Cybersecurity
Swiss Life has compiled a comprehensive set of directives and measures to ensure strong cyber resilience. In addition, Swiss Life’s Cyber Security Strategy 2025+ focuses on further improving cyber resilience against modern cyber and supply chain attacks.
Group-wide guidelines define relevant minimum requirements for information security. These are based on leading and internationally recognised information security standards such as ISO/IEC 27001, the Control Objectives for Information and Related Technology (COBIT) Framework, the Center for Internet Security (CIS) Controls and the Cybersecurity Framework of the National Institute of Standards and Technology (NIST). The Switzerland Division is certified according to ISO/IEC 27001:2022; the other divisions either hold the same certification or are working towards it. IT and information security also form an integral part of the Group-wide third-party risk management framework. This framework ensures risk-based due diligence during the vendor selection process, including the integration of regulatory and Swiss Life-specific security requirements into contracts, as well as the continuous monitoring of providers. Ensuring the availability, confidentiality and integrity of systems, data and information is also a central component of the internal control system. In this way, Swiss Life also meets the expectations of its business partners. Requirements for handling information security incidents are regulated consistently across the Group as part of operational risk management. More information on the internal control system can be found in the “Risk Management” section.
The divisions implement the measures defined in the guidelines and assess their own compliance with them together with the relevant information security specialists at Group and divisional level. The measures cover many different aspects, including end-device encryption, access controls for remote network access, vulnerability management, endpoint detection and response, security operations, round-the-clock monitoring via security operations centres, disaster recovery, and application-independent IT controls.
Furthermore, Swiss Life classifies all data according to the applicable protection requirements. All data is secured and protected with the appropriate organisational and technical protection measures.
These measures undergo continuous development to ensure that the rapidly changing methods of cyberattack are taken into account. As a member of the CIS, Swiss Life is guided by its recommendations and has introduced defined controls from its Critical Security Controls Framework across the Swiss Life Group.
For several years now, all divisions have been providing regular, compulsory cybersecurity awareness training courses for internal and external employees, which also address the latest methods of attack. A particular focus is on phishing prevention. Each year, employees are sent several fake phishing e-mails, which vary in how difficult they are to detect. Click-through rates are measured.
The security measures and controls implemented in relation to information security and the IT infrastructure are validated by the second-line function and are regularly and independently reviewed by the third line and external parties. Potential vulnerabilities are continuously addressed through the implementation of appropriate measures. Swiss Life also maintains business continuity management (BCM) plans that are regularly updated and tested. These set out the procedures, fallback options and appropriate substitute resources required to ensure the continuity and/or restoration of critical business processes.
The responsibilities relating to the directives system are described in the “Strategic anchoring, processes and training” section. As a member of the extended Corporate Executive Board, the Group CRO monitors the cybersecurity strategy.
Information on the current risk situation – including the effectiveness of controls, improvement measures and findings from incidents concerning the Risk and/or Compliance function – is submitted quarterly to the Corporate Executive Board and half-yearly to the Audit Committee of the Board of Directors. In the reporting year, there were no incidents relating to cybersecurity or data security that were subject to mandatory reporting under the FINMA Supervision Act, nor were there any substantiated complaints.