close

Navigation Map

Download our best practices
Interactive navigation is a tool that goes beyond the standard navigation of the integrated content (available in the report drop-down bar). New approach allowed to navigate in the two additional business dimensions of the PZU Group, i.e .:
  • strategy (insurance, health, investments, finances);
  • sustainable development (sales, employees, social responsibility, natural environment and ethics).
The above-mentioned areas were additionally supplemented with related GRI indicators, within each selected issue.
Employees
Society
Ethics
Environment
Products
Overview
Health
Banking
Investments
Insurance
Business
practices
Non-financial data
Strategic data

In the Chapter

PZU Group Overview
PZU Group’s financial effectiveness
Business model [UoR] [IIRC]
PZU Group’s value creation model
Structure of the PZU Group
Non-life insurance (PZU, LINK4 and TUW PZUW)
Life insurance (PZU Życie)
Banking (Bank Pekao, Alior Bank)
Mutual funds and Employee Capital Schemes (TFI PZU)
International operations
Medical services (Health)
Pension funds (PTE PZU)
Other operating areas

GRIs

102-7 Scale of the reporting organization
201-1 Direct economic value generated and distributed

In the Chapter

Employee issues
Human Capital Management
Working conditions
Employee development
Knowledge sharing

GRIs

102-8 Data pertaining to employees and other persons working for the organization
103-2 Approach to management and its elements
401-1 New employee hires and employee turnover
403-2 403-2 Rate for injury, occupational diseases, lost days, and absenteeism, and number of work-related fatalities
404-1 Average number of hours of training per year per employee
404-2 Managerial skill development and continuing education programs supporting continuity of employment of employees and facilitating the retirement process
404-3 Percentage of employees subject to regular assessments of work quality and professional development reviews, by gender and employment category
G4-FS16 Initiatives to enhance financial literacy by type of beneficiary

In the Chapter

PZU Group’s social commitment
Safety
Health
Cultural patronage
Improvement of living conditions in local communities

GRIs

102-12 Externally developed economic, environmental and social charters, principles, or other initiatives to which the organization subscribes or which it endorses
103-2 Approach to management and its elements

In the Chapter

Business in the face of climate change
Direct environmental impact

GRIs

103-2 Approach to management and its elements
301-1 Raw materials/materials used by weight and volume
302-1 Energy consumption by the organization, taking into account the types of raw materials
302-4 Reduction of consumption of energy
303-1 Total water consumption by source
305-1 Total direct GHG emissions (Scope 1)
305-2 Electricity indirect GHG emissions (Scope 2)
305-3 Other indirect GHG emissions (Scope 3)
305-4 GHG emissions intensity
307-1 Cash value of penalties and total number of non-financial sanctions for non-compliance with the law and/or regulations on environmental protection

In the Chapter

Ethical foundations of business operations
Corporate governance and risk management, giving consideration to ESG and climate factors
Preventing corruption and conflict of interests
Diversity and respecting human rights
Whistleblowing system
Transaction security
Cooperation with supplier

GRIs

102-5 Organization’s form of ownership and legal form
102-9 Description of the supply chain
102-11 Explanation of whether and how the precautionary principle is addressed by the organization
102-12 Externally developed economic, environmental and social charters, principles, or other initiatives to which the organization subscribes or which it endorses
102-15 Description of key impacts, opportunities and risks
102-16 Organization’s values, code of ethics, principles and norms of behavior
102-17 Internal and external mechanisms making it possible to obtain advice regarding the behaviors in ethical and legal issues and issues associated with the organization’s integrity
102-18 Organization’s supervisory structure along with the commissions that report to the highest supervisory body
103-2 Approach to management and its elements
103-3 Evaluation of the approach to management
205-1 Actions assessed in terms of threats associated with corruption
205-2 Communication and training on anti-corruption policies and procedures in the organization
205-3 Confirmed cases of corruption and actions taken
206-1 Legal steps taken against the organization for cases of violating the principles of free competition and monopolistic practices
405-1 Composition of supervisory bodies and employees broken down into employee groups by gender, age and other diversity factors
406-1 Total number of discrimination cases and corrective measures taken in this regard
419-1 Non-compliance with the law and socio- economic regulations

In the Chapter

PZU Group’s new operating model
Insurance
Health
Banking and strategic partnerships
Management of the PZU Group’s brands
Client at the center of attention
Innovations
Responsible sales
Cybersecurity

GRIs

103-2 Approach to management and its elements
G4-FS13 Access points to sparsely populated areas that are less economically developed
G4-FS14 Initiatives undertaken to improve access to financial services for disfavored persons
G4-FS15 Policies for the fair design and sale of financial products and services
417-1 Internal requirements concerning the labeling of products and services and information regarding them
417-2 Incidents of non-compliance with regulations and voluntary codes concerning the labeling of products and services and information regarding them
417-3 Incidents of non-compliance with regulations and voluntary codes concerning marketing communications
418-1 Substantiated complaints regarding breaches of client privacy and data loss

In the Chapter

Operating model
PZU Group’s financial effectiveness
Digitization – the future of insurance undertakings
Client at the center of attention
Innovations
Responsible sales
Cybersecurity
Climate
Business in the face of climate change
Direct environmental impact
Employee
Working conditions
Employee development
Knowledge sharing
Risk and ethics
Safety
Corporate governance and risk management, giving consideration to ESG and climate factors
Preventing corruption and conflict of interests
Diversity and respecting human rights
Whistleblowing system
Transaction security
Cooperation with suppliers
Dialogue with the environment
Risk appetite
PZU Group’s risk profile
Reinsurance operations
Business
Polish and Baltic States insurance sector compared to Europe
Non-life insurance (PZU, LINK4 and TUW PZUW)
Life insurance (PZU Życie)
International operations
Insurance
Contribution made by the market segments to the consolidated result

In the Chapter

Operating model
Client at the center of attention
Responsible sales
Climate
Direct environmental impact
Employee
Working conditions
Employee development
CSR
PZU Group’s social commitment
Risk and ethics
Ethical foundations of business operations
Corporate governance and risk management, giving consideration to ESG and climate factors
Diversity and respecting human rights
Whistleblowing system
Transaction security
Market
Polish banking sector compared to Europe
Banking (Bank Pekao, Alior Bank)
Banking and strategic partnerships
Risk appetite
PZU Group’s risk profile
Business
Contribution made by the market segments to the consolidated result
Banking sector on the Warsaw Stock Exchange

In the Chapter

Operating model
Client at the center of attention
Climate
Business in the face of climate change
Employee
Working conditions
Risk and ethics
Ethical foundations of business operations
Diversity and respecting human rights
Business
Situation on the financial markets
Banking (Bank Pekao, Alior Bank)
Mutual funds and Employee Capital Schemes (TFI PZU)
Contribution made by the market segments to the consolidated result

In the Chapter

Operating model
Client at the center of attention
Health
Employee
Working conditions
Employee development
Risk and ethics
Diversity and respecting human rights
Whistleblowing system
Business
Medical services (Health)

In the Chapter

Operating model
Client at the center of attention
Innovations
Responsible sales
Cybersecurity
Climate
Business in the face of climate change
Direct environmental impact
Employee
Working conditions
Employee development
Knowledge sharing
CSR
PZU Group’s social commitment
Safety
Health
Improvement of living conditions in local communities
Risk and ethics
Ethical foundations of business operations
Corporate governance and risk management, giving consideration to ESG and climate factors
Preventing corruption and conflict of interests
Diversity and respecting human rights
Transaction security
Cooperation with supplier
Dialogue with the environment
a a a

Cybersecurity

Annual Report 2019 > Cybersecurity
Facebook Twitter All
Integrated Navigation
Insurance
Health
Investments
Banking
Best Pratices in PZU
Compare

We protect personal data - “everyone’s personal data, in particular the data of our clients, employees, business partners and users of our websites – are subject to strict protection. This pertains to all data facilitating the identification of a given person. The regulations of the personal data protection law apply to every work position and all information systems which employees use. Only those persons obtain access to such data if they need it on account of the work they do.”

“Data pertaining to our relations with clients, their identity and financial situation have become extremely sensitive in the modern world. The security of such data must be protected at all costs, and clients should be informed about procedures that safeguard data confidentiality at every opportunity. We exercise extreme care with regard to the flow of information through our website to ensure that confidentiality of relations with all our clients is fully guaranteed. We deploy the most stringent IT system protection standards set by Polish, European and global regulations.”

Tomasz Cichoń, Director of Security Office in PZU and PZU Życie

PZU Group’s Policies [UoR]

The issue of IT security is treated by the PZU Group extremely seriously. A multiple-layer system to protect against cybersecurity threats functions across the company and is being developed. In some companies, various internal procedures are implemented additionally. For instance, at Pekao Faktoring, Medica and REVIMED, the IT process security management procedure is in place.

In 2018 a special training platform called GoPhish was launched. It explains in an easy to understand way the threats following from messages, among others, containing malicious elements and prompting people to open suspicious pages. In 2019, this training ws continued.

In 2019, we managed to prevent:

approx. 25 thousand potential infections;

more than 198 million attempts of making a connection to send malicious e-mails;

more than 882 thousand high risk attacks;

references to more than 8.5 million dangerous resources.

Additionally:

more than 2.3 million malicious e-mails were blocked;

40 thousand analyses were carried out;

599 initiatives were opined;

183 manual safety tests were conducted;

300 thousand vulnerabilities to threats were detected, including 28 thousand critical cases.

In the future, further development of security systems is scheduled, including production deployment of the IPS, automation of SOC processes through the purchase of a Security Orchestration Automation and Response (SOAR) system, review of the market for static and dynamic code analysis tools, expansion of existing and acquired security tools (e.g. PIM, VA, EDR), as well as the conduct of new anti-phishing campaigns and other forms of education for PZU employees and agents.

BEST PRACTICE

Four training campaigns were conducted in which employees who accidentally clicked the link in a specially prepared e-mail were shown a training video produced by the Security Department presenting information on how to avoid such threats in the future. Furthermore, employees had the opportunity to participate in a number of training courses, workshops and conferences and obtain new certifications (SANS GMON, Certified Information Security Manager – CISM).

According to data collected during the campaign, it is necessary to keep the anti-phishing effort up and running. Among the persons interested in the content of the test e-mail, as many as 88% clicked on the link and 67% provided their login details.

In 2019, the following were conducted:

BEST PRACTICE

CyberSec – cybersecurity conferences

The purpose of these events is to build awareness of the risks and costs associated with online threats at the time of accelerating digital transformation and the technological revolution that alters the operation of all branches of the economy and areas of social life. Security incidents are a threat to client confidence. On the other hand, addressing this issue properly may give the company a competitive advantage.

PZU, as an experienced player in the financial sector, approaches innovation in a special manner, taking into consideration the issues of security and confidence.

Every year, PZU supports, in terms of organization and content, cybersecurity conferences held by the Kosciuszko Institute Association.

In 2019, the following conferences were held:

  • CyberSec – Brussels Leaders’ Foresight 2019 in Brussels;
  • CyberSec CEE 2019 in Katowice.

During these conferences, discussion panels were held to focus on various issues, including the protection of digital democracies, anti-drone defense, IIoT security, digital transformation of financial services, threats arising from the use of artificial intelligence, support for the creation of the European cybersecurity system, building awareness of the threats among governments, international organizations and key private sector entities, and others.

During the event in Katowice, the participants signed a declaration outlining 10 recommendations on how to secure global digital DNA. PZU representatives participated in these panel discussions.

Procedures to manage the security of information processes were implemented in PZU and Pekao Group companies as well as in several foreign companies. A package of regulations pertaining to personal data processing, including security policies containing requirements pertaining to IT processes was implemented in the PZU Zdrowie Group. In turn, PTE PZU introduced the guidelines issued by the Polish FSA concerning the management of areas involving information technology and ICT environment security in universal pension fund management companies.

In 2019, a total of 3,705 incidents of personal data leakage were recorded across the PZU Group, of which 1,632 in LINK4, 1,368 in PZU, 387 in PZU Życie, 95 in the Pekao Group, 71 in the Alior Group, 42 in the PZU Zdrowie Group, 70 in foreign companies and 40 in the rest companies of the Group. 678 incidents of providing data without an entity’s consent in the PZU Group companies were registered in 2018. 613 of these cases occurred in LINK4, 27 in the Alior Group, 5 in the PZU Zdrowie Group, 2 in the Pekao Group, 28 in foreign companies, 2 in PZU Życie and 1 in PZU SA. These incidents concerned the disclosure of personal data and data subject to banking or insurance secrecy to unauthorized persons. They were related to sending e-mail correspondence to an improper address to unauthorized persons and in most cases they resulted from human errors. The number of cases reported with respect to LINK4 results from the nature of this sales channel – the direct channel handles personal data provided by clients – a large percentage of incidents was related to errors in the e-mail addresses provided by clients. The increase in the number of security breaches in LINK4 compared to the previous year resulted from the greater awareness of employees and proved the effectiveness of training in personal data protection.

Three grievances were lodged by external entities in 2018 with PZU and PZU Życie. The grievances were for the provision of data without an entity’s consent and were recognized by the organization. In 2019, a total of 8 grievances were submitted to PZU by external entities, while PZU Życie received 3 grievances from external entities. All the incidents were analyzed to improve processes. According to the outcome of internal investigations conducted in PZU, 3 cases of data disclosure were confirmed where no consent of the data subject was obtained and yet the data were disclosed to a third party.

Tests of IT systems


Rolling out and selling products and customizing the offer to evolving client needs is an enormous challenge for the Group’s information systems. For these changes to proceed smoothly and not to disrupt client service, the organization has crafted a recurring information procedure embracing a broad set of tests and verification methods. This procedure guarantees early detection of threats and possible problems and supports the appropriate management thereof.