For us “Cyber Security” means protecting our customers, our employees and the data of our business partners, guaranteeing the security of the company’s services and the continuity of our business activities. The current context, characterised by the ongoing evolution of cyber threats and the more stringent regulations imposed by the authorities, presents several major challenges to businesses. We are committed to guaranteeing that the Group is constantly equipped with appropriate security systems, thus becoming increasingly reliable for our stakeholders.
More specifically, we pledge to:
- protect the company’s services and strengthen its security standards
- define internal security regulations and monitor their implementation
- define a solid management process for IT risks
- ensure the implementation of security measures for the management of cyber threats
- raise awareness and understanding around the issue among all employees
We have therefore developed a strategy to continuously improve the Group’s security level, in four key areas:
The Generali Group has developed a long-term IT security program to address the cyber security issues analysed. This includes suitable countermeasures for specific situations. All projects defined and included in the program are regularly reviewed according to a schedule while the long-term strategy is reviewed annually.
The IT security program has been agreed upon by the Senior Management of the Group and the Board of Directors, having been previously reviewed by the Risk and Control Committee.
The Chief Information Security Officer is identified within the Group IT & Operations Risk & Security structure. To strengthen IT security risk management, the Group Risk Management Department has set up a unit specifically dedicated to monitoring and managing cyber risk. The unit is called “Group IT Risk Framework”.
We continue to strengthen our ability to prevent, identify and respond to potential cyber attacks, implementing the most innovative security solutions and constantly improving our response processes. Through the Security Operation Center (SOC) we are able to monitor all events recorded by our security solutions 24 hours a day, identify potential incidents and intervene with containment and remediation measures. We carry out internal and external vulnerability assessments every year in order to identify potential vulnerabilities in our systems, and we also test the response capabilities of our SOC through cyber attack simulations. All customer solutions, including those based on IoT technology, are carefully tested in terms of security.
We believe that the human factor is crucial to protecting our information. We have therefore developed an IT security awareness program for all our employees, which consists of various initiatives such as dedicated training courses, videos and ad hoc communications. Awareness-raising events have also been held both at company sites and online, with challenges like “Capture the Flag” and “Cyber Quiz” designed to increase the engagement of employees and promote best practices in IT security conduct. All of the material is available on the Group portal dedicated to employees. Some episodes are connected with specific information security areas, such as the classification of information, smartphone and tablet security, and social engineering.
Generali Shared Service, the company that provides IT services and infrastructures to the main Group countries, is certified according to the following standards:
1) ISAE 3402 Type 2 - Third party assurance report
2) ISO 27001 - Information security management system
We underwent an EY audit for the ISAE 3402 report and an audit by DNV GL for ISO 27001, as well as being regularly audited for the financial report.