The risk pertaining to disclosure of personal data and data subject to insurance secrecy to unauthorized persons.

PZU and PZU Życie have implemented principles for client identification and provision of information depending on the client’s requests. In addition, access to personal data and data subject to insurance secrecy is granted only to authorized persons using the Central Information Security Management System (CSZBI). Additionally, PZU has implemented a DLP class monitoring system, which comprises appropriate rules minimizing the risk of disclosure of information, including personal data, to unauthorized persons. The companies regularly implement and update procedures and safeguards in electronic channels of communication with clients, thereby minimizing the risk of unauthorized disclosure of legally protected information.

Security policy of PZU SA and PZU Życie SA, Information Security Procedure in PZU SA and PZU Życie SA, Security procedure in the area of personal data protection in PZU SA and PZU Życie SA.

Security Policy

The main document that governs the security of information protected in PZU and PZU Życie, including personal data, physical security, security of IT systems and business continuity, is the “PZU SA and PZU Życie Security Policy”. It also pertains to the area of counteracting insurance crime, money laundering and the financing of terrorism as well as occupational safety and health.

Security Procedure

Activities following from the Procedure in the area of information security include ensuring the protection of all information in conformity with the relevant security level, ensuring information access control and the integrity and availability of information, and preventing theft and unauthorized outflows of information. The document defines the rules for protecting and sharing information protected by law and for managing security risks.

Best practices of PZU Group

Cybersecurity

The cybersecurity management system in PZU SA and PZU Życie complies with the requirements of the ISO 27001 standard, the Information Security Management System standard that is most widely recognized around the world. IT security is considered one of the most significant challenges in the domain of modern technologies. Efforts to prioritize the strategic objectives in this area within the PZU Group are aimed at responding to new threats, in terms of both organization and technology. Appropriate policies, procedures and detailed requirements are in place in all Group companies to ensure an adequate level of protection for clients’ information and data. A comprehensive multi-layer system protecting against cybersecurity threats operates in PZU and PZU Życie and is constantly being developed; new tools and competences are acquired on an ongoing basis.

Cyber security – Management Board oversight

Management Board member Ernest Bejda is in charge of the supervisory and security cell. He has many years of experience in this area. Prior to his employment in the PZU Group he worked in the General Customs Inspectorate in Warsaw, and then he ran his own advocate practice. He cofounded the Central Anti-Corruption Bureau in which he served as its Deputy Head (2006-2009), and then headed it up (2016-2020).

Effectiveness of the security management system in PZU and PZU Życie

| Indicator | 2021 | 2022 |
| --- | --- | --- |
| Number of potential infections blocked | > 14 thousand | > 7.5 thousand |
| Number of blocked connection attempts to send malicious emails | 132 million | 210 million |
| Number of high-risk attacks blocked | 200 thousand | 744 thousand |
| Number of blocked redirects to unsafe resources | > 3 million | > 1 million |
| Number of malicious emails blocked | > 1.3 million | 0.7 million |

Security management system in PZU and PZU Życie – selected activities

| Activity | 2021 | 2022 |
| --- | --- | --- |
| Number of analyses | 46 thousand | 70 thousand |
| Number of initiatives reviewed | 1.3 thousand | 1.2 thousand |
| Number of manual security tests | 173 | 148 |
| Number of vulnerabilities detected | 137 thousand | 129 thousand |
| – including critical | 27.4 thousand | 27.0 thousand |

Security tests

Rolling out and selling products and customizing the offer to evolving client needs is an enormous challenge for the Group’s information systems. For these changes to proceed smoothly and not to disrupt client service, the organization has crafted a recurring information procedure embracing a broad set of tests and verification methods. This procedure guarantees early detection of threats and possible problems and supports the appropriate management thereof.

Vulnerability assessment tests are conducted by the Group on the company’s systems. Infrastructure vulnerability detection is an ongoing and automated process in which dedicated Vulnerability Assessment solutions are used. Security tests form part of the change, release and project management processes.

Opinion and coordination of the implementation of cloud-based solutions

On 23 January 2020, the KNF Office (UKNF) published an announcement regarding the processing of information by supervised entities in public or hybrid cloud computing. By decision of the Management Board of 7 April 2020, the Security Department was designated as the coordinating and competent unit for approving the implementation of cloud computing-based solutions.

In accordance with the guidelines of the above-mentioned announcement, procedures have been adopted to standardize the process of classifying and evaluating information and the process of risk estimation, i.e.:
  • procedure for classification and evaluation of information for the purpose of its processing in cloud computing in PZU and PZU Życie,
  • procedure for estimating the risk of cloud computing in PZU and PZU Życie.

Senior executives (WKK) of PZU and PZU Życie have been briefed on the responsibilities of BBE and the responsibilities of business owners of cloud-based processes. The statuses for the WKK include information on current deployments as well as other relevant information related to the implementation of cloud solutions. In addition, cyclical reporting to the Management Board of PZU and PZU Życie has been introduced, as part of quarterly information from the information security area, which includes a list of topics based on cloud solutions that have been reviewed.

The implementation of the above-mentioned measures has helped to standardize the process of implementing cloud solutions, thus reducing the risk of non-compliance with UKNF guidelines and transparently informing the organization about the actions taken.

Implementation of cloud-based solutions at PZU and PZU Życie

| Indicator | 2021 | 2022 |
| --- | --- | --- |
| Number of cloud computing-based solutions reviewed at PZU SA/PZU Życie | 98 | 97 |
| Number of processes requiring notification to the UKNF | 0 | 1 |
  • Newly employed persons participate in onboarding training during which they are acquainted with security principles and then undergo obligatory e-learning training in this field. Refresher training courses are also conducted on an ongoing basis, along with internal information campaigns on information security, personal data protection and cybersecurity. These issues are most frequently raised jointly, as they complement one another;
  • Refresher training courses on these issues were conducted for employees and agents of units, mainly in the form of webinars. Their participants included employees of branches, claims handling and benefits units, and exclusive agents (i.e., in particular, those who process clients’ personal data);
  • informational materials – articles published on the PZU intranet on the subject;
  • internal information campaign – the theme of the campaign was cyber threats, related attacks, including social engineering, as well as information security and best practices to counter threats such as phishing, social engineering, dangerous links and attachments, and misinformation, among others;
  • online meeting with external experts – with examples of threats and the most common attacks and advice on how to avoid them;
  • educational animations (on the internal e-learning platform) – on current cyber threats, safe remote work and the quality of processed information.

E-learning trainings at PZU and PZU Życie – number of participants

| Training | 2021 | 2022 |
| --- | --- | --- |
| Information security, cybersecurity and crime prevention for new hires | 877 | 1,468 |

Onsite trainings or webinars with a trainer on the topics of information security/personal data protection/cybersecurity of PZU SA and PZU Życie

| Training | Number of trainings 2021 | Number of trainings 2022 | Number of participants 2021 | Number of participants 2022 |
| --- | --- | --- | --- | --- |
| Onboarding training for new hires | 37 | 35 | 842 | 992 |
| Refresher training | 38 | 16 | 3,619 | 586 |

Commentary on the 2021/2022 changes: the large number of refresher trainings in 2021 was related to the pandemic situation and the increased demand for webinars, which more employees could attend at the same time than in a classroom setting.

Best practices of PZU and PZU Życie

Training campaign

One GoPhish training campaign was conducted in 2022. Employees who accidentally clicked the link in a specially prepared e-mail were shown a training video produced by the Security Department explaining how to avoid such threats in the future. The results show that there is still a need for anti-phishing campaigns. In addition, since 2020, a dedicated e-learning course named Phishing quiz has been provided, showing how to distinguish between safe and unsafe messages. The training is mandatory for all staff who have clicked on links in fake e-mails.

Security procedures in subsidiaries

Procedures to manage the security of information processes were implemented in PZU companies as well as in all foreign companies:

A package of regulations pertaining to personal data processing, including security policies containing requirements pertaining to IT processes, was implemented in the PZU Zdrowie Group;

In turn, PTE PZU introduced the guidelines issued by the KNF (Polish Financial Supervision Authority) concerning the management of areas involving information technology and ICT environment security in universal pension fund management companies;

Internal regulations have been implemented at TUW PZUW to support the organization in the process of ensuring the confidentiality, integrity and availability of information, as well as the implementation of obligations required by law and KNF guidelines. Internal acts have implemented policies and procedures governing the area of information security and personal data, including information processing, security mechanisms, response to potential incidents, risk analysis, reporting and employee education. In addition, TUW PZUW, using solutions developed by the PZU Group, applies a number of technological safeguards aimed at reducing the risks associated with loss of confidentiality, integrity or availability of information. TUW PZUW implements training to continuously improve employees’ knowledge, including simulated phishing attacks. In order to achieve a high level of security, these tests use various attack techniques. The Director of the Security Department is responsible for the security area at TUW PZUW. Moreover, a Data Protection Officer (DPO) was appointed in TUW PZUW. The Security Department performs tasks related to ensuring information security and carrying out the tasks of a personal data controller. A Data Protection Officer has been appointed within the Compliance Office structure and monitors the organization’s compliance with the GDPR.

Security procedures in subsidiaries – banks

In Bank Pekao, in order to ensure that comprehensive actions are taken in the area of personal data protection, a number of internal regulations have been implemented related to the various areas of the bank’s business. They include, among others, the “Information Security Policy along with Information Security Policy Documents”, the “Security policy for applications in Bank Polska Kasa Opieki Spółka Akcyjna”, the “Procedure to be followed by Bank Polska Kasa Opieki Spółka Akcyjna when examining requests from data subjects under the GDPR”, the “Procedure for managing personal data protection breaches in Bank Pekao S.A.” and the “Protection of electronic information in Bank Polska Kasa Opieki S.A.”.

Throughout Alior Bank there are strict security procedures in place that comply with legal and regulatory requirements to ensure the confidentiality, integrity and availability of processed information. The implemented Security Policy, standards and all procedures in this area are updated on an ongoing basis in response to changing market conditions in the field of cyber security, as well as new requirements and guidelines from regulators, including those resulting from Alior Bank’s obligations as a key service operator under the National Cyber Security System Act (implementing the requirements of the European NIS Directive). In 2022, Alior Bank’s key IT systems involved in the processing of client data and participating in the processing of financial transactions were subjected to in-depth security tests.

Best practices of subsidiaries

A “Cloud Security Competency Center” has been established at Alior Bank to support the business in the secure use of new cloud-based solutions.

Security procedure in the area of personal data protection

The fundamental document governing the issues of personal data protection in PZU SA and PZU Życie is the “Personal Data Protection Procedure”. The document defines, in particular, the rules for processing personal data, accessing them, handling requests from data subjects, responding to security incidents, assessing and reporting breaches and selecting and auditing processors, as well as the role and tasks of the Data Protection Officer.

Additionally, in PZU and PZU Życie, this area is governed by a number of procedures and rules, in particular:

  • IT security risk management procedure;
  • Risk assessment and personal data protection impact assessment procedure in PZU SA and PZU Życie SA;
  • Management of anti-malware safeguards;
  • Rules for secure personal data processing;
  • Rules for managing IT infrastructure vulnerabilities and security tests;
  • IT security rules – IT Security Management System;
  • Classification of information and security levels at PZU SA and PZU Życie SA.

GDPR*

PZU and PZU Życie act with all diligence in taking care of information security and data protection in compliance with the GDPR. Client personal data is collected, processed and transmitted in PZU and PZU Życie in compliance with law. Data which is subject to insurance secrecy is made available on the basis of Article 35 of the Insurance and Reinsurance Activity Act which provides the list of the entities and institutions to which data may be made available. External entities are entrusted with personal data processing on the basis of an agreement for entrusting the processing of personal data. Where third party entities are provided with protected information, it is a standard practice to enter into a confidentiality agreement. The content of such an agreement includes, among other things, an undertaking to implement at least the same measures to ensure the protection of information, as well as a provision guaranteeing a possibility of conducting an audit.

* from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR)

In order to maintain the highest privacy of clients, each person whose data is processed is entitled to access data and to erase, rectify, complete or modify his or her personal data, as well as has a possibility to ask questions concerning privacy. Appropriate processes have been put in place for this purpose, which ensure the exercise of the rights of data subjects, as defined in Articles 12 to 22 of the GDPR.

Audits of entities that have been entrusted with personal data processing are conducted by PZU and PZU Życie on a regular basis. During an audit it is verified whether the processing of the entrusted personal data by the processor complies with the GDPR and the agreement for entrusting personal data processing. PZU and PZU Życie also conduct audits of the processors in the case of which security incidents have occurred. Recommendations for changing processes or systems for particular business owners are issued on the basis of audits.

  • 2-16

Data Protection Officer

  • Fulfilment of the duties of a personal data controller (PDC) and a data protection officer (DPO) set forth by law, monitoring of information security incidents, in particular relating to personal data and breaches reported to the President of the Personal Data Protection Office (PUODO), periodic data reporting to the Management Board of PZU and PZU Życie.
  • Cyclical reporting to the Management Board – as part of implementing procedures, cyclical reporting to the management boards of PZU and PZU Życie is conducted, including data on information security incidents. The management information concerning the security of the processed data, in terms of the identified risks and vulnerabilities, includes data on information security incidents, particularly in the area of personal data protection, including information on the fulfilment of the obligations set forth in Article 33 (Notification of a personal data breach to the supervisory authority) and Article 34 (Communication of a personal data breach to the data subject) of the GDPR. The ongoing monitoring of data processing, together with data analysis and reporting, guarantees transparency and accountability. Using the established mechanisms, the areas requiring changes are identified and recommendations for improving the security of personal data processing in these areas are issued.

Data protection impact assessment (DPIA)

Following the obligations set forth expressly in the GDPR, processes have been implemented in PZU and PZU Życie which guarantee a documented process relating to the carrying out of the provisions of Article 35 (Data protection impact assessment) of the GDPR, requiring companies to assess the data protection impact in order to estimate, in particular, the source, nature, specifics and seriousness of the risk.

GDPR – implemented procedures

  • rules for risk management of personal data processing in PZU and PZU Życie;
  • instruction (methodology) for conducting identification and risk assessment of personal data processing in PZU and PZU Życie;
  • periodic reporting to the Management Boards of PZU and PZU Życie, encompassing data concerning the conducted DPIA analyses;
  • monitoring of processes on an ongoing basis and checking the fulfilment of the issued recommendations.

Opinion issuing process

Internal documents, contracts and processes are reviewed in terms of compliance with the applicable provisions on the protection of personal data, judicial rulings, administrative decisions, regulations adopted by PZU and PZU Życie and best market practices.

Number of analyzed processes related to data processing in PZU SA and PZU Życie

| Category | 2021 | 2022 |
| --- | --- | --- |
| Initiatives | 823 | 674 |
| Subthemes | 1,235 | 935 |
| Proof of Concept | 8 | 8 |
| Data Protection Impact Assessment – new processes | 42 | 24 |
| Assessment – existing processes | 10 | 4 |

The implementation of the opinion issuing process by PZU and PZU Życie has contributed to ensuring compliance of the Group’s data processing operations with the applicable laws, accountability and the implementation of the privacy by design principle. It makes it possible to identify irregularities at an early stage and to adapt actions to the standards in force.

The implemented opinion issuing process encompasses the rollout of new functionalities or changes in the existing functionalities of IT systems, internal documents, processes and contracts in which a personal data related element is or may be present. For this process to be carried out in the best possible way, a dedicated e-mail box has been set up to which queries from business units are sent. Matters are assigned to employees specializing in various data protection areas. The opinion issuing process ends with the issuing of a recommendation in compliance with the applicable provisions on the protection of personal data, judicial rulings, administrative decisions, regulations adopted by PZU and PZU Życie and best market practices. All matters on which opinions are issued are entered in a register in order to ensure accountability.

  • 418-1

Data protection violations reported to PUODO by PZU Group entities

| Entity | 2021* | 2022 |
| --- | --- | --- |
| PZU Group, including: | 1,211 | 1,053 |
| – PZU | 404 | 198 |
| – PZU Życie | 186 | 84 |

* corrected data

Number of complaints about PZU’s operations filed by external entities with PUODO

| Entity | 2021 | 2022 |
| --- | --- | --- |
| PZU | 7 | 13 |
| PZU Życie | 5 | 4 |

Commentary: in 2022, the number of complaints filed against the activities of PZU and PZU Życie by external entities with the supervisory authority was 13 and 4, respectively. In 2022, the supervisory authority issued 16 decisions on complaints filed by external parties in 2022 and in previous years (14 decisions in PZU cases and 2 decisions in PZU Życie cases). The supervisory authority issued 7 reprimands for breaches of Article 6(1) of the GDPR (6 to PZU and 1 to PZU Życie). In the remaining cases, the supervisory authority refused to grant the request, discontinued the proceedings, or has not yet taken a decision.