• G1-6

For PZU, security is an important element in the functioning of a modern insurance institution that affects the Company’s reputation, enhances its credibility and builds client confidence. Therefore, PZU attaches great importance to operating in accordance with the law and the standards set, ensuring a high level of operational security.

PZU and PZU Życie have adopted the “Security Policy in PZU SA and PZU Życie SA”.

The document, along with internal acts and decisions intended to implement the policy, is a comprehensive and complete regulation that covers the following areas:

  • information security;
  • counteracting crime;
  • counteracting money laundering and terrorism financing;
  • business continuity;
  • IT systems security;
  • physical security and occupational health and safety.

In the second quarter of each year, the Director of the Security Department submits to the Management Board a report on the assessment of the level of security threats for the previous calendar year. Based on this report, the Management Board may oblige the relevant organizational units to take measures to reduce the level of the identified security threat to PZU and PZU Życie.

The policy also creates common security standards for other PZU Group companies. Each Group company participates in achieving operational security goals using common security standards.

Compliance with the provisions of the Policy by external entities cooperating with PZU and PZU Życie on the basis of contracts and agreements, including individuals providing services to the Company under civil law contracts, is one of the priorities of the operational security of PZU and PZU Życie.

  • 3-3
  • 2-25

Approach to Management

PZU strives to ensure the security of protected information, including data covered by insurance secrecy and personal data in accordance with applicable laws.

The department in charge of security in PZU and PZU Życie is supervised by a Board Member. For the period from January 1 to December 31, 2023, it was Ernest Bejda. He has many years of experience in the area he supervises. Prior to his employment in the PZU Group he worked in the General Customs Inspectorate in Warsaw, and then he ran his own advocate practice. He co-founded the Central Anti-Corruption Bureau, in which he served as its Deputy Head (2006-2009), acting Head of the CBA from December 2015, and then as the head of the institution (2016-2020).

PZU and PZU Życie have implemented rules for client identification and for providing information in response to client requests. Only persons authorized to do so have access to personal data and information covered by insurance secrecy. Authorizations are granted according to the duties performed, through the Central System for Information Security Management (Centralny System Zarządzania Bezpieczeństwem Informacji – CSZBI). In addition, a DLP-class monitoring system was implemented at PZU. Appropriate rules are configured in the system to minimize the risk of disclosure of information, including personal data, to unauthorized persons. The companies regularly implement and update procedures and safeguards in electronic channels of communication with clients, thereby minimizing the risk of unauthorized disclosure of legally protected information.

The documents that govern the security of protected information at PZU and PZU Życie are the “Security Policy in PZU SA and PZU Życie SA” and, notably:

  • Security procedure in the area of information security – its scope includes, among other things, the principles of information protection and information security in information systems, the information system management instruction, prevention and prophylactic measures, and security risk management. The document also regulates the sharing of legally protected information, including data covered by insurance secrecy;
  • Security procedure in the area of personal data protection – the document defines, in particular, the rules for processing personal data, accessing them, handling requests from data subjects, responding to security incidents, assessing and reporting breaches, as well as the role and tasks of the Data Protection Officer. The procedure also regulates the selection and audit of the processor;
  • Procedure for monitoring a service provider – it defines the legal basis, purpose and scope of monitoring. Under the procedure, audits are performed of contractors that have been entrusted with personal data processing by PZU.

A number of additional procedures and rules are also in place, including:

  • IT security risk management procedure;
  • Risk assessment and personal data protection impact assessment procedure in PZU SA and PZU Życie SA;
  • Management of anti-malware safeguards;
  • Rules for secure personal data processing;
  • Rules for managing personal data processing risk;
  • IT security rules – IT Security Management System;
  • Rules for managing the IT infrastructure vulnerabilities and security tests;
  • Instruction manual (methodology) for identification and risk assessment of personal data processing;
  • Classification of information and security levels at PZU and PZU Życie;
  • Periodic reporting to the Management Boards of PZU and PZU Życie as regards data concerning DPIA analyses performed;
  • Monitoring of processes and checking the observance of recommendations issued.

Transfer of Protected Information to Third Parties

Data subject to insurance secrecy are made available by PZU and PZU Życie under Article 35 of the Insurance and Reinsurance Activity Act, which provides the list of the entities and institutions to which data may be made available. Third-party entities are entrusted by PZU and PZU Życie with personal data processing under a contract for entrusting the processing of personal data. Where third-party entities are provided with protected information, it is standard practice to enter into a confidentiality agreement. The contents of such a contract include, among other things, an undertaking to implement at least the same measures to ensure the protection of information, as well as a provision guaranteeing the right to audit.

The solutions in place are designed to ensure that each piece of information is protected according to an appropriate level of security, to ensure control of access to information and the integrity and availability of information, to prevent theft and unauthorized outflow of information, and to ensure an appropriate level of client privacy. Each person whose data is processed by PZU and PZU Życie is entitled to access their data and to erase, rectify, complete or modify their personal data, and has the opportunity to ask questions concerning privacy. Appropriate processes have been put in place for this purpose, which ensure the exercise of the rights of data subjects as defined in Articles 12 to 22 of the GDPR¹.

Audits of entities that have been entrusted with personal data processing are conducted by PZU and PZU Życie on a regular basis. During an audit it is verified whether the processing of the entrusted personal data by the processor complies with the GDPR and the agreement for entrusting personal data processing. PZU and PZU Życie also conduct audits of the processors in the case of which security incidents have occurred. Recommendations for changing processes or systems for particular business owners are issued on the basis of audits.

  • 2-16
  • 418-1

Personal data protection officers

There is a designated Data Protection Officer at PZU who handles the duties of the personal data controller (PDC) and of a data protection officer (DPO) as prescribed by law, monitors information security incidents, in particular those relating to personal data and breaches reported to the President of the Personal Data Protection Office (PUODO), and reports periodically to the Management Boards of PZU and PZU Życie.

The scope of reporting on the security of the processed data, in terms of the identified risks and vulnerabilities, includes data on information security incidents, particularly in the area of personal data protection, including information on the implementation of the obligations set forth in Article 33 (Notification of a personal data breach to the supervisory authority) and Article 34 (Communication of a personal data breach to the data subject) of the GDPR. Ongoing monitoring of data processing, together with data analysis and reporting, guarantees transparency and accountability. Using the established mechanisms, the areas requiring changes are identified and recommendations for improving the security of personal data processing in these areas are issued.

Following the obligations set forth expressly in the GDPR, processes have been implemented in PZU and PZU Życie which guarantee a documented process relating to the carrying out of the provisions of Article 35 (Data protection impact assessment) of the GDPR, requiring companies to assess the data protection impact in order to estimate, in particular, the source, nature, specifics and seriousness of the risk.

Opinion issuing process

Internal documents, contracts and processes are reviewed in terms of compliance with the applicable provisions on the protection of personal data, judicial rulings, administrative decisions, regulations adopted by PZU and PZU Życie and best market practices.

The implementation of the opinion issuing process by PZU and PZU Życie has contributed to ensuring the compliance of data processing operations with the applicable laws; it ensures accountability and the implementation of the privacy by design principle. It makes it possible to identify irregularities at an early stage and to adapt actions to the standards in force.

The implemented opinion issuing process encompasses the rollout of new functionalities or changes in the existing functionalities of IT systems, internal documents, processes and contracts in which a personal data related element is or may be present. For this process to be carried out in the best possible way, a dedicated e-mail box has been set up to which queries from business units are sent. Matters are assigned to employees specializing in various data protection areas. The opinion issuing process ends with the issuing of a recommendation in compliance with the applicable provisions on the protection of personal data, judicial rulings, administrative decisions, regulations adopted by PZU and PZU Życie and best market practices. To ensure accountability, all the cases for which opinions have been issued are recorded in a register.

Opinion issuing process                      2022    2023
Initiatives                                   674     737
Subthemes                                     935   1,379
Proof of Concept                                8       8
DPIA analyses – new processes                  24      27
DPIA analyses – existing processes              4       2

Complaints filed with the supervisory authority   2022    2023
PZU                                                 13      10
PZU Życie                                            4       3
Comments: in 2023, the number of complaints filed against the activities of PZU and PZU Życie by third parties with the supervisory authority was 10 and 3, respectively.

In 2023, the supervisory authority issued 9 administrative decisions on complaints filed by third parties in 2023 and in previous years (7 decisions in complaint cases for PZU SA and 2 for PZU Życie SA). Under the administrative decisions of 2023, the authority issued two reprimands for a breach of Article 6(1) of the GDPR (one to PZU and one to PZU Życie). In other cases of administrative decisions issued in 2023, the supervisory authority: refused to grant the application, discontinued the proceedings, revoked the reservation of business secrets.

                          2022    2023
PZU Group, including:    1,053     916
PZU                        198     213
PZU Życie                   84      69

                                                                2022            2023
Number of potential infections blocked                          >7.5 thousand   >5.5 thousand
Number of blocked connection attempts to send malicious emails  210 million     263 million
Number of high-risk attacks blocked*                            744 thousand    177 thousand
Number of blocked redirects to unsafe resources                 >1 million      0.97 million
Number of malicious emails blocked                              0.7 million     0.65 million
* Comment: the decrease in the number of blocked high-risk attacks is due to an adjustment in the measurement method.

                                        2022     2023
Number of analyses                      70 k     ~104 k
Number of initiatives reviewed          1.2 k    1.03 k
Number of manual security tests         148      152
Number of vulnerabilities detected:     129 k    295.8 k
  including critical                    27.0 k   34.2 k

Cybersecurity

  • 3-3

Protecting data and internal systems from the threats posed by cyber-attacks is an important part of PZU’s security management system. The most important goal of ensuring network security is to reduce the risk of cyber-attacks and effectively protect against unauthorized use of data and programs.

Best practices of PZU and PZU Życie

Cybersecurity

The cybersecurity management system in PZU SA and PZU Życie complies with the requirements of the ISO 27001 standard, the Information Security Management System standard renowned and recognized all over the world. IT security is considered one of the most significant challenges in the domain of modern technologies. Efforts focused on prioritizing the strategic objectives in this area within the PZU Group are aimed at responding to new threats, in terms of both organization and technology. Appropriate policies, procedures and detailed requirements are in place in all Group companies in order to ensure an adequate level of protection for clients’ information and data. A comprehensive multi-layer system to protect against cybersecurity threats functions in PZU and PZU Życie and is being constantly developed – new tools and competences are acquired on an ongoing basis.

Security tests

Rolling out and selling products and customizing the offer to evolving client needs is an enormous challenge for the PZU Group’s IT systems. For these changes to proceed smoothly and not to disrupt client service, the organization has crafted a recurring verification procedure embracing a broad set of tests and verification methods. This procedure guarantees early detection of threats and possible problems and supports their appropriate management.

Vulnerability assessment tests are conducted by the PZU Group on the company’s systems. Infrastructure vulnerability detection is an ongoing and automated process in which dedicated Vulnerability Assessment solutions are used. Security tests form part of the change, release and project management processes.

Opinion and coordination of the implementation of cloud-based solutions

On January 23, 2020, the Polish Financial Supervision Authority (Urząd Komisji Nadzoru Finansowego – UKNF) published an announcement regarding the processing of information by supervised entities in public or hybrid cloud computing. The Management Board of PZU designated the Security Department as the coordinating and competent unit for the approval of the implementation of cloud computing-based solutions.

In accordance with the guidelines of UKNF, procedures were adopted to standardize the process of classification and evaluation of information, and the process of risk estimation, i.e.:

  • procedure for classification and evaluation of information for the purpose of its cloud computing in PZU and PZU Życie;
  • procedure for estimating the risk of cloud computing in PZU and PZU Życie.

Periodical reporting to the Management Board was introduced, as part of quarterly information from the information security area, which includes a list of topics based on cloud solutions to which opinions were issued.

The implementation of the above-mentioned measures has helped to standardize the process of implementing cloud solutions, thus reducing the risk of non-compliance with UKNF guidelines and transparently informing the organization about the actions taken.

Effectiveness of the security management system in PZU and PZU Życie          2022    2023
Number of cloud computing-based solutions reviewed at PZU/PZU Życie              97     137
Number of processes requiring notification to the UKNF                            1       8

E-learning “Keep your data in the cloud, not your head – be compliant with regulations”   2023
Number of people trained                                                                 8,654
Comments: it is a mandatory training course in cloud computing for all employees of PZU SA and PZU Życie SA. The first edition of this course took place in October 2023, hence the lack of comparative data from previous periods.

Other security training and awareness activities for employees included:

  • Induction course – newly hired employees learned about security rules during the training, followed by the mandatory e-learning courses “GDPR” and “Information Security, Cybersecurity and Crime Prevention”;
  • Refresher course – for the employees of branches, claims handling and benefits units, and exclusive agents (i.e., in particular, those who process clients’ personal data);
  • Two educational campaigns featuring topics on new obligations under the Sanctions Policy, information security and cyber threats, including disinformation;
  • Online meeting with external experts, where examples of sociotechnical threats, including disinformation, and tips on how to avoid them were discussed;
  • Security information materials published on the PZU intranet.

An e-learning training course is planned for 2024 on the principles of security, information classification and secure data processing in publicly available artificial intelligence-based tools.

On-site training courses or webinars with a trainer on information security / personal data protection / cybersecurity at PZU SA and PZU Życie
                                         Number of trainings     Number of participants
                                         2022      2023          2022      2023
Implementation training for new hires      35        47           992     1,010
Refresher training                         16        67           586     1,894


GDPR e-learning              2022     2023
Number of people trained     1,396    1,389
Comment: it is a mandatory course. So far, only newly hired employees have undergone the training. However, it is planned that from 2024 refresher training in this area will be held at least once a year for all employees of PZU and PZU Życie.

“Information Security, Cybersecurity and Crime Prevention” e-learning course     2022     2023
Number of people trained                                                         1,468    1,271
Comment: it is a mandatory course. So far, only newly hired employees have undergone the training.

Security procedures in subsidiaries

Procedures to manage the security of IT processes have been implemented in PZU companies as well as in all foreign companies:

  • PZU Zdrowie Group has a regulatory package of security policies that includes requirements for IT processes;
  • Guidelines issued by KNF for the management of information technology and the security of the ICT environment at general pension companies have been implemented at PTE PZU;
  • Internal regulations have been implemented at TUW PZUW to support the process of ensuring the confidentiality, integrity and availability of information, as well as the implementation of obligations required by law and KNF guidelines.

In addition, TUW PZUW, using solutions developed by the PZU Group, applies a number of technological safeguards aimed at reducing the risks associated with loss of confidentiality, integrity or availability of information.

Security procedures in subsidiaries – banks

In Bank Pekao, in order to guarantee comprehensive measures in the area of personal data protection, there is an Information Security Policy, together with Information Security Policy Documents, and a number of internal regulations relating to specific areas of the bank’s operation. Directors of the Bank’s organizational units and owners of information are fully responsible for the organization, security and processing of personal data in the units that report to them. Employees, in turn, are required to process personal data in accordance with the authorization granted to them, based on the scope of activities specified for their position. The Bank has also implemented data protection rules on the use of technical and organizational measures to ensure the protection of processed data. An Operational Security Center (OCC) has been established, a unit that watches for unauthorized access to data (including personal data) and, through the systems in place at the Bank, prevents the leakage of such data.

At Alior Bank, there are strict security procedures in place that comply with legal and regulatory requirements to ensure the confidentiality, integrity and availability of processed information. The Security Policy in place, the standards and all procedures in this area are updated on an ongoing basis in response to changing market conditions in the field of cyber security, as well as new requirements and guidelines from regulators, including those resulting from Alior Bank’s obligations as a key service operator under the National Cyber Security System Act (implementing the requirements of the European IEC Directive, based on the requirements of the ISO/IEC 27001 standard). In 2023, Alior Bank’s key IT systems involved in the processing of client data and participating in the processing of financial transactions were subjected to in-depth security tests.

Good practices of subsidiaries

A “Cybersecurity on-premises Competence Center”, a security center for the local (on-premises) environment, was established at Alior Bank. Together with the existing “Cloud Security Competency Center”, it is intended to provide interdisciplinary IT and business support for the provision and maintenance of secure ICT solutions.

1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).