You are using an old version of your web browser.

Please note that the website might not function correctly using an outdated browser. We recommend updating your browser or using another one.

This site uses cookies to offer you the best user experience. By continuing browsing this site you agree to the use of cookies. Alternatively you may change your browser settings. For further information, please read our Privacy Notice.

I agree

Information Security and Cybersecurity

Materiality

It is of paramount importance to the Sampo Group companies that the level of information and cybersecurity is adequate for the nature and scope of the business and the general level of technical development, and that it corresponds to the level generally expected from a financial company.

The Group companies are exposed to information security and cybersecurity risks due to the high quantity of sensitive data the companies handle and due to operations in countries with strict data protection regulations. It is important to address these risks to ensure that customers and other stakeholders’ data is always protected, and operations can continue without disruption.

Group-level approach

The group-level guidance documents regarding information security and cybersecurity are the Sampo Group Code of Conduct and the Sampo Group Information Security Principles, which are both reviewed annually and approved by the Board of Directors of Sampo plc. In addition, each Group company has adopted supplementary policies and guidelines for its own purposes.

The Sampo Group companies are committed to performing regular risk analyses, conducting continuity planning, and having effective internal processes, high-quality systems, and infrastructure to ensure information security and cybersecurity preparedness. At Sampo Group, the requirements in relation to information security and cybersecurity are set and expected to be met by both internal and external stakeholders (e.g., third-party data processors).

All Sampo Group employees must adhere to the highest standards of information security and cybersecurity by following internal rules and guidelines, using appropriate tools, and acting responsibly. The Sampo Group companies ensure that suitable training is provided to all their employees and contingent workers.

Information Security and Cybersecurity Incidents Reported to the Authorities, Sampo Group 2021 2020 2019
If 1 1 0
Topdanmark 0 0 0
Hastings 0 - -
Mandatum 0 0 0
Sampo plc 0 0 0
Sampo Group 1 1 0

 

If

Governance

If has comprehensive information security and cybersecurity governance, including information security policies, standards, roles and responsibilities, defined controls, risk management, and reporting structures. The company’s Information Security Policy and Information Security Standards are based on the ISO 27001 standard and express the minimum requirements for information security and cybersecurity that are expected to be met by each If Group company and relevant partners and suppliers, which are regularly assessed for risks and compliance. Non-conformance may lead to disciplinary actions.

The Chief Information Security Officer (CISO) has the overall responsibility for coordinating the information security and cybersecurity work within If. The CISO also supports the Board of Directors in matters related to the status of information security and its deployment. The CISO works in the second line of defence and reports directly to the CRO, together with the Data Protection Office. This strengthens the focus on business information risk and compliance management. In the first line of defence, reporting to the CIO, there is an IT security manager specialised in information and communications technology security, who leads a team of IT security specialists and application testers, as well as an IT risk and security compliance officer.

Information security and cybersecurity risks are reported to If’s Operative Risk Committee as part of regular risk reporting from the business and IT organisation. A full report is provided semi-annually, and any new or changed substantial risks are reported quarterly. In addition, as part of the overall risk reporting coordinated by the Risk Management function, these risks are reported to the Board of Directors, the CEO, and the board-level Own Risk and Solvency Assessment Committee (ORSA) responsible for information and cybersecurity. An overview of If's risk profile and capital situation is reported quarterly to the ORSA Committee and to the Board of Directors. A more detailed ORSA report is submitted to the Board of Directors once a year. The report contains a three-year forward-looking Own Risk and Solvency Assessment. Metrics on security controls and risk activities are measured and reported monthly to the CIO and key stakeholders, such as the Head of IT Services, the CRO, the Head of Business Continuity, Risk Control and Reporting staff, and IT Service Delivery staff.

Before If launches any new solutions, and before major changes in any critical applications or systems are made, an independent internal team of experts conducts security tests using a risk-based approach as a part of change management procedures. Specialised third-party security testers also conduct security penetration tests of applications and IT infrastructure regularly.

Employee training

If provides training on information security and cybersecurity for all employees and contractors upon hire, and annually through a combination of e-learning, in-person sessions, intranet articles, and regular phishing simulations. Topics covered in the training sessions include requirements, roles and responsibilities, current security risks, and how to report potential security issues.

Outsourced data processing

If has procedures, such as due diligence in the selection process, contract requirements, and monitoring and review, to ensure information security in outsourced data processing. Before signing a contract with any third-party, If’s procurement and outsourcing processes ensure that risks are assessed, and relevant contractual security requirements are fulfilled. Contractual clauses include requirements to ensure that adequate information and cybersecurity measures are implemented, and that contractual requirements are transferred to sub-suppliers. Supplier deliveries are followed up in delivery and governance forums. If continuously monitors its own and key suppliers’ security posture using a third-party service capable of alerting of security deviations and incidents.

If reviews third-party data processers initially when entering into an agreement with them. The review is conducted by completing a risk assessment including a counterparty evaluation. The risk assessment is reviewed on an annual basis and reported to If’s Outsourcing Committee and Board of Directors to follow up on performance and risk. The annual risk assessment includes a review of the data processor’s overall contractual performance and specific questions on the occurrence of any incidents and possible consequences thereof.

In addition, If has third-party data processing performed by partners. The processing is reviewed regularly as part of contractual follow-up of performance and delivery under the agreements.

Audits

At If, information security and cybersecurity audit activities are carried out on a subsidiary level, where these matters are considered and covered. However, the group-level Internal Audit of If performs audits annually regarding the governance of information security and cybersecurity. All audit activities are based on risk and are targeted at different areas, according to the internal audit activity plans. The plans are approved by the board of directors of each respective If subsidiary. As a part of statutory audits, general IT controls in all key systems involved in If’s financial reporting are audited annually by third-party auditors.

Independent reviews and audits over the past two years have confirmed that cybersecurity and resilience maturity at If is above the industry average.

Incident reporting

If’s ICT applications, systems, and infrastructure are designed for resilience, and security controls are implemented to protect systems from cyberattacks. System events and anomalies are monitored 24/7 by an external security operations centre, supporting If by identifying and responding to security incidents. Automatically and manually reported security incidents are recorded in an issue tracking system and acted upon by the Incident Management team. Incidents are followed up in monthly follow-up meetings and are also reported monthly and quarterly to senior management, executives, and board members.

Topdanmark

Governance

To ensure information security and cybersecurity preparedness, Topdanmark has an Information Security Policy and an Information Security Management System (ISMS), which are both based on the ISO 27001 standard. Topdanmark’s Information Security Policy is part of the overall risk management system, and it applies to both company employees and external business partners.

Each year, Topdanmark’s Board of Directors approves the Information Security Policy and an IT contingency plan based on an updated IT risk assessment. A risk assessment of significant or critical operational IT risks, including cyber risk, is performed regularly, and in addition to the Board of Directors, it is reported to the Executive Board, the Risk Committee, and Topdanmark’s Compliance department. The day-to-day responsibility for information security and cybersecurity at Topdanmark lies with the CISO, who reports to the Vice President of Technology, Architecture and Security (VP TAM). VP TAM reports to the CTO on the Executive Board.

Topdanmark uses several levels of security systems to prepare for information security and cybersecurity threats. For example, the company has invested in early warning and incident management technologies. Topdanmark also performs vulnerability assessments continuously, and tests new systems for weaknesses before they are put into production. To counteract business interruption caused by information security or cybercrime, Topdanmark has a comprehensive contingency plan to ensure that business can be re-established as soon as possible.

Topdanmark’s Cyber Security Board (including members such as the VP TAM, Director IT Operations, DPO, and CISO) regularly assesses the risk arising from cybercrime and the measures necessary to achieve the required security level. The risk is managed and reduced, for example, by collaborating with external specialists within the field. Topdanmark's Board of Directors is annually briefed on cyber risks and the planned initiatives to reduce those risks.

Furthermore, Topdanmark sets requirements for external data processors on implementing sufficient security measures. This requirement is also applicable to suppliers. 

Employee training

All new employees are introduced to Topdanmark’s Information Security Policy. In addition, Topdanmark has a separate e-learning course on information security. All employees and external consultants are obliged to complete and pass the course annually. An employee’s breach of Topdanmark’s information security policy can have employment-related consequences, including, at worst, dismissal.

Audits

Topdanmark’s IT systems are reviewed by external IT auditors in connection with the annual financial audits. This ensures that the IT systems provide valid data for the annual report, and that Topdanmark complies with the information security and IT requirements set by the Danish FSA.

Hastings

Governance

Hastings has a continuous improvement-based approach towards its information security framework, which is aligned to the ISO 27001 standard, with appropriate supporting policies and processes. The framework seeks to address process and human vulnerabilities, reduce the complexity of Hastings’ technology and data estate, and embed security considerations by design in all of its business decision-making.

Hastings also has operational measures in place to monitor and respond to data breaches and cyber-attacks. These measures are routinely and independently validated and tested through vulnerability assessments and penetration testing. This includes carrying out phishing campaigns and exercises to check levels of resilience and that the incident management procedures are robust.

Hastings has dedicated Information Security, Cyber Security, Data Protection, and Compliance teams, which are in place to protect and support its business, manage policies and controls, assess risks, and prevent unauthorised or inappropriate access to information. Hastings is active across the industry in the areas of cyber and security threat intelligence and has membership of cyber co-ordination groups sponsored by the industry regulators.

Employee training

Hastings has mandatory training for all employees and supplementary cyber awareness training available as required. The company regularly engages with employees, so they are aware of threats and what to do if something goes wrong.

Outsourced data processing

Hastings reviews third-party data processors at least once in each calendar year, and more frequently for high volume and/or high-risk processors. A third-party due diligence service is used to monitor and review suppliers. In addition, Hastings has an established supplier management protocol involving regular performance and compliance assessments including, when appropriate, site visits.

Incident reporting

Hastings has operational measures in place to monitor and respond to information security and cybersecurity events and incidents. Incidents and concerns are reported to a central information security team for triage, recording, and support. Escalation processes are in place to engage the CISO and other senior roles as required, as part of the company-wide incident management process.

Mandatum

Governance

Mandatum’s information security and cybersecurity are developed systematically and in accordance with the information security strategy approved by the management, considering the ever-changing threat environment. The primary objective of the strategy is to ensure that the management has visibility of the status of information security, to determine the priorities of development activities, and to provide adequate resourcing to implement these.

Daily operations in information and cybersecurity management at Mandatum are based on the Information Security Policy, approved by the boards of directors of Mandatum Life and Mandatum Asset Management annually. The policy applies to all Mandatum employees and the representatives of stakeholders who process Mandatum’s information in connection with their assignments. The requirements of the policy are also included in agreements with subcontractors, service providers, and other external stakeholders. The policy is closely linked to other internal policies, such as the Information Management Policy and Data Protection Policy, which include more detailed guidelines, putting emphasis on the perspective of information confidentiality and customer trust. Supplementary principles include Principles for use of the internet, data network, and email, User right principles, Log entry principles, Principles for the use of cloud services, Encryption principles, and the Mandatum Information Security Management System, amongst several different guidelines and best practises.

Mandatum’s Information Security team, led by the CISO, is responsible for the operative management of information and cybersecurity. The level of information security and cybersecurity is continuously assessed, and tests on processes and systems are conducted on a regular basis. Both information security and cybersecurity risks are monitored actively and reported quarterly to the Information and Cyber Risk Committee.

Employee training

Everyone employed by Mandatum or working on behalf of the company has the obligation to comply with the information security policy, principles, and guidelines, and to ensure compliance with relevant legislation. The information security awareness and competence of employees is ensured through information security training and guidelines. The completion rate for e-learning is monitored periodically. In addition to general e-learning, different teams and units are provided with customised training on a needs basis. The information security awareness and competence of third parties is ensured through agreements and guidelines and, where applicable, through training.

Outsourced data processing

Mandatum monitors and reviews third-party data processors by conducting follow-up audits on a risk basis at least annually. The methods used in monitoring include, for example, tools or services providing risk ratings (e.g., risk rating platforms). In addition, third-party data processors’ level of service is reviewed regularly, typically monthly or quarterly.

Incident reporting

Suspected breaches, abuses, or shortcomings in information or cybersecurity are reported directly to either the CISO or the Information Security team. In addition, employees can report these using an internal notification channel on the intranet. Reported incidents are managed according to the Data Protection and Information Security Incident Management process and, if necessary, escalated to the Crisis Management Team.

Sampo plc

Sampo plc’s information security and cybersecurity systems are a part of If’s IT infrastructure. In addition, Sampo plc has strong internal controls and additional resources for company-specific purposes. At Sampo plc, information security and cybersecurity are part of new employees’ onboarding. Existing employees are offered internal training sessions when considered necessary.

More information in Sampo Group’s Sustainability Report.

Updated 25 Apr 2022