Cybersecurity
Ensuring the availability, confidentiality and integrity of systems, data and information is a central component of the internal control system. In this way, Swiss Life also meets the expectations of its business partners.
Swiss Life has a comprehensive set of instruments and processes to ensure strong cyber resilience. Along with integration into the internal control system, the Group-wide directives define the minimum requirements for information security. These are based on leading, internationally recognised information security standards such as ISO/IEC 27001 and ISO/IEC 27002, the COBIT framework (Control Objectives for Information and Related Technologies), the Center for Internet Security (CIS) Critical Security Controls and the Cybersecurity Framework of the National Institute of Standards and Technology (NIST). Swiss Life also maintains business continuity management (BCM) plans that are tested annually. The Switzerland Division is certified to ISO/IEC 27001 (the certifiable standard; ISO/IEC 27002 provides the control guidance it references), and the other divisions are working towards certification.
The market units implement these standards and, together with the information security specialists at Group and divisional level, assess their own compliance with them. This assessment covers a wide range of topics, such as end-device encryption, remote network access control, vulnerability management, security operations, disaster recovery and cross-functional IT controls. Corporate Internal Audit reviews information security, including the IT infrastructure, several times a year and periodically reviews data protection to assess the risk exposure as part of its internal auditing activities. Identified weaknesses are countered with appropriate measures; depending on the finding, these may include improving processes, updating documentation, correcting access rights or launching a project to mitigate the residual risk sustainably.
These measures are continuously developed so that rapidly changing cyberattack methods are taken into account. As a member of the Center for Internet Security (CIS), Swiss Life is guided, among other things, by the Center's recommendations. The security measures implemented are validated internally by Risk Management and subjected to regular independent external review. Cybersecurity is also a standing item on the agenda of the Corporate Executive Board and the Audit Committee.
As part of this development, a three-year Group-wide programme to further improve cybersecurity was completed at the end of 2023. 137 sub-controls (termed safeguards in CIS Controls v8) from the CIS Critical Security Controls were introduced in all business divisions. These controls are validated by the Risk function and reviewed by Internal Audit. Progress in cybersecurity is reviewed by the Corporate Executive Board on a quarterly basis.
In 2024, the focus will be on a Group-wide gap analysis against the further-reaching requirements of the EU Digital Operational Resilience Act (DORA), including its regulatory and implementing technical standards (RTS/ITS); DORA applies from 17 January 2025.
All divisions have set up a comprehensive cybersecurity awareness programme for all employees, with a particular focus on phishing prevention. Employees are repeatedly sent simulated phishing e-mails of varying difficulty, and the resulting click-through rates are measured.
The current risk situation, including the effectiveness of controls, improvement measures and findings from incidents relevant to the Risk and/or Compliance function, is reported quarterly to the Corporate Executive Board and half-yearly to the Audit Committee of the Board of Directors. There were no reportable breaches with regard to cybersecurity or data protection during the year under review.
Further information on data protection can be found in the “Regulatory Compliance” and “Risk Management” sections.