Sampo Group companies handle large amounts of sensitive customer data. Therefore, information security and cybersecurity are both important factors in ensuring that the Group companies are successful in their business operations.
Sampo Group acknowledges the risks related to information security and cybersecurity. The areas of information security and cybersecurity are complex, and changes occur continuously and at a rapid pace. Beyond technology and pace, the complexity includes, among other things, governance, business processes, awareness, and regulatory compliance.
The group-level guiding document on information security and cybersecurity is the Sampo Group Code of Conduct. In addition, each Group company has adopted more detailed policies and guidelines for their own commercial purposes. At Sampo Group, the requirements in relation to information security and cybersecurity are set and expected to be met by both internal and external stakeholders. Sampo Group companies are committed to performing regular risk analyses, conducting continuity planning, and having effective internal processes, high-quality systems, and infrastructure to ensure information security and cybersecurity preparedness.
| Number of Information Security Incidents Reported to the Authorities, Sampo Group | 2019 | 2018 |
|---|---|---|
| Number of incidents reported to the authorities | 0 | 2 |
If has comprehensive information security and cybersecurity governance, including information security policies, standards, roles and responsibilities, defined controls, and reporting structures. Information security and cybersecurity at If are based on the company’s Information Security Policy and Information Security Standard, which in turn are based on the ISO 27001 standard. These governance documents are part of If’s risk management system and express the minimum requirements for information security and cybersecurity that each If Group company and its relevant partners and suppliers are expected to meet; compliance with them and the associated risks are assessed regularly. Non-conformance may lead to disciplinary action.
The CISO has overall responsibility for managing information security and cybersecurity at If. The CISO works in the second line of defense and, together with the Data Protection Office, reports directly to the Chief Risk Officer (CRO). This strengthens the focus on business information risk and compliance management. In addition, an IT Security Manager specializing in ICT security reports to the Chief Information Officer (CIO). Furthermore, a separate team, supported by internal IT security specialists, works with cyber insurance.
Information security and cybersecurity risks are reported to If’s Operative Risk Committee as part of the reporting from the IT organization. A full report is provided semi-annually, and any new or substantially changed risks are reported quarterly. In addition, as part of the overall risk reporting coordinated by the Risk Management function, these risks are reported to the Board of Directors, the CEO, and the board-level Own Risk and Solvency Assessment (ORSA) Committee, which is responsible for information security and cybersecurity. An overview of If’s risk profile and capital situation is reported quarterly to the ORSA Committee and to the Board of Directors. A more detailed ORSA report is submitted to the Board of Directors once a year; it contains a three-year forward-looking Own Risk and Solvency Assessment. Metrics on security controls and risk activities are measured and reported monthly to the CIO and key stakeholders, such as the Head of IT Services, the CRO, the Head of Business Continuity, Risk Control & Reporting staff, and IT Service Delivery staff.
Training on information security and cybersecurity is provided for all employees upon hire, and annually through a combination of e-learnings, in-person sessions, intranet articles, and phishing simulation tests. Topics covered in the training sessions include requirements, roles and responsibilities, current security risks, and how to report potential security issues.
If has procedures, such as due diligence in the selection process, contractual requirements, and monitoring and review, to ensure information security in outsourced data processing. Before signing a contract with any third party, If’s procurement and outsourcing processes ensure that risks are assessed and that the relevant contractual security requirements are fulfilled. Supplier deliveries are followed up in delivery and governance forums. If continuously monitors its own and its key suppliers’ security posture using a third-party service that alerts on security deviations and incidents.
If’s ICT applications, systems, and infrastructure are designed for resilience, and security controls are implemented to protect systems from cyberattacks. System events and anomalies are monitored 24/7 by an external security operations center that supports If with identifying and responding to security incidents.
Before any new solutions are launched, and before changes are made to any critical applications or systems, an independent internal team of experts conducts security tests using a risk-based approach as part of the change management procedures. Security tests are also conducted regularly by specialized third-party security testers.
At If, information security and cybersecurity audit activities are carried out at subsidiary level, where these matters are considered and covered. In addition, If’s group-level Internal Audit performs an audit of information security and cybersecurity governance annually. All audit activities are risk-based and targeted at different areas according to the internal audit activity plans, which are approved by the Board of Directors of each respective If subsidiary. As part of the statutory audits, general IT controls in all key systems involved in If’s financial reporting are audited annually by third-party auditors. Independent reviews and audits over the past two years have confirmed that cybersecurity and resilience maturity at If is above the industry average.
If is required to report all severe information security incidents to the Swedish FSA.
To ensure information security and cybersecurity preparedness, Topdanmark has an Information Security Policy and an Information Security Management System (ISMS), both of which are based on the ISO 27001 standard. Topdanmark’s Information Security Policy is part of the overall risk management system and applies to both company employees and external business partners. Each year, the Board of Directors approves the Information Security Policy and an IT contingency plan based on an updated IT risk assessment. A risk assessment of significant or critical operational IT risks, including cyber risk, is performed regularly and is reported to the Board of Directors as well as to the Executive Board, the Risk Committee, and Topdanmark’s Compliance department. Day-to-day responsibility for information security and cybersecurity at Topdanmark lies with the CISO, who reports to the CIO.
IT and cyber risks pose threats to Topdanmark’s business and the sensitive data it handles. According to various risk scenarios, Topdanmark faces an increasing risk from cybercrime. Topdanmark’s Cyber Security Board (whose members include the CTO, CIO, CISO, and Head of Compliance) regularly assesses the risk and the measures necessary to achieve the required security level. The risk is managed and reduced, for example, by collaborating with external specialists in the field. Topdanmark’s Board of Directors is briefed annually on cyber risks and the initiatives planned to reduce them.
Topdanmark uses several layers of security systems to prepare for information security and cybersecurity threats. For example, the company has invested in early-warning and incident management technologies. Topdanmark also performs vulnerability assessments continuously and tests new systems for weaknesses before they are put into production. To counteract business interruption caused by IT failures or cybercrime, Topdanmark has a comprehensive contingency plan to ensure that business can be re-established as soon as possible.
Topdanmark’s IT systems are reviewed by external IT auditors in connection with the annual financial audits. This ensures that IT systems provide valid data for the annual report, and that Topdanmark complies with the information security and IT requirements set by the Danish FSA.
All new employees are introduced to Topdanmark’s Information Security Policy. Classroom training sessions are held for IT developers when needed. A separate e-learning course on information security was introduced in 2018, and all employees and external consultants are obliged to complete and pass the course annually. An employee’s breach of Topdanmark’s Information Security Policy can have employment-related consequences, including, at worst, dismissal.
Topdanmark is required to report major information security incidents to the Danish FSA on an ad-hoc basis if the incident has a critical impact on the company’s business.
Information security and cybersecurity management and preparedness at Mandatum Life are based on the Information Security Policy, approved by the company’s Board of Directors annually. The policy applies to all Mandatum Life employees and the representatives of stakeholders who process Mandatum Life’s information in connection with their assignments. The requirements of the policy are also included in agreements with subcontractors, service providers, and other external stakeholders. The policy is closely linked to other internal policies, such as the Information Management Policy, which includes more detailed guidelines, putting emphasis on the perspective of information confidentiality and customer trust.
Along with the policy, there is an information security strategy approved by company management. The primary objectives of the strategy are to ensure that management has visibility of the status of information security, to determine the priorities of development activities, and to provide adequate resourcing to implement them. The Information Security unit, led by the CISO, is responsible for the operational management of information security and also has oversight of cybersecurity. Information and cyber risks are monitored actively and reported quarterly to the Operational Risk Committee. A specialist in the Information Security team focuses solely on coordinating cybersecurity activities and development. In 2019, a new tool was implemented to perform regular vulnerability analysis to detect possible security flaws in the design or implementation of digital services.
Everyone employed by Mandatum Life or working on behalf of the company is obliged to comply with the information security policy, principles, and guidelines, and to ensure compliance with relevant legislation. The information security awareness and competence of employees are ensured through information security training and guidelines. The e-learning for information security and cybersecurity was renewed in 2019. Employees are also regularly notified of security issues to raise awareness of, for example, phishing attempts and identity theft. The information security awareness and competence of third parties are ensured through agreements and guidelines and, where applicable, through training.
The level of information security is continuously assessed, and tests on processes and systems are conducted on a regular basis. During 2019, Mandatum Life’s information security maturity was assessed as part of the ISAE 3000 Type I audit of Pension Insurance and Personnel Funds Services. Based on the results, Mandatum Life is planning to apply for ISO 27001 certification in the area of information security.
Suspected breaches, abuses, or shortcomings in information security or cybersecurity are reported directly to either the CISO or the Information Security team. In addition, employees can report them through an internal notification channel on the intranet. Reported incidents are managed according to the Data Protection and Information Security Incident Management process and, if necessary, escalated to the Crisis Management Team.
Mandatum Life is required to report major information security incidents to the Finnish FSA annually and on an ad-hoc basis.
Further information can be found in the Corporate Responsibility Report (page 37).