Cybersecurity
Ensuring the availability, confidentiality and integrity of systems, data and information is a central component of the internal control system. In this way, Swiss Life also meets the expectations of its business partners.
Swiss Life has a comprehensive set of instruments and processes to ensure strong cyber resilience. Along with integration into the internal control system, the Group-wide directives define relevant minimum requirements for information security. These are based on leading and internationally recognised information security standards such as ISO/IEC 27001 and 27002, the Control Objectives for Information and Related Technologies (COBIT) framework, the Center for Internet Security (CIS) Controls and the Cybersecurity Framework of the National Institute of Standards and Technology (NIST). Swiss Life also maintains business continuity management (BCM) plans that are tested annually. The Switzerland Division is certified according to ISO/IEC 27001:2022 and other divisions are working towards certification.
The market units implement the standards and assess their own compliance with them together with the relevant information security specialists at Group and divisional level. This process encompasses many different topics, such as end-device encryption, remote network access control, vulnerability management, security operations, disaster recovery and cross-functional IT controls. Corporate Internal Audit reviews information security, including with regard to IT infrastructure, several times a year and periodically reviews data protection to assess the risk exposure as part of its internal auditing activities. Identified vulnerabilities are continuously remediated with appropriate measures.
Moreover, these measures undergo continuous development to ensure that the rapidly changing methods of cyberattack are taken into account. As a member of the Center for Internet Security (CIS), Swiss Life is guided, among other things, by the Center’s recommendations. The security measures implemented are internally validated by Risk Management and subjected to a regular independent external review. Cybersecurity is also a regular item on the agenda of the Corporate Executive Board and the Audit Committee.
As part of this development process, a three-year Group-wide programme to further improve cybersecurity was successfully completed at the end of 2023. 137 sub-controls from the CIS’s Critical Security Controls Framework were introduced in all business divisions. These controls have been validated by the internal Risk function and reviewed by Internal Audit and an external auditor.
The Group-wide gap analysis initiated at the end of 2023 was carried out within the framework of the EU Digital Operational Resilience Act (DORA), including its regulatory technical standards, and further measures were implemented to meet the regulatory requirements by the application date in mid-January 2025.
For several years now, all divisions have been conducting regular cybersecurity awareness training for internal and external employees, which also addresses the latest methods of attack (e.g. voice cloning). A particular focus here is on phishing prevention. Employees are sent several fake phishing e-mails each year with varying degrees of difficulty for detection. Click-through rates are measured.
The current risk situation – including the effectiveness of controls, improvement measures and findings from incidents concerning the Risk and/or Compliance function – is reported quarterly to the Corporate Executive Board and half-yearly to the Audit Committee of the Board of Directors. There were no reportable breaches in relation to cybersecurity or data security during the year under review and there were no substantiated complaints.
More information on the subject of protecting personal data can be found in the “Regulatory Compliance” section.