Information Security at Zurich
Zurich’s commitment to information security
At Zurich, protecting information and safeguarding the confidential data of all our stakeholders is a top priority. Our approach to information security is based on three key focus areas:
Maintaining a multi-layered security strategy that considers people, processes, technology and data.
Employing a risk-based approach that considers external and internal risks, looking at past, present and future threats.
Addressing the human element of cybersecurity with awareness and education activities for customers, employees and business partners.
Zurich maintains a global information security framework that includes Group policies and processes regarding data and information security and the usage of IT equipment and assets. This covers, for example, the use of email, social media and removable media, as well as physical security.
Zurich’s Group Chief Information Security Officer (GCISO) sets the overall strategy and security roadmap for the Group. The GCISO ensures that employees have the required security skills and knowledge and that regular forums track progress and ensure alignment across the organization. The GCISO reports to the Group Chief Information and Digital Officer, who is a member of the Executive Committee reporting to the Zurich Group CEO. The Group Chief Information and Digital Officer is the Group Executive Committee member responsible for information and cyber security.
Zurich’s Group Risk Management, Group Compliance, and Group Internal Audit functions provide independent challenge, analysis, advice, monitoring and assurance on cyber-risk matters and contribute to the overall strengthening of a risk-aware culture on information security and cyber-risk issues. External audits, regular third-party maturity assessments, and targeted deep dives are part of the overall assurance framework and strategy.
Zurich’s Group Cyber Security function has a regional and local presence that allows it to proactively address the rapidly changing nature of cyber and information security risk. The function has dedicated teams that perform key supporting roles in areas such as application security, business information security, cyber incident response, cyber threat operations and detection, information security governance, information security strategy, information security education and awareness, penetration testing, threat intelligence and vulnerability management.
Our information security policy is reviewed at least once annually, with standards and guidance updated every other year, or more frequently as necessary. Exceptions to policies or standards must be approved by senior management and are overseen or challenged as needed by the Group Cyber Security function.
Our approach to information security covers the following areas: