Our ambition is to be the security leader in the re/insurance industry. One key element for our strategy is to be close to the business. We need to be at the table early and participate in discussions, negotiations, and project implementations. We also have to decide what to do in-house and what to buy as a service. For instance, we don’t want to do first-level support for incident management in-house anymore. We focus on second- and third-level support that requires skilled security engineers. To attract the best talent, we must continue to create an inspiring work environment where people can grow and constantly learn – for example by giving them challenging tasks with clear responsibilities and fast decision processes. Our agile transformation process allows us to provide such an environment and to give our people a space where they can thrive and lead in a shared leadership.
This can be a challenge as we compete with different industry players (e.g. big tech companies). Despite Swiss Re being a tech- and data-driven risk knowledge company, we needed to start building a tech brand. To gain the attention of the best talent, we must share authentic and relevant content, communicate our purpose, show what impact people can have at Swiss Re, and let candidates experience our activities around data, resilience, partnerships, and leadership. Also important are so-called network referrals, which are highly effective since candidates trust friends. Scarce talent does not react to LinkedIn or recommendations from unknown people. Once in the company, you need to retain them. Here we realised that, besides offering an inspiring and learning environment, people are also looking for clear career and development opportunities. Being a large security organisation with various capabilities, this is something we can offer.
The pandemic has shown that for certain jobs it does not matter where people are located. Collaboration happened regardless of where people were sitting. However, issues can arise from a legal and labour law perspective. This must be carefully looked at.
Reporting lines matter. In the past, the CISO at Swiss Re reported to the head of the IT department. With the creation of the CSO organisation in 2021, combining cyber and physical security, the Chief Security Officer reports directly to the Group COO, which helps a lot. I am a member of the tech management board where all key technology projects are evaluated and discussed. In addition, we have a strong digital governance framework that allows us to check all new and enhanced digital solutions prior to roll-out from many different aspects such as architecture, sourcing, data management, legal and ethics, and of course security. Thereby, we own the security gate where we advise and control what is going on. Besides the exchange on technology-related topics, we also have a cyber council where all experts from the different divisions (e.g. also from the cyber insurance side) discuss relevant cyber topics. All these various bodies allow us to get a good understanding of what is going on in the organisation and to be at the table at an early stage. And we can make sure that the business leaders have security on their mind when launching new initiatives.
Today, risk engineers and underwriters have access to much more data and therefore better insights into a company’s security profile than previously. This helps them to calculate the risk premiums for policies more accurately and allows them to see where a company needs to improve its maturity around security. As part of insuring an organisation, insurers can impose certain standards on clients, and the overall security maturity of the insured organisations can be increased. We see that the cyber defence of large corporations is typically stronger than that of smaller and medium-sized companies – which results in fewer attacks on big organisations and more on smaller companies.
The increase of supply chain attacks is one of the big concerns in the industry. Such attacks often take place via small- and medium-sized third-party organisations which sometimes don’t apply the same security standards as larger enterprises. For larger organisations it can be challenging and sometimes almost impossible to ensure that all the security measures are at an adequate level. Swiss Re interacts with a growing number of third parties, many of them small and specialised ones, and we take this very seriously. It is also crucial to do this in an efficient way. Hence you must apply a risk-based approach and focus on the critical third parties. Additionally, when installing third-party software and components in our environment, we absolutely want to avoid unwanted functionality or the introduction of attacker code. The industry has seen some prominent recent attacks such as SolarWinds or Kaseya, but such attacks can also happen when installing required software from governments (e.g. tax software) or specific software from small providers. Since some backdoor attacks only get triggered several days or weeks after implementation, you need to combine static and long-term dynamic analysis with delta investigation, which is not an easy undertaking, especially for small- and medium-sized third parties.
This is an interesting question. At Swiss Re, for example, we had to ask ourselves if we really need three different finance systems for three different business units. The answer was no; one platform is good enough, also from a technological point of view. In the past, many organisations allowed their different business units, also as part of their growth strategy, to implement the technology they wanted. Once established, these different solutions then needed to be integrated into company-wide systems. However, each integration point and interface causes costs – not only from an infrastructural point of view, but also in terms of security. This applies to technology platforms in general and to cybersecurity tools. In addition, the maintenance of such complex environments becomes more and more difficult, and the security handling and monitoring becomes almost impossible (for example timely patching of security vulnerabilities). To cope with this increasing complexity, we need more standardisation, and the cybersecurity function must be able to monitor the solutions comprehensively and transparently to react swiftly in case something happens.
Philipp Krayenbuehl is Chief Security Officer at Swiss Reinsurance Company. The CSO organisation (CSO) is Swiss Re's central body for security activities with the mission to keep cyber and physical risks across the group within the acceptable tolerance limits. The CSO defines Swiss Re's group-wide security vision and strategy and sets cyber and physical defence priorities and objectives. In addition, the CSO drives and implements security capabilities that are required to address the fast-changing threat landscape, regulatory developments, and clients' expectations. As a proactive partner, they play a leading role in advising on and exploiting the potential of emerging technology for Swiss Re's operations and business units in a secure manner. For this, they build and foster partnerships with players in the internal and external security ecosystem.