We protect personal data - “everyone’s personal data, in particular the data of our clients, employees, business partners and users of our websites – are subject to strict protection. This pertains to all data facilitating the identification of a given person. The regulations of the personal data protection law apply to every work position and all information systems which employees use. Only those persons obtain access to such data if they need it on account of the work they do.”
“Data pertaining to our relations with clients, their identity and financial situation have become extremely sensitive in the modern world. The security of such data must be protected at all costs, and clients should be informed about procedures that safeguard data confidentiality at every opportunity. We exercise extreme care with regard to the flow of information through our website to ensure that confidentiality of relations with all our clients is fully guaranteed. We deploy the most stringent IT system protection standards set by Polish, European and global regulations.”
The PZU Group treats IT security extremely seriously. A multi-layer system of protection against cybersecurity threats operates across the company and is being developed further. Some companies additionally implement their own internal procedures; for instance, Pekao Faktoring, Medica and REVIMED have an IT process security management procedure in place.
In 2018 a special training platform called GoPhish was launched. It explains in an easy-to-understand way the threats posed by messages that, among other things, contain malicious elements or prompt people to open suspicious pages. In 2019, this training was continued.
In 2019, we managed to prevent:
approx. 25 thousand potential infections;
more than 198 million connection attempts made to send malicious e-mails;
more than 882 thousand high-risk attacks;
references to more than 8.5 million dangerous resources.
In the same period:
more than 2.3 million malicious e-mails were blocked;
40 thousand analyses were carried out;
599 initiatives were opined on;
183 manual security tests were conducted;
300 thousand vulnerabilities were detected, including 28 thousand critical cases.
In the future, further development of security systems is scheduled, including production deployment of the IPS, automation of SOC processes through the purchase of a Security Orchestration Automation and Response (SOAR) system, review of the market for static and dynamic code analysis tools, expansion of existing and acquired security tools (e.g. PIM, VA, EDR), as well as the conduct of new anti-phishing campaigns and other forms of education for PZU employees and agents.
Four training campaigns were conducted in which employees who accidentally clicked the link in a specially prepared e-mail were shown a training video produced by the Security Department presenting information on how to avoid such threats in the future. Furthermore, employees had the opportunity to participate in a number of training courses, workshops and conferences and obtain new certifications (SANS GMON, Certified Information Security Manager – CISM).
The data collected during the campaign show that the anti-phishing effort must be kept up. Among the persons who took an interest in the content of the test e-mail, as many as 88% clicked the link and 67% provided their login details.
In 2019, the following were conducted:
CyberSec – cybersecurity conferences
The purpose of these events is to build awareness of the risks and costs associated with online threats at the time of accelerating digital transformation and the technological revolution that alters the operation of all branches of the economy and areas of social life. Security incidents are a threat to client confidence. On the other hand, addressing this issue properly may give the company a competitive advantage.
PZU, as an experienced player in the financial sector, approaches innovation in a special manner, taking into consideration the issues of security and confidence.
Every year, PZU supports, in terms of organization and content, cybersecurity conferences held by the Kosciuszko Institute Association.
In 2019, the following conferences were held:
During these conferences, discussion panels were held to focus on various issues, including the protection of digital democracies, anti-drone defense, IIoT security, digital transformation of financial services, threats arising from the use of artificial intelligence, support for the creation of the European cybersecurity system, building awareness of the threats among governments, international organizations and key private sector entities, and others.
During the event in Katowice, the participants signed a declaration outlining 10 recommendations on how to secure global digital DNA. PZU representatives participated in these panel discussions.
Procedures to manage the security of information processes were implemented in PZU and Pekao Group companies as well as in several foreign companies. A package of regulations pertaining to personal data processing, including security policies containing requirements pertaining to IT processes was implemented in the PZU Zdrowie Group. In turn, PTE PZU introduced the guidelines issued by the Polish FSA concerning the management of areas involving information technology and ICT environment security in universal pension fund management companies.
In 2019, a total of 3,705 incidents of personal data leakage were recorded across the PZU Group, of which 1,632 in LINK4, 1,368 in PZU, 387 in PZU Życie, 95 in the Pekao Group, 71 in the Alior Group, 42 in the PZU Zdrowie Group, 70 in foreign companies and 40 in the remaining Group companies. In 2018, 678 incidents of providing data without an entity’s consent were registered in the PZU Group companies: 613 of these cases occurred in LINK4, 27 in the Alior Group, 5 in the PZU Zdrowie Group, 2 in the Pekao Group, 28 in foreign companies, 2 in PZU Życie and 1 in PZU SA. These incidents concerned the disclosure of personal data, and of data subject to banking or insurance secrecy, to unauthorized persons. They involved e-mail correspondence sent to an incorrect address, and thus to unauthorized persons, and in most cases resulted from human error. The number of cases reported for LINK4 follows from the nature of its sales channel: the direct channel handles personal data provided by clients, and a large percentage of incidents was related to errors in the e-mail addresses the clients themselves provided. The increase in the number of security breaches recorded in LINK4 compared to the previous year resulted from greater employee awareness and demonstrated the effectiveness of training in personal data protection.
Three grievances were lodged by external entities in 2018 with PZU and PZU Życie. The grievances were for the provision of data without an entity’s consent and were recognized by the organization. In 2019, a total of 8 grievances were submitted to PZU by external entities, while PZU Życie received 3 grievances from external entities. All the incidents were analyzed to improve processes. According to the outcome of internal investigations conducted in PZU, 3 cases of data disclosure were confirmed where no consent of the data subject was obtained and yet the data were disclosed to a third party.
Rolling out and selling products and tailoring the offer to evolving client needs is an enormous challenge for the Group’s information systems. So that these changes proceed smoothly and do not disrupt client service, the organization has established a recurring procedure that covers a broad set of tests and verification methods. This procedure ensures early detection of threats and potential problems and supports their appropriate management.