Information security and cybersecurity 

Materiality

It is of paramount importance to Sampo Group companies that the level of information and cybersecurity is adequate for the nature and scope of the business and the general level of technical development, and that it corresponds to the level generally expected from a financial company.

The Group companies are exposed to information security and cybersecurity risks due to the high quantity of sensitive data the companies handle and due to operations in countries with strict data protection regulations. It is important to address these risks to ensure that customers’ and other stakeholders’ data is always protected, and that operations can continue without disruption.

Group-level approach

The group-level guidance documents regarding information security and cybersecurity are the Sampo Group Code of Conduct and the Sampo Group Information Security Principles, which are both reviewed annually and approved by the Board of Directors of Sampo plc. In addition, each Group company has adopted supplementary policies and guidelines for its own purposes.

The Sampo Group companies perform regular risk analyses, conduct continuity planning, and have effective internal processes, high-quality systems, and infrastructure to ensure information security and cybersecurity preparedness. The Group companies measure their performance regularly and are committed to continuous development. At Sampo Group, information security and cybersecurity requirements are set for, and expected to be met by, both internal and external stakeholders (e.g., third-party data processors).

All Sampo Group employees must adhere to the highest standards of information security and cybersecurity by following internal rules and guidelines, using appropriate tools, and acting responsibly. The Sampo Group companies ensure that suitable training is provided to all their employees and contingent workers.

Group goals and ambitions

Sampo Group’s goal is to protect all types and forms of information according to its sensitivity and importance, and in compliance with applicable rules and regulations. 

Information security and cybersecurity incidents reported to the authorities, Sampo Group

               2022   2021   2020
If                1      1      1
Topdanmark        0      0      0
Hastings          0      0      -
Mandatum          0      0      0
Sampo plc         0      0      0
Sampo Group       1      1      1

Information security in Group companies

If

Governance

If has comprehensive information security and cybersecurity governance, including information security policies, standards, roles and responsibilities, defined controls, risk management, and reporting structures. The company’s Information Security Policy and Information Security Standards are aligned with the ISO 27001 standard and express the minimum requirements for information security and cybersecurity that are expected to be met by each If Group company and relevant partners and suppliers, which are regularly assessed for risks and compliance. Non-conformance may lead to disciplinary actions.

The CISO has overall responsibility for coordinating the information security and cybersecurity work within If, and supports the Board of Directors in matters related to the status of information security and its deployment. The CISO works in the second line of defence and reports directly to the Chief Risk Officer (CRO). In the first line of defence, reporting to the Chief Information Officer (CIO), an IT security manager who specialises in information and communications technology security leads a team of IT security specialists and application testers, as well as an IT risk and security compliance officer.

Information security and cybersecurity risks are reported to the board-level ORSA Committee, which is responsible for information security and cybersecurity. An overview of If’s risk profile and capital situation is reported quarterly to the ORSA Committee and to the Board of Directors. A more detailed ORSA report, containing a three-year forward-looking Own Risk and Solvency Assessment, is submitted to the Board of Directors once a year. Metrics on security controls and risk activities are measured and reported monthly to the CIO and key stakeholders, such as the Head of IT Services, the CRO, the Head of Business Continuity, Risk Control and Reporting staff, and IT Service Delivery staff.

Before If launches any new solutions, and before major changes in any critical applications or systems are made, an independent internal team of experts conducts security tests using a risk-based approach as a part of change management procedures. Specialised third-party security testers also conduct regular security penetration tests of applications and IT infrastructure. 

Employee training

If provides training on information security and cybersecurity for all employees and contractors upon hire, and annually thereafter, through a combination of e-learning, in-person sessions, and intranet articles. Topics covered include requirements, roles and responsibilities, current security risks, and how to report potential security issues. Ongoing security awareness for all employees and consultants is maintained through an annual security awareness programme of web-based training, webinars, intranet articles, and continuous phishing simulations replicating real attacks.

Outsourced data processing

If has procedures, such as due diligence in the selection process, contractual requirements, and assessment and reassessment of risks, to ensure information security is addressed in outsourced data processing. Before signing a contract with any third party, If’s procurement and outsourcing processes ensure that risks are assessed, and relevant contractual security requirements are fulfilled. Contractual clauses include requirements to ensure that adequate information and cybersecurity measures are implemented and that contractual requirements are transferred to sub-suppliers. Supplier deliveries are followed up in delivery and governance forums. If continuously monitors its own and key suppliers’ security posture using a third-party service capable of alerting about security deviations and incidents.

If reviews third-party data processors before entering into an agreement with them. The review is conducted by completing a risk assessment including a counterparty evaluation. The risk assessment is reviewed on an annual basis and reported to If’s Outsourcing Committee and Board of Directors to follow up on performance and risk. The annual risk assessment includes a review of the data processor’s overall contractual performance and specific questions on the occurrence of any incidents and possible consequences thereof.

In addition, If has third-party data processing performed by partners. The processing is reviewed regularly as part of the contractual follow-up of performance and delivery under the agreements. 

Audits

At If, information security and cybersecurity audit activities are carried out at subsidiary level, where these matters are considered and covered. In addition, If’s group-level Internal Audit performs annual audits of the governance of information security and cybersecurity. All audit activities are risk-based and target different areas according to the internal audit activity plans, which are approved by the board of directors of each If subsidiary. As part of statutory audits, general IT controls in all key systems involved in If’s financial reporting are audited annually by third-party auditors.

Incident reporting

If’s ICT applications, systems, and infrastructure are designed for resilience and include security controls protecting systems from cyberattacks. System events and anomalies are monitored 24/7 by an external security operations centre, supporting If by identifying and responding to security incidents. Automatically and manually reported security incidents are recorded in an issue tracking system and acted upon by the Incident Management team according to a documented and agreed incident process. Incidents are followed up in monthly follow-up meetings and reported monthly and quarterly to senior management, executives, and board members. 

Topdanmark

Governance

Topdanmark has an Information Security Policy and an Information Security Management System (ISMS), which are both based on the ISO 27001 standard. Topdanmark’s Information Security Policy is part of the overall risk management system, and it applies to both company employees and external business partners.  

Each year, Topdanmark’s Board of Directors approves the Information Security Policy and an IT contingency plan based on an updated IT risk assessment. A risk assessment of significant or critical operational IT risks, including cyber risk, is performed regularly, and in addition to the Board of Directors, it is reported to the Executive Board, the Risk Committee, and Topdanmark’s Compliance department. The day-to-day responsibility for information security and cybersecurity at Topdanmark lies with the CISO, who reports to the Vice President of Technology, Architecture and Security (VP TAM). VP TAM reports to the CTO on the Executive Board.

Topdanmark uses several layers of security systems to prepare for information security and cybersecurity threats; for example, the company has invested in early warning and incident management technologies. Topdanmark also performs vulnerability assessments continuously and tests new systems for weaknesses before they are put into production. To counteract business interruption caused by information security incidents or cybercrime, Topdanmark has a comprehensive contingency plan to ensure that business can be re-established as soon as possible.

Topdanmark’s Cyber Security Board (including members such as the VP TAM, Director IT Operations, DPO, and CISO) regularly assesses the risk arising from cybercrime and the measures necessary to achieve the required security level. The risk is managed and reduced, for example, by collaborating with external specialists within the field. Topdanmark's Board of Directors is annually briefed on cyber risks and the planned initiatives to reduce those risks.

Furthermore, Topdanmark requires external data processors and suppliers to implement sufficient security measures.

Employee training

All new employees are introduced to Topdanmark’s Information Security Policy. In addition, Topdanmark has a separate e-learning course on information security. All employees and external consultants are obliged to complete and pass the course every second year. An employee’s breach of Topdanmark’s information security policy can have employment-related consequences, including, at worst, dismissal.

Audits

Topdanmark’s IT systems are reviewed by external IT auditors in connection with the annual financial audits. This ensures that the IT systems provide valid data for the annual report, and that Topdanmark complies with the information security and IT requirements set by the Danish FSA.

Hastings

Governance

Hastings has an information security framework, which seeks to address process and human vulnerabilities, reduce the complexity of Hastings’ technology and data estate, and embed security considerations by design in all its business decision-making. The framework is aligned to the ISO 27001 standard, with appropriate supporting policies and processes.  

Hastings has measures in place to monitor and respond to information security and cybersecurity events and incidents, which are routinely and independently validated and tested. Testing is undertaken by CBEST-certified partners and includes vulnerability assessments and penetration testing alongside internally run phishing campaigns and exercises to check the resilience and robustness of incident management procedures.  

Hastings has dedicated Information Security, Cyber Security, Data Protection, and Compliance teams, which are in place to protect and support its business, manage policies and controls, assess risks, and prevent unauthorised or inappropriate access to information. Hastings is active across the industry in the areas of cyber and security threat intelligence and has membership of cyber co-ordination groups sponsored by the industry regulators and supported by government agencies such as the UK National Cyber Security Centre (NCSC). 

Employee training

Hastings has mandatory training for all employees and supplementary cyber awareness training available as required. The company regularly engages with employees, so they are aware of threats and what to do if something goes wrong.

Outsourced data processing

Hastings reviews third-party data processors at least once in each calendar year, and more frequently for high volume and/or high-risk processors. A third-party due diligence service is used to monitor and review suppliers. In addition, Hastings has an established supplier management protocol involving regular performance and compliance assessments including, when appropriate, site visits.

Incident reporting

Incidents and concerns are reported to a central information security team for triage, recording, and support. Escalation processes are in place to engage the CISO and other senior roles, as required, as part of the organisation-wide incident management process. 

Mandatum

Governance

Mandatum’s information security management system is certified against the ISO/IEC 27001:2013 standard, and annual audits are performed by the certificate issuer. The information security risk management model is being integrated into the operational risk management model. In addition, Mandatum has defined KPIs and a risk appetite, and cyber risks form a separate category in the risk taxonomy.

Mandatum’s information security and cybersecurity are developed systematically and in accordance with the information security strategy approved by management. Given the ever-changing cyber threat environment, the strategy may be amended during the strategy period. Its primary objective is to ensure that management has visibility of the status of information security, to determine the priorities of development activities, and to provide adequate resourcing to implement them.

Daily operations in information and cybersecurity management at Mandatum are based on the Information Security Policy, approved by the boards of directors of Mandatum Life and MAM annually. The policy applies to all Mandatum employees and the representatives of stakeholders who process Mandatum’s information in connection with their assignments. The requirements of the policy are also included in agreements with subcontractors, service providers, and other external stakeholders. The policy is closely linked to other internal policies, such as the Information Management Policy and Data Protection Policy. Supplementary principles include Principles for use of the internet, data network, and email, User right principles, Log entry principles, Principles for the use of cloud services, Encryption principles, and the Mandatum Information Security Management System, amongst several different guidelines and best practices.

Mandatum’s first and second lines of defence have their own information security organisations. Operational information security work is the responsibility of the Business Technology unit, which plans and implements technical and administrative solutions related to information and cybersecurity. The strategic and tactical control of information security, as well as the monitoring and supporting of other units, is centralised in the risk management function, where it is led by the CISO.

The level of information security and cybersecurity is continuously assessed, and tests on processes and systems are conducted on a regular basis. Both information security and cybersecurity risks are monitored actively and reported quarterly to the Information Security and Cyber Risk Committee. 

Employee training

Everyone employed by Mandatum or working on behalf of the company has the obligation to comply with the information security policy, principles, and guidelines, and to ensure compliance with relevant legislation. The information security awareness and competence of employees is ensured through information security training and guidelines. The completion rate for e-learning is monitored periodically. In addition to general e-learning, different teams and units are provided with customised training as needed.  

The information security awareness and competence of third parties is ensured through agreements and guidelines and, where applicable, through training. 

Outsourced data processing

Mandatum monitors and reviews third-party data processors by conducting follow-up audits at least annually. The methods used in monitoring include, for example, risk ratings. In addition, the third-party data processors’ level of service is reviewed regularly, typically monthly or quarterly.

Incident reporting

Suspected breaches, abuses, or shortcomings in information or cybersecurity are reported to the incident reporting system or directly to either the CISO or other information security personnel. Reported incidents are managed promptly according to the Data Protection and Information Security Incident Management process and, if necessary, escalated to the Crisis Management Team.

Sampo plc

Sampo plc’s information security and cybersecurity systems are part of If’s IT infrastructure. In addition, Sampo plc has strong internal controls and additional resources for company-specific purposes. Sampo plc continuously updates its information on cyber threats and frequently updates IT security instructions on the company intranet.

At Sampo plc, information security and cybersecurity are part of new employees’ onboarding. Existing employees are offered internal training sessions twice a year, and employee participation is monitored. Training sessions and other resources (e.g. training material) are available to employees at all times. 
