Please note that the website might not function correctly using an outdated browser. We recommend updating your browser or using another one.
Sampo Group companies are exposed to information security and cybersecurity risks due to the high quantity of sensitive data the companies handle and due to operations in countries with strict data protection regulations. It is important to address these risks to ensure that customers and other stakeholders’ data is always protected, and operations can continue without disruption.
Sampo Group companies are committed to performing regular risk analyses, conducting continuity planning, and having effective internal processes, high-quality systems, and infrastructure to ensure information security and cybersecurity preparedness. At Sampo Group, the requirements in relation to information security and cybersecurity are set and expected to be met by both internal and external stakeholders.
Sampo Group companies strive to ensure that the services provided to customers are secure. It is vital to the Group companies that the level of information and cybersecurity is adequate to the nature and scope of the business and the general level of technical development, and that it corresponds to the level generally expected from a financial corporation. The group-level guidance document on information security and cybersecurity is the Sampo Group Code of Conduct. In addition, each Group company has adopted more detailed policies and guidelines for their own commercial purposes.
All Sampo Group companies are required to report major information security incidents to the local authorities annually and on an ad-hoc basis. During 2020, one information security incident was reported to the FSA in Estonia.
|Information Security and Cybersecurity Incidents Reported to the Authorities, Sampo Group||2020||2019||2018|
If has comprehensive information security and cybersecurity governance, including information security policies, standards, roles and responsibilities, defined controls, risk management, and reporting structures. The company’s Information Security Policy and Information Security Standards are based on the ISO 27001 standard and express the minimum requirements for information security and cybersecurity that are expected to be met by each If Group company and relevant partners and suppliers, which are regularly assessed for risks and compliance. Non-conformance may lead to disciplinary actions.
Training on information security and cybersecurity is provided for all employees upon hire, and annually through a combination of e-learning, in-person sessions, intranet articles, and regular phishing simulations. Topics covered in the training sessions include requirements, roles and responsibilities, current security risks, and how to report potential security issues.
The Chief Information Security Officer (CISO) has the overall responsibility for coordinating the information security and cybersecurity work within If. The CISO also supports the Boards of Directors with regard to the status of information security and its deployment. The CISO works in the second line of defense and reports directly to the CRO, together with the Data Protection Office. This strengthens the focus on business information risk and compliance management. In the first line of defense, reporting to the CIO, there is an IT security manager specialized in information and communications technology security, who leads a team of IT security specialists and application testers, as well as an IT risk and security compliance officer.
Information security and cybersecurity risks are reported to If’s Operative Risk Committee as part of regular risk reporting from the business and IT organization. A full report is provided semi-annually, and any new or changed substantial risks are reported quarterly. In addition, as part of the overall risk reporting coordinated by the Risk Management function, these risks are reported to the Board of Directors, the CEO, and the board-level Own Risk and Solvency Assessment Committee (ORSA) responsible for information and cybersecurity. An overview of If's risk profile and capital situation is reported quarterly to the ORSA Committee and to the Board of Directors. A more detailed ORSA report is submitted to the Board of Directors once a year. The report contains a three-year forward-looking Own Risk and Solvency Assessment. Metrics on security controls and risk activities are measured and reported monthly to the CIO and key stakeholders, such as the Head of IT Services, CRO, Head of Business Continuity, Risk Control and Reporting staff, and IT Service Delivery staff.
If has procedures, such as due diligence in the selection process, contract requirements, and monitoring and review, to ensure information security in outsourced data processing. Before signing a contract with any third-party, If’s procurement and outsourcing processes ensure that risks are assessed, and relevant contractual security requirements are fulfilled. Supplier deliveries are followed up in delivery and governance forums. If continuously monitors its own and key suppliers’ security posture using a third-party service capable of alerting of security deviations and incidents.
If’s ICT applications, systems, and infrastructure are designed for resilience, and security controls are implemented to protect systems from cyberattacks. System events and anomalies are monitored 24/7 by an external security operations center, which supports If by identifying and responding to security incidents.
Before any new solutions are launched, and before changes in any critical applications or systems are made, an independent internal team of experts conducts security tests using a risk-based approach as a part of change management procedures. Security tests are also conducted regularly by specialized third-party security testers.
At If, information security and cybersecurity audit activities are carried out on a subsidiary-level, where these matters are considered and covered. However, the group-level Internal Audit of If performs audits regarding the governance of information security and cybersecurity annually. All audit activities are based on risk and are targeted at different areas, according to the internal audit activity plans. The plans are approved by the Board of Directors of each respective If subsidiary. As a part of statutory audits, general IT controls in all key systems involved in If’s financial reporting are audited annually by third-party auditors.
Independent reviews and audits over the past two years have confirmed that cybersecurity and resilience maturity at If is above the industry average.
To ensure information security and cybersecurity preparedness, Topdanmark has an Information Security Policy and an Information Security Management System (ISMS), which are both based on the ISO 27001 standard. Topdanmark’s Information Security Policy is part of the overall risk management system, and it applies to both company employees and external business partners.
Each year, the Board of Directors approves the Information Security Policy and an IT contingency plan based on an updated IT risk assessment. A risk assessment of significant or critical operational IT risks, including cyber risk, is performed regularly, and in addition to the Board of Directors, it is reported to the Executive Board, the Risk Committee, and Topdanmark’s Compliance department. The day-to-day responsibility for information security and cybersecurity at Topdanmark lies with the CISO, who reports to the Vice President of Technology, Architecture and Security (VP TAM). VP TAM reports to the CTO on the Executive Board.
Topdanmark uses several levels of security systems to prepare for information security and cybersecurity threats. For example, the company has invested in early warning and incident management technologies. Topdanmark also performs vulnerability assessments continuously, and tests new systems for weaknesses before they are put into production. To counteract business interruption caused by information security or cybercrime, Topdanmark has a comprehensive contingency plan to ensure that business can be re-established as soon as possible.
According to various risk scenarios, Topdanmark experiences an increasing risk from cybercrime. Topdanmark’s Cyber Security Board (including members such as the VP TAM, Director IT Operations, DPO, and CISO) regularly assesses the risk and the measures necessary to secure the required security level. The risk is managed and reduced, for example, by collaborating with external specialists within the field. Topdanmark's Board of Directors is annually briefed on cyber risks and the planned initiatives to reduce those risks.
Topdanmark’s IT systems are reviewed by external IT auditors in connection with the annual financial audits. This ensures that IT systems provide valid data for the annual report, and that Topdanmark complies with the information security and IT requirements set by the Danish FSA.
All new employees are introduced to Topdanmark’s Information Security Policy. In addition, Topdanmark has a separate e-learning course on information security. All employees and external consultants are obliged to complete and pass the course annually. An employee’s breach of Topdanmark’s information security policy can have employment-related consequences, including, at worst, dismissal.
Mandatum Life’s information security and cybersecurity are developed systematically and in accordance with the information security strategy approved by the management, considering the ever-changing threat environment. The primary objective of the strategy is to ensure that the management has visibility of the status of information security, to determine the priorities of development activities and to provide adequate resourcing to implement these. In 2020, the strategy was updated for the years 2021–2022. The most emphasis will be put on enhancing capabilities in monitoring and developing the security architecture.
Daily operations in information and cybersecurity management at Mandatum Life are based on the Information Security Policy, approved by the company’s Board of Directors annually. The policy applies to all Mandatum Life employees and the representatives of stakeholders who process Mandatum Life’s information in connection with their assignments. The requirements of the policy are also included in agreements with subcontractors, service providers, and other external stakeholders. The policy is closely linked to other internal policies, such as the Information Management Policy and Information Management Principles, which include more detailed guidelines, putting emphasis on the perspective of information confidentiality and customer trust.
The Information Security team led by the CISO is responsible for the operative management of information and cybersecurity. The level of information security and cybersecurity is continuously assessed, and tests on processes and systems are conducted on a regular basis. Both information security and cybersecurity risks are monitored actively and reported quarterly to the Operational Risk Committee.
Everyone employed by Mandatum Life or working on behalf of the company has the obligation to comply with the information security policy, principles, and guidelines, and to ensure compliance with relevant legislation. The information security awareness and competence of employees is ensured through information security training and guidelines. The completion rate for e-learning is monitored periodically. In addition to general e-learning, different teams and units are provided with customized training throughout the year. The information security awareness and competence of third parties is ensured through agreements and guidelines and, where applicable, through training. Employees are also regularly notified of security issues to raise awareness of, for example, phishing attempts and identity theft.
Suspected breaches, abuses, or shortcomings in information or cybersecurity are reported directly to either the CISO or the Information Security team. In addition, employees can report these using an internal notification channel on the intranet. Reported incidents are managed according to the Data Protection and Information Security Incident Management process and, if necessary, escalated to the Crisis Management Team.
More information in Sampo Group’s Corporate Responsibility report, p. 41.