Swiss Life depends on strong cyber resilience to achieve its business strategy and goals. Ensuring the availability, confidentiality and integrity of systems, data and information is a central component of its internal control system. In doing so, Swiss Life also meets the expectations of its business partners.
Swiss Life has a comprehensive set of instruments and processes to ensure strong cyber resilience. Along with integration into the internal control system, the Group-wide directives define relevant minimum requirements for information security. These are based on leading and internationally recognised information security standards such as ISO/IEC 27001 and ISO/IEC 27002, the Control Objectives for Information and Related Technology (COBIT) framework, the Center for Internet Security (CIS) Controls and the Cybersecurity Framework of the National Institute of Standards and Technology (NIST). Swiss Life also maintains business continuity management (BCM) plans that are tested annually. The Switzerland Division is certified to ISO/IEC 27001 and the other divisions are working towards certification.
The market units implement the standards and assess their own compliance with them together with the relevant information security specialists at Group and divisional level. This process encompasses many different topics, such as end-device encryption, remote network access control, vulnerability management, security operations, disaster recovery and cross-functional IT controls. Corporate Internal Audit reviews information security, including in the IT infrastructure, several times a year and periodically reviews data protection to assess the risk exposure as part of its internal auditing activities. Any deficiencies are countered with appropriate measures. Depending on the deficiency identified, measures may include improving processes, updating documentation, rectifying access rights or launching a project to sustainably mitigate the residual risk.
The “continuous development” approach is also intended to ensure that rapidly changing cyber-attack methods are taken into account. Among other things, Swiss Life follows the recommendations of the Center for Internet Security (CIS) and is an active member of this organisation. The security measures implemented are internally validated by Risk Management and subjected to a regular independent external review. Cybersecurity is also a regular item on the agenda of the Corporate Executive Board and the Audit Committee.
There were no significant reportable breaches of cybersecurity in the 2022 reporting year.
Further information on data protection can be found in the “Regulatory Compliance” and “Risk Management” sections.