"Taking care of clients' data is one of our priorities. Due to the pandemic, we attached even greater importance to the confidentiality of the information we processed. As a Group, we care for the best possible relations with clients and for their trust and we respect their privacy. Therefore, we constantly take measures to improve the security of the personal data made available to us, which includes following the highest standards of information system protection."
Rafał Jeż, Director of the Security Department in PZU and PZU Życie
PZU Group’s policies [Accounting Act]
As IT security is of great importance to the PZU Group, it places strong emphasis on this area and treats it with particular thoroughness. Appropriate policies, procedures and detailed requirements are in place in all companies in order to ensure an adequate level of protection for clients' information and data. A comprehensive, multi-layered system of protection against cybersecurity threats operates in PZU and PZU Życie and is being constantly developed. To meet high information security standards, the cybersecurity management system in operation complies with the requirements of ISO/IEC 27001, the internationally recognized standard for Information Security Management Systems.
Further development of the security systems is scheduled, including production deployment of the IPS, automation of SOC processes through the purchase of a Security Orchestration, Automation and Response (SOAR) system, a review of the market for static and dynamic code analysis tools (SAST and DAST), and expansion of the existing and newly acquired security tools (e.g. privileged identity management (PIM), vulnerability assessment (VA) and endpoint detection and response (EDR)). Security is also to be strengthened by launching a threat hunting process, and new anti-phishing campaigns are scheduled together with other forms of education for PZU employees and agents.
The PZU Group ensures the security of the processed data and the protection of the personal data of its clients. It understands the complexity of the obligations following from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and makes sure all of its processes are compliant with the Regulation and local personal data protection regulations. The PZU Group expects an equally mature approach from its business partners.
Responsibility for the security area in PZU and PZU Życie rests with the Director of the Security Department, who reports directly to a Management Board member. In addition, a Director for Information Protection and a Data Protection Officer (DPO) have been appointed in PZU and PZU Życie. Structures responsible for the security of information processing, including personal data, have been established within the Security Department and support the performance of the DPO's tasks.
The purpose of the "Policy" is to ensure the security of protected information, including personal data, its physical security, the security of the IT systems and the continuity of operations. The Policy is also aimed at counteracting insurance crime, money laundering and the financing of terrorism, and at ensuring occupational safety and health.
Information security procedure
Activities under the information security procedure are aimed, inter alia, at protecting each piece of information in accordance with its assigned security level, controlling access to information, ensuring its integrity and availability, and preventing theft and unauthorized leakage of information. The document defines the rules for protecting and sharing information protected by law and for managing security risks.
Personal data protection procedure
The purpose of the regulations is to ensure the protection of the personal data processed by PZU and PZU Życie. The document defines, in particular, the rules for handling requests from data subjects, responding to security incidents, assessing and reporting breaches and selecting and auditing processors, as well as the role and tasks of the Data Protection Officer.
Risk assessment and personal data protection impact assessment procedure
The procedure describes the rules for conducting a risk analysis for personal data protection, including the privacy by design assessment, the assessment of whether the processing is likely to result in a high risk to the rights and freedoms of natural persons, and the data protection impact assessment (DPIA) itself.
In addition, the following procedures and rules are in place in PZU and PZU Życie:
PZU and PZU Życie exercise all diligence in taking care of information security and data protection. They have therefore committed to implement and follow the highest data protection standards and, to that end, have among other things put in place processes ensuring compliance with Articles 5 (Principles relating to processing of personal data) and 6 (Lawfulness of processing) of the GDPR. All personal data collected and processed by PZU and PZU Życie is obtained lawfully and transparently and, where consent is the legal basis for the processing, with the express consent of the data subject. The processes for obtaining consent ensure that the personal data is processed in compliance with Article 6 of the GDPR. Client personal data is collected, processed and transmitted in PZU and PZU Życie in compliance with law. Data subject to insurance secrecy is disclosed on the basis of Article 35 of the Insurance and Reinsurance Activity Act, which lists the entities and institutions to which such data may be made available.

External entities are entrusted with personal data processing on the basis of an agreement for entrusting personal data processing (the data processing agreement required by Article 28 of the GDPR). Where third parties are provided with protected information, it is standard practice to enter into a confidentiality agreement. Such an agreement includes, among other things, an undertaking to implement at least equivalent information protection measures, as well as a provision guaranteeing the right to conduct an audit.
In order to protect clients' privacy to the fullest extent, each person whose data is processed is entitled to access his or her personal data and to have it rectified, completed, modified or erased, and may also ask questions concerning privacy. Appropriate processes have been put in place for this purpose to ensure that the rights of data subjects defined in Articles 12 to 22 of the GDPR can be exercised.
Management information on the security of the processed data, covering the identified risks and vulnerabilities, is reported to the Management Boards of PZU and PZU Życie on a periodic basis and includes information on the fulfilment of the obligations set forth in Article 33 (Notification of a personal data breach to the supervisory authority) and Article 34 (Communication of a personal data breach to the data subject) of the GDPR. The companies monitor the data processing operations and the applied technical and organizational measures on an ongoing basis in order to identify opportunities to improve the security of the processed data.
Audits of processors (the business partners which PZU has entrusted with personal data processing) are conducted in PZU and PZU Życie on both a periodic and an ongoing basis. An audit verifies whether the processor's processing of the entrusted personal data complies with the GDPR and with the agreement for entrusting personal data processing. PZU and PZU Życie also audit processors at which security incidents have occurred. On the basis of the audits, recommendations for changes to processes or systems are issued to the relevant business owners.
Fulfilment of the duties of a personal data controller (PDC) and a data protection officer (DPO) set forth by law, monitoring of information security incidents, in particular relating to personal data and breaches reported to the President of the Personal Data Protection Office (PUODO), periodic data reporting to the Management Board of PZU and PZU Życie
Having regard to the security of the processed personal data and in order to guarantee compliance with the GDPR, a practice of periodic reporting to the Management Boards of PZU and PZU Życie has been established, covering information security incidents, in particular those relating to personal data, and breaches reported to PUODO. Ongoing monitoring, analysis and reporting of this data ensure the transparency and accountability of the process. Using the established mechanisms, the areas requiring changes are identified and recommendations for improving the security of personal data processing in these areas are issued.
The obligations imposed on the personal data controller and the data protection officer are complied with in the daily activity, which ensures compliance of the personal data processing with the laws.
The PZU Group works on a continuous basis for the strengthening of the functioning data protection system. In view of the above, steps will be taken in the future to maintain the quality of the carried out processes.
Rolling out and selling products and tailoring the offer to evolving client needs place considerable demands on the Group's information systems. To ensure that these changes proceed smoothly and do not disrupt client service, the organization has established a recurring verification procedure comprising a broad set of tests and verification methods. This procedure supports the early detection of threats and potential problems and their appropriate management.
To monitor and respond to cyberattacks and data breaches on an ongoing basis, PZU and PZU Życie use systems of the following classes: SIEM, IPS/IDS, firewalls (FW), Web Security Gateway, Email Security Gateway, sandbox, DNS firewall, antivirus (AV), EDR, WAF, database activity monitoring (DAM), privileged identity management (PIM), anti-DDoS and vulnerability assessment (VA).
The Group conducts vulnerability assessment tests on the company's systems. Infrastructure vulnerability detection is an ongoing, automated process that uses dedicated vulnerability assessment solutions. Security tests form part of the change, release and project management processes.
In line with the obligations set forth expressly in the GDPR, PZU and PZU Życie have implemented a documented process for fulfilling Article 35 (Data protection impact assessment) of the GDPR, which requires the controller to assess the impact of the envisaged processing on data protection where it is likely to result in a high risk, estimating in particular the origin, nature, particularity and severity of that risk.
With a view to complying with the GDPR, the following procedures have been introduced: the Rules for personal data processing risk management in PZU and PZU Życie and the Instruction (methodology) for identifying and assessing personal data processing risks in PZU and PZU Życie. Periodic reporting to the Management Boards of PZU and PZU Życie has also been introduced, covering the DPIAs conducted. Processes are monitored on an ongoing basis and the fulfilment of the issued recommendations is checked. Using the established mechanisms, the areas requiring changes are identified both at the design stage (privacy by design) and in respect of default settings (privacy by default), and recommendations for improving the security of personal data processing in these areas are issued. DPIAs are also conducted for existing processes, and the changes made and their impact on personal data processing are reviewed periodically.
These measures have made it possible to establish, using the Jira system, a regulated and tightened DPIA process fulfilling the controller's obligation under Article 35 (Data protection impact assessment) of the GDPR. Assessments of project deliverables in terms of their impact on data protection have been introduced in Jira. For data security reasons, the implementation of topics that have not been assessed for GDPR compliance is blocked. This multi-track assessment of the impact of processing on data protection ensures that personal data processing complies with the law. In 2020, 996 process elements were assessed, including 565 initiatives/topics, 416 sub-topics, 6 proof-of-concept operations, 11 analyses of ongoing processes and 33 full DPIAs.
In the future, the activities undertaken by the PZU Group will be oriented towards, among other things, conducting ongoing privacy by design and privacy by default analyses and an ongoing DPIA analysis on the basis of reported incidents. Update status checks will be conducted on the documentation regulating this process.
Process of issuing opinions on matters (including initiatives, documents, agreements, processes etc.) in terms of compliance with the applicable personal data protection laws, policies and procedures in place in PZU and PZU Życie and best market practices.
The process of issuing opinions in PZU and PZU Życie contributes to ensuring that data processing is lawful and accountable and that the privacy by design principle is implemented. It makes it possible to identify irregularities at an early stage and to align actions with the standards in force.
The process of issuing opinions covers all initiatives, documents, processes, agreements etc. in which a personal data related element is or may be present. To support the process, a dedicated e-mail box has been set up to which business units send their queries. Matters are assigned to employees specializing in particular data protection areas, and the issuing of an opinion ends with a recommendation that takes into account the applicable laws, the existing recommendations of the Personal Data Protection Office and best market practices. All matters on which opinions are issued are entered in a register in order to ensure accountability.
In 2020, opinions were issued in PZU and PZU Życie on a total of more than 1,700 matters. The process of issuing opinions enables the identification and correction of any irregularities and contributes to raising awareness of personal data protection and personal data processing security among employees.
Information security and cybersecurity are not just efficient systems and adequate procedures. Threat awareness and knowledge of the rules among employees and associates are of no less importance. Therefore, newly employed persons participate in onboarding training during which they are acquainted with the security principles, and then complete obligatory e-learning training. Refresher training courses are also conducted on an ongoing basis, along with internal information campaigns on information security, personal data protection and cybersecurity. These issues are most frequently addressed jointly, as they complement one another. In 2020, dedicated refresher training courses on these issues were conducted for employees and agents of particular units, mainly in the form of webinars. Their participants included employees of branches, exclusive agents, and staff of operation centers and centers for handling claims and benefits (i.e. persons involved in collecting, storing, processing and managing data). In spring 2020, when the organization started to shift to remote work as a result of the COVID-19 pandemic, employees were reminded of the principles of working outside the office, and in May an information campaign entitled "Don't be taken by surprise – be cyber-alert!" was organized. As part of the campaign, in addition to the publication of articles and advice, an on-line meeting with an external expert was held. It was devoted to cybersecurity, in particular the threats faced during the pandemic and while working outside the office.
In 2020, training of employees on the GoPhish phishing simulation platform (in use since 2018) was continued. The platform illustrates in an easy-to-understand way the threats posed by, among others, messages containing malicious elements or prompting recipients to open suspicious pages, and raises employee awareness in this respect.
Procedures to manage the security of information processes were implemented in PZU and Pekao Group companies as well as in several foreign companies. The "Package of regulations pertaining to personal data processing", including security policies containing requirements pertaining to IT processes, was implemented in the PZU Zdrowie Group. In turn, PTE PZU introduced the guidelines issued by KNF (Polish Financial Supervision Authority) concerning the management of areas involving information technology and ICT environment security in universal pension fund management companies. In Bank Pekao, in order to ensure that comprehensive actions are taken in the area of personal data protection, a number of internal regulations have been implemented covering the various areas of the bank's business. They include, among others, the "Information Security Policy along with Information Security Policy Documents", the security policy for the Bank's applications, the procedure to be followed by the Bank when examining requests from data subjects under the GDPR, the procedure for managing personal data protection breaches at the Bank, and provisions concerning the protection of electronic information. Stringent security procedures ensuring the confidentiality, integrity and availability of processed information are also in place throughout the Alior Bank Group. The security policy and all procedures in this area are updated on an ongoing basis in response to changing circumstances in the cybersecurity area and to new requirements and guidelines issued by the regulatory authorities. Alior Bank, as an operator of essential services under the Act on the National Cybersecurity System (which implements the requirements of the European NIS Directive), meets the high cybersecurity requirements following from the provisions of law and the recommendations of KNF. Additionally, the systems monitoring and protecting clients' financial assets in mobile banking (e.g. the FDS and Malware Shield, a proprietary solution developed by the bank's cybersecurity experts) were expanded in 2020.
In 2020, 400 personal data protection breaches in the PZU Group were reported to the President of the Personal Data Protection Office (PUODO), of which 212 breaches were recorded in PZU, 143 in PZU Życie, 21 in the Alior Group, 11 in the Pekao Group, 7 in LINK4 and 6 in PZU Zdrowie.
In 2020, 17 complaints against the activities of PZU and 4 complaints against PZU Życie were filed by external entities with the supervisory authority. In 2019, 8 complaints were filed against PZU and 2 against PZU Życie. In one of the 2020 cases, the supervisory authority issued a reprimand to PZU for a breach of Article 6(1) of the GDPR. In the remaining cases, the supervisory authority refused the request, discontinued the proceedings, or has not yet taken a decision.
Two training campaigns were conducted in 2020 in which employees who clicked the link in a specially prepared test e-mail were shown a training video produced by the Security Department explaining how to avoid such threats in the future. Additionally, employees had the opportunity to participate in a number of training courses, workshops and conferences and to obtain the following new certificates: SANS GIAC Certified Detection Analyst (GCDA), 210-250 SECFND Understanding Cisco Cybersecurity Fundamentals, Mile2 Certified Information Systems Security Officer (C)ISSO), Mile2 Certified Professional Ethical Hacker (C)PEH), and AttackIQ Academy Survey: Foundations of MITRE ATT&CK.
The data collected during the campaigns show that the anti-phishing effort must be kept up. Of the recipients who engaged with the test e-mail, as many as 43% clicked the link and 30% went on to enter their login credentials. In 2020, a dedicated e-learning course called the Phishing quiz was developed, showing how to distinguish safe messages from unsafe ones.
In 2020, the following were conducted: