Information security and cybersecurity

It is of paramount importance to Sampo Group that the level of information and cybersecurity is adequate for the nature and scope of the business and the general level of technical development, and that it corresponds to the level generally expected from a financial company.

Sampo Group is exposed to information security and cybersecurity risks due to the high quantity of sensitive data the company handles, and due to operations in countries with strict data protection regulations. It is important to address these risks to ensure that customers’ and other stakeholders’ data is always protected, and that operations can continue without disruption.

Governance

The group-level guidance documents regarding information security and cybersecurity are the Sampo Group Code of Conduct and the Sampo Group Information Security Principles, which are both reviewed annually and approved by the Board of Directors of Sampo plc. In addition, each Group company has adopted supplementary policies, guidelines, processes and governance structures for its own purposes. For example, at If, the Chief Information Security Officer (CISO), reporting to the Chief Risk Officer (CRO), has the overall responsibility for coordinating the information security and cybersecurity work within If. The CISO also supports If’s Board of Directors in matters related to the status of information security and its deployment. Dedicated teams of IT security specialists and application testers, as well as IT risk and security compliance, report to If’s Chief Information Officer (CIO). Information security and cybersecurity risks are reported quarterly and annually to If’s board-level ORSA Committee and Board of Directors.

Sampo Group has comprehensive information security and cybersecurity governance, including information security policies, standards, roles and responsibilities, defined controls, risk management, and reporting structures. The Group’s information security policies and standards are aligned with the ISO 27001 standard. Sampo Group performs regular risk analyses, conducts continuity planning, and has effective internal processes, high-quality systems, and infrastructure to ensure information security and cybersecurity preparedness. Sampo Group measures its performance regularly and is committed to continuous development. At Sampo Group, the requirements in relation to information security and cybersecurity are set and expected to be met by both internal and external stakeholders (e.g. relevant partners and suppliers, third-party data processors), which are regularly assessed for risks and compliance. Non-conformance may lead to disciplinary actions.

Before any new applications or services are taken into use, or before changes are made to critical systems, Sampo Group conducts a risk assessment process. Penetration tests, as well as vulnerability scanning of applications and IT infrastructure, are conducted regularly by specialised third-party security testers. Information on cyber threats is updated continuously by internal experts and by specialised third-party security partners, and instructions on IT security are updated frequently in Sampo Group’s internal channels.

Employee training

All Sampo Group employees must adhere to the applicable information security and cybersecurity standards by following internal rules and guidelines, using appropriate tools, and acting responsibly. Sampo Group provides both mandatory and voluntary training to all employees and contingent workers as part of onboarding, and annually through a combination of e-learning, in-person sessions, simulations and intranet articles. Topics covered in the training sessions include, for example, requirements, roles and responsibilities, current security risks, and how to report potential security issues. Security awareness is provided to all individuals through intranet articles, web-based training, webinars, and regular phishing simulations replicating real attacks.

Outsourced data processing

Sampo Group reviews third-party data processors regularly, for example through due diligence in the selection process, contractual requirements, and assessment and reassessment of risks, to ensure information security is addressed in outsourced data processing. Before signing a contract with any third party, Sampo Group’s procurement and outsourcing processes ensure that risks are assessed and relevant contractual security requirements are fulfilled. Contractual clauses include requirements to ensure that adequate information security and cybersecurity measures are implemented and that contractual requirements are transferred to sub-suppliers. Sampo Group continuously monitors its own and key suppliers’ security posture using a third-party service.

Sampo Group completes a risk assessment on third-party data processors before entering into an agreement with them. The risk assessment is reviewed at least annually and includes a review of the data processor’s overall contractual performance and specific questions on the occurrence of any incidents and possible consequences thereof. In addition, third-party data processing performed by partners is reviewed regularly as part of the contractual follow-up of performance and delivery under the agreements.

Audits

At Sampo Group, information security and cybersecurity audit activities are conducted regularly. All audit activities are based on risk and targeted at different areas, according to the internal audit activity plans. As part of statutory audits, general IT controls in all key systems involved in Sampo Group’s financial reporting are audited annually by external auditors.

Incident reporting

Sampo Group’s ICT applications, systems, and infrastructure are designed for resilience and include security controls protecting systems from cyberattacks. Information security and cybersecurity events and anomalies are continuously monitored, recorded and acted upon according to documented and agreed incident processes. Incidents are followed up and reported regularly to senior management, executives and board members, according to each Group company’s processes.
