Swiss Re has cyber risk on its radar and has implemented multiple layers of protection to minimise that risk. To that end, we maintain a Group-wide Cybersecurity Programme designed to protect the confidentiality, integrity and availability of data and IT systems. Our Cybersecurity Programme is based on the ISO 27001 standard for information security management, which covers the key areas of management, technical and physical controls, legal and compliance requirements, and business continuity management.
Effective governance of the programme is seen as crucial, which is why it is overseen by both the Group Chief Risk Officer and Group Chief Operating Officer, and is robustly implemented through a three-lines-of-defence model. Additionally, Swiss Re has a committee in place that provides Group-wide management oversight and direction in information security, cyber defence and data protection risks, with the Group Chief Information Security Officer ensuring that the Board of Directors is regularly informed on relevant matters.
A cyber risk assessment is conducted at least annually to inform senior management of the design and status of Swiss Re’s Cybersecurity Programme. The assessment allows controls to be revised in response to technological developments, evolving threats and changed cyber risk exposures. Areas identified as requiring improvement are addressed to enhance Swiss Re’s cybersecurity resilience.
Furthermore, Swiss Re issues an annual Service Organisation Controls (SOC) 2 report, which provides assurance to our clients that we provide our services in a reliable, secure and compliant manner. The SOC 2 report contains the opinion of an independent auditor who has tested the design and effectiveness of our controls according to international standards.