Issues relating to information security are treated in the PZU Group with great diligence and attention. A multi-layer system of protection against cybersecurity threats operates across the company and continues to be developed.
In 2018 a special training platform called GoPhish was launched. It explains in an easy-to-understand way the threats posed by, among others, messages that contain malicious elements and prompt people to open suspicious pages. In addition, two campaigns were organized in which the Security Department’s training film, with information on how to avoid those threats in the future, was shown to employees who inadvertently opened a link in pre-prepared messages.
In 2018 a contract was executed to buy Infoblox technology for monitoring and protecting the DNS (Domain Name System) channel. The WAF (Web Application Firewall) system, used to protect web applications, was also expanded, as was the PIM (Privileged Identity Management) system, used to manage privileged accounts and monitor the actions of privileged users and external suppliers in information systems. The PIM system provides accountability for access to systems, in particular where shared accounts are used.
Procedures to manage the security of information processes were implemented in PZU, Pekao Group companies and in several foreign companies. A package of regulations pertaining to personal data processing, including security policies containing requirements pertaining to IT processes, was implemented in PZU Zdrowie and its subsidiaries. In turn, PTE PZU introduced the guidelines issued by the Polish FSA concerning the management of areas involving information technology and ICT environment security in universal pension fund management companies.
1,296 incidents of providing data without an entity’s consent in the PZU Group companies were registered in 2018. 771 of these cases occurred in the Pekao Group, 457 in Link4, 19 in the Alior Group, 41 in the foreign companies and eight in the other Group companies, including PZU, PZU Życie and PZU Zdrowie and its subsidiaries. These incidents concerned the disclosure of personal data and data subject to banking or insurance secrecy to unauthorized persons. They were related to e-mail correspondence being sent to an incorrect address and so reaching unauthorized persons, and in most cases they resulted from human error.
Three grievances were lodged by external entities in 2018 with PZU and PZU Życie. The grievances were for the provision of data without an entity’s consent and were recognized by the organization.
All the incidents were analyzed to improve processes.
Cybersecurity in 2018:
Combating new forms of internet attacks calls for constantly refreshing knowledge. That is why the employees responsible for PZU’s information security are continuously honing their skills. PZU experts participated in 11 training courses, 10 conferences and two workshops in 2018. The following certifications were obtained: Certified Ethical Hacker, Continuous Monitoring Certification (GMON), Cisco CCNA Cyber Ops.
Tests of IT systems
Rolling out and selling products and customizing the offer to evolving client needs is an enormous challenge for the Group’s information systems. For these changes to proceed smoothly and not to disrupt client service, the organization has crafted a recurring information procedure embracing the widest possible set of tests and checks. This procedure guarantees early detection of threats and possible problems and supports the appropriate management thereof.