Information Security at Swiss Re

Information Security Programme

Our information security programme and management approach are based on the international information security standard ISO/IEC 27002.

We have implemented multiple layers of protection to minimise the risks to both data and systems. Such protection includes network security controls, logical and physical access controls, maintaining up-to-date inventories (authorised hardware and software), system hardening and monitoring, usage of state-of-the-art protection software, monitoring and response procedures, as well as regular information security awareness training of all involved employees.

Annually, we review our information security policies and associated standards. We also conduct an annual risk assessment of Swiss Re’s cyber security resilience, benchmarking against best practice standards including: ISO/IEC 27002, COBIT and NIST. Additionally, we also benchmark our own maturity against other similar financial institutions.

The process involves stakeholders throughout the company and results in mitigation measures and the revision of controls to respond to technological developments and evolving threats. It considers those cyber security threats of relevance for Swiss Re's business operations, the business information collected or stored, IT landscape, the availability and effectiveness of controls to protect information and IT landscape.

This is a cycle that we continue to improve as risks are always evolving, and security can never be 100% assured.

Vigilance and collaboration are crucial to our efforts to ensure the security of our data and systems. Finally, our compliance Policy Management Framework includes at least annual reviews of our information security policies to ensure that their requirements still appropriately address our risk exposure. Our internal assurance functions and external auditors also regularly audit these policies.

Governance

Effective governance of the programme is seen as crucial, which is why it is overseen by both the Group Chief Risk Officer and Group Chief Operating Officer and is robustly implemented through a three-lines-of-defence model. Additionally, Swiss Re has a committee in place that provides Groupwide management oversight and direction in information security, cyber defence, and data protection risks, with the Group Chief Security Officer ensuring that the Board of Directors is regularly informed on relevant matters.

Third Party Services

We take particular care when working with third parties. We require third parties to maintain similar standards to ours as verified by our due diligence process. We have implemented a holistic and consistent risk mitigation process to identify and assess the cyber resilience of third parties providing goods or services to any of Swiss Re's legal entities. A risk-based approach is followed, covering the whole lifecycle of our engagement with a third party. The applied methodology is based on international standards and frameworks such as ISO/IEC 27002, COBIT and NIST, and takes into account the criticality of the processed data, the way the data is processed and Swiss Re's dependency on the third party.  

Once we enter these relationships, we continue to monitor the data practices of the third parties and reserve the right to conduct audits as appropriate.  We require them to maintain these standards with their sub-contractors and other parties that might further process our data on their behalf.

Incident response

We regularly test the effectiveness of our incident response plans via simulation exercises involving cross-functional stakeholders, evolving them based upon the lessons learned from each exercise.

In the event of security incidents, we have in place global and regional incident response procedures, including appropriate reporting channels such as 24/7 contact lines as well as a whistleblowing hotline. Our breach detection and containment procedures consider the potential business, reputational, legal, and regulatory impact on our company. They also entail assessing whether the incident is an actual data breach which could have consequences for individuals and determining who needs to be notified, such as regulatory authorities, individual data subjects, or other stakeholders. To this end, we use the most effective communication channels depending on the severity and scale of the breach, including our public website when appropriate.

We involve all relevant internal and external stakeholders in our attempt to minimise the harm to Swiss Re and affected individuals. We are constantly monitoring the threat environment and have prepared lines of communication both internally and externally with information-sharing centres, law enforcement and regulators. Our plans aim to mitigate and resolve such incidents to minimise harm to the company and to data subjects.

Contact us:

If you have questions about this topic, please contact our Global Chief Security Officer, Philipp Krayenbuehl, and his team at [email protected].