Information security and cybersecurity 

Materiality

It is of paramount importance to Sampo Group companies that the level of information and cybersecurity is adequate for the nature and scope of the business and the general level of technical development, and that it corresponds to the level generally expected from a financial company.

The Group companies are exposed to information security and cybersecurity risks due to the high quantity of sensitive data the companies handle and due to operations in countries with strict data protection regulations. It is important to address these risks to ensure that customers’ and other stakeholders’ data is always protected and that operations can continue without disruption.

Group-level approach

The group-level guidance documents regarding information security and cybersecurity are the Sampo Group Code of Conduct and the Sampo Group Information Security Principles, which are both reviewed annually and approved by the Board of Directors of Sampo plc. In addition, each Group company has adopted supplementary policies and guidelines for its own purposes.

The Sampo Group companies perform regular risk analyses, conduct continuity planning, and have effective internal processes, high-quality systems, and infrastructure to ensure information security and cybersecurity preparedness. The Group companies measure their performance regularly and are committed to continuous development. At Sampo Group, the requirements in relation to information security and cybersecurity are set and expected to be met by both internal and external stakeholders (e.g., third-party data processors).

All Sampo Group employees must adhere to the highest standards of information security and cybersecurity by following internal rules and guidelines, using appropriate tools, and acting responsibly. The Sampo Group companies ensure that suitable training is provided to all their employees and contingent workers.

Group goals and ambitions

Sampo Group’s goal is to protect all types and forms of information according to its sensitivity and importance, and in compliance with applicable rules and regulations. 

Information security and cybersecurity incidents reported to the authorities, Sampo Group

                 2022    2021    2020
If               1       1       1
Topdanmark       0       0       0
Hastings         0       0       -
Mandatum*        0       0       0
Sampo plc        0       0       0
Sampo Group      1       1       1

* Mandatum was part of Sampo Group until and including 30 September 2023.

Company-level information

If

Governance

If has comprehensive information security and cybersecurity governance, including information security policies, standards, roles and responsibilities, defined controls, risk management, and reporting structures. The company’s Information Security Policy and Information Security Standards are aligned with the ISO 27001 standard and express the minimum requirements for information security and cybersecurity that are expected to be met by each If Group company and relevant partners and suppliers, which are regularly assessed for risks and compliance. Non-conformance may lead to disciplinary actions.

The CISO has the overall responsibility for coordinating the information security and cybersecurity work within If. The CISO also supports the Board of Directors in matters related to the status of information security and its deployment. The CISO works in the second line of defence and reports directly to the Chief Risk Officer (CRO). In the first line of defence, reporting to the Chief Information Officer (CIO), there is an IT security manager who specialises in information and communications technology security and leads a team of IT security specialists and application testers, as well as an IT risk and security compliance officer.

Information security and cybersecurity risks are reported to the board-level ORSA Committee, responsible for information and cybersecurity. An overview of If’s risk profile and the capital situation is reported quarterly to the ORSA Committee and to the Board of Directors. A more detailed ORSA report is submitted to the Board of Directors once a year. The report contains a three-year forward-looking Own Risk and Solvency Assessment. Metrics on security controls and risk activities are measured and reported monthly to the CIO and key stakeholders, such as the Head of IT Services, the CRO, the Head of Business Continuity, Risk Control and Reporting staff, and IT Service Delivery staff.

Before If launches any new solutions, and before major changes in any critical applications or systems are made, an independent internal team of experts conducts security tests using a risk-based approach as a part of change management procedures. Specialised third-party security testers also conduct regular security penetration tests of applications and IT infrastructure. 

Employee training

If provides training on information security and cybersecurity for all employees and contractors upon hire, and annually through a combination of e-learning, in-person sessions, and intranet articles. Topics covered in the training sessions include requirements, roles and responsibilities, current security risks, and reporting potential security issues. Security awareness is provided to all individuals through intranet articles, webinars, and regular phishing simulations replicating real attacks. 

All employees and consultants are subject to an annual security awareness programme, which includes web-based training, webinars, and continuous phishing training. 

Outsourced data processing

If has procedures, such as due diligence in the selection process, contractual requirements, and assessment and reassessment of risks, to ensure information security is addressed in outsourced data processing. Before signing a contract with any third party, If’s procurement and outsourcing processes ensure that risks are assessed and that the relevant contractual security requirements are fulfilled. Contractual clauses include requirements to ensure that adequate information and cybersecurity measures are implemented and that contractual requirements are passed on to sub-suppliers. Supplier deliveries are followed up in delivery and governance forums. If continuously monitors its own and key suppliers’ security posture using a third-party service that alerts on security deviations and incidents.

If reviews third-party data processors before entering into an agreement with them. The review is conducted by completing a risk assessment including a counterparty evaluation. The risk assessment is reviewed on an annual basis and reported to If’s Outsourcing Committee and Board of Directors to follow up on performance and risk. The annual risk assessment includes a review of the data processor’s overall contractual performance and specific questions on the occurrence of any incidents and possible consequences thereof.

In addition, If has third-party data processing performed by partners. The processing is reviewed regularly as part of the contractual follow-up of performance and delivery under the agreements. 

Audits

At If, information security and cybersecurity audit activities are carried out at the subsidiary level, where these matters are considered and covered. In addition, If’s group-level Internal Audit performs audits annually regarding the governance of information security and cybersecurity. All audit activities are risk-based and targeted at different areas according to the internal audit activity plans, which are approved by the board of directors of each respective If subsidiary. As part of the statutory audits, the general IT controls in all key systems involved in If’s financial reporting are audited annually by third-party auditors.

Incident reporting

If’s ICT applications, systems, and infrastructure are designed for resilience and include security controls protecting systems from cyberattacks. System events and anomalies are monitored 24/7 by an external security operations centre, supporting If by identifying and responding to security incidents. Automatically and manually reported security incidents are recorded in an issue tracking system and acted upon by the Incident Management team according to a documented and agreed incident process. Incidents are followed up in monthly follow-up meetings and reported monthly and quarterly to senior management, executives, and board members. 

Topdanmark

Governance

Topdanmark has an Information Security Policy and an Information Security Management System (ISMS), which are both based on the ISO 27001 standard. Topdanmark’s Information Security Policy is part of the overall risk management system, and it applies to both company employees and external business partners.  

Each year, Topdanmark’s Board of Directors approves the Information Security Policy and an IT contingency plan based on an updated IT risk assessment. A risk assessment of significant or critical operational IT risks, including cyber risk, is performed regularly, and in addition to the Board of Directors, it is reported to the Executive Board, the Risk Committee, and Topdanmark’s Compliance department. The day-to-day responsibility for information security and cybersecurity at Topdanmark lies with the CISO, who reports to the Vice President of Technology, Architecture and Security (VP TAM). VP TAM reports to the CTO on the Executive Board.

Topdanmark uses several levels of security systems to prepare for information security and cybersecurity threats. For example, the company has invested in early warning and incident management technologies. Topdanmark also performs vulnerability assessments continuously, and tests new systems for weaknesses before they are put into production. To counteract business interruption caused by information security or cybercrime, Topdanmark has a comprehensive contingency plan to ensure that business can be re-established as soon as possible.

Topdanmark’s Cyber Security Board (including members such as the VP TAM, Director IT Operations, DPO, and CISO) regularly assesses the risk arising from cybercrime and the measures necessary to achieve the required security level. The risk is managed and reduced, for example, by collaborating with external specialists within the field. Topdanmark’s Board of Directors is annually briefed on cyber risks and the planned initiatives to reduce those risks.

Furthermore, Topdanmark sets requirements for external data processors on implementing sufficient security measures. This requirement is also applicable to suppliers.  

Employee training

All new employees are introduced to Topdanmark’s Information Security Policy. In addition, Topdanmark has a separate e-learning course on information security. All employees and external consultants are obliged to complete and pass the course every second year. An employee’s breach of Topdanmark’s information security policy can have employment-related consequences, including, at worst, dismissal.

Audits

Topdanmark’s IT systems are reviewed by external IT auditors in connection with the annual financial audits. This ensures that the IT systems provide valid data for the annual report, and that Topdanmark complies with the information security and IT requirements set by the Danish FSA.

Hastings

Governance

Hastings has an information security framework, which seeks to address process and human vulnerabilities, reduce the complexity of Hastings’ technology and data estate, and embed security considerations by design in all its business decision-making. The framework is aligned to the ISO 27001 standard, with appropriate supporting policies and processes.  

Hastings has measures in place to monitor and respond to information security and cybersecurity events and incidents, which are routinely and independently validated and tested. Testing is undertaken by CBEST-certified partners and includes vulnerability assessments and penetration testing alongside internally run phishing campaigns and exercises to check the resilience and robustness of incident management procedures.  

Hastings has dedicated Information Security, Cyber Security, Data Protection, and Compliance teams, which are in place to protect and support its business, manage policies and controls, assess risks, and prevent unauthorised or inappropriate access to information. Hastings is active across the industry in the areas of cyber and security threat intelligence and has membership of cyber co-ordination groups sponsored by the industry regulators and supported by government agencies such as the UK National Cyber Security Centre (NCSC). 

Employee training

Hastings has mandatory training for all employees and supplementary cyber awareness training available as required. The company regularly engages with employees, so they are aware of threats and what to do if something goes wrong.

Outsourced data processing

Hastings reviews third-party data processors at least once in each calendar year, and more frequently for high volume and/or high-risk processors. A third-party due diligence service is used to monitor and review suppliers. In addition, Hastings has an established supplier management protocol involving regular performance and compliance assessments including, when appropriate, site visits.

Incident reporting

Incidents and concerns are reported to a central information security team for triage, recording, and support. Escalation processes are in place to engage the CISO and other senior roles, as required, as part of the organisation-wide incident management process. 

Sampo plc

Governance

Sampo plc’s information security and cybersecurity systems are part of If’s IT infrastructure, and Sampo plc also follows If’s incident management process. In addition, Sampo plc has strong internal controls and additional resources for company-specific purposes. Before any new applications or services are taken into use, and before changes are made to any of Sampo plc’s critical systems, a risk assessment is conducted. Penetration tests, as well as vulnerability scanning of applications and IT infrastructure, are conducted regularly by specialised third-party security testers. Information on cyber threats is updated continuously by internal experts and by specialised third-party security partners, and instructions on IT security are updated frequently on the company intranet.

Employee training

At Sampo plc, information security and cybersecurity are part of new employees’ onboarding. Existing employees are offered internal training sessions twice a year, and employee participation is monitored. Training sessions and other resources (e.g. training material) are available to employees at all times.
