swiss Re issues a SOC 2 Type II report on an annual basis. The report provides a high degree of assurance and demonstrates transparency and a stable control environment. It is an independent, third-party validation of Swiss Re's commitment to evidencing the design and effective operation of its controls throughout the whole year.
SOC 2 reports cover controls at a service organisation relevant to the Security, Availability, Processing Integrity, Confidentiality or Privacy Trust Service Principles and are not limited to financial reporting controls. The relevant trust services criteria used to evaluate the design and operating effectiveness of the internal control system are set out by the AICPA and are aligned with the COSO principles.
By delivering the SOC 2 report, Swiss Re demonstrates to its clients and their independent auditors that the services provided are performed in a reliable, secure and compliant manner.
Swiss Re holds the Cyber Essentials certificate and undergoes annual re-certification. This is a government-backed certificate which reassures customers that Swiss Re is working to secure its IT against cyber attack. It is operated by the National Cyber Security Centre (NCSC) of the United Kingdom.
Vulnerability Management and Patching
Following the vulnerability assessment and patching processes referenced in the Swiss Re Security Standards, platform owners regularly monitor their systems for critical vulnerabilities where required and check security alert announcements from hardware and software vendors.
Vulnerability scans and penetration tests are performed on a frequent basis. Their output is evaluated, rated and addressed where deemed necessary.
Antivirus software and other security controls are implemented and configured to automatically monitor Swiss Re’s IT environment in order to prevent the introduction of cyber threats from malware that may exploit vulnerabilities.
Business Continuity Management
Swiss Re's Group Business Continuity Management (BCM) policy and process document aim to ensure that the framework for business continuity across the Swiss Re Group is defined, communicated, approved and executed in an efficient and controlled manner and in accordance with the organisation’s strategic goals. It defines the scope, objectives, methodology, roles and responsibilities as well as processes (including incident reporting and escalation) related to BCM.
Swiss Re has developed and implemented Business Continuity Plans (BCPs) and IT Service Continuity Plans for all its locations, business units and the data centres.
These BCPs, which are reviewed at least annually and updated accordingly, will be actioned in the event of a significant operational disruption, such as natural disaster, pandemic, power outage or any other event leading to a major interruption of critical services.
We test the effectiveness of our business continuity / contingency plans at least semi-annually.
Assurance over Third Party Control Environment
Swiss Re has implemented a holistic and consistent risk mitigation process to identify and assess the cyber resilience of third parties providing goods or services to any of Swiss Re’s legal entities.
A risk-based approach is followed, covering the whole lifecycle of Swiss Re’s engagement with a third party. The applied methodology is based on international standards and frameworks, such as ISO/IEC 27002, COBIT and NIST. It takes into account the criticality of the processed data (e.g. whether company or client data is processed), the way the data is processed (e.g. on Swiss Re-controlled systems or independently) and Swiss Re’s dependency on the third party (e.g. considering availability requirements).
We regularly test the effectiveness of our incident response plans via simulation exercises involving cross-functional stakeholders, evolving them based upon the lessons learned from each exercise.
In the event of security incidents, we have in place global and regional incident response procedures, including appropriate reporting channels such as 24/7 contact lines as well as a whistleblowing hotline. Our breach detection and containment procedures consider the potential business, reputational, legal, and regulatory impact on our company. They also entail assessing whether the incident is an actual data breach which could have consequences for individuals and determining who needs to be notified, such as regulatory authorities, individual data subjects, or other stakeholders. To this end, we use the most effective communication channels depending on the severity and scale of the breach, including our public website when appropriate.
We involve all relevant internal and external stakeholders in our attempt to minimise the harm to Swiss Re and affected individuals. We are constantly monitoring the threat environment and have prepared lines of communication both internally and externally with forensic investigation partners, information-sharing centres, law enforcement and regulators. Our plans aim to mitigate and resolve such incidents to minimise harm to the company and to data subjects.
Mandatory training sessions for all employees are part of Swiss Re's corporate culture and governance. To ensure that assigned training is completed, training activities are monitored and tracked in a central system. Training includes a general introduction, the code of conduct, information security awareness, customised courses for specific functions or skills, and subject-specific compliance training such as anti-fraud, anti-money laundering, anti-bribery and corruption, data protection, etc.
Swiss Re employees are required to complete the Code of Conduct and other relevant mandatory Compliance e-learning modules upon starting with Swiss Re. Mandatory refresher training on individual risks is delivered periodically. Information security and cyber risk topics are communicated to internal and external staff on a yearly basis, and training activities are provided.
Special attention is given to staff with access to sensitive personal data, which can include client data. In these cases, additional training or awareness campaigns are conducted in accordance with local laws, regulations and client requirements.
Advice and guidance are also provided via the corporate intranet, reference cards and various brochures. Our security brochure, the "Cyber & Security Cookbook", covers the key cyber security dos and don'ts. Every chapter is tied to a real recipe and includes a short explanation of why that recipe is linked to the security topic. This cookbook offers employees practical day-to-day advice and helps them to protect themselves and the firm in the many different situations they encounter in their digital lives.
We also provide a checklist of key security responsibilities for customers using Swiss Re solutions, to raise awareness of the topic.
If you have questions about this topic, please contact our Global Chief Security Officer, Philipp Krayenbuehl, and his team at [email protected].