The financial resilience of individuals, organisations and society relies on a functioning, stable and secure financial system that participants can trust. Cybercrime and cybersecurity risks threaten the system and are becoming more sophisticated and targeted.
We have to protect our clients’ assets, including the information that they disclose to us. This includes, for example, ID and tax numbers, personal demographic details and employment information.
We create cyber-resilience by developing, implementing and continuously refining a robust information governance framework. Sanlam applies a range of measures to prevent unauthorised use, disclosure, disruption, modification, inspection, recording or destruction of information – whether in physical or electronic format.
These measures are determined by a range of information technology policies that are continuously enhanced and expanded to embrace, for example, the requirements from Policyholder Protection Rule 13 (data management), the Protection of Personal Information Act, 4 of 2013 (POPIA) and Prudential Standard GOI 5 (outsourcing by insurers). We are also finalising a policy on the quality of data in Sanlam, giving recognition to data and information as an asset. This will address the risk related to a significant amount of structured and unstructured data in multiple locations due to Sanlam’s size and geographic footprint.
Cyber-related incidents at Sanlam can impact our ability to serve the needs of our clients.
Sanlam Emerging Markets is particularly exposed to cyber-risks, amplified by a spread of smaller businesses without the necessary resources and skills. We mitigate this through a multi-faceted combination of activities that include an investment in in-country people, the standardisation of key technologies, and setting up several structures at either cluster or Group level to provide assistance.
An incident in Kenya in 2019 highlighted the risk of cyber-related attacks. Although it did not impact our ability to serve our clients, several key security controls were breached. This was remedied through a cyber-response team consisting of internal and external resources. Subsequently, the deployment of additional security controls was prioritised to guard against future risk.
Cybersecurity is regarded as one of Sanlam’s tight principles in terms of its business philosophy. This means that information strategy, planning and execution are driven from a central team within the Group. We have specialist centralised functions that provide security across multiple entities, including centrally hosted data centres.
Cyber-resilience relies on sharing threat intelligence and other information that can contribute to improved security in the industry. Sanlam actively participates in managing security risks across the industry as a member of the Association for Savings and Investment South Africa (ASISA) and by working with the South African Banking Risk Information Centre (SABRIC).
To equip our network of advisers, consultants, administrators and funds to effectively manage their cyber-related exposure, we established the Cyber Resilience Benchmark. It offers a basic evaluation to improve awareness of cybercrime. We encourage the relevant stakeholders to:
Sanlam has a well-established disaster recovery and business continuity programme. For applications hosted on-premises, a second data centre provides a failover should it be required. We established a work area recovery site should temporary workspace be required. We test the ability of our employees to effectively make use of these facilities in the event of a disaster and to ensure that our documented procedures and processes are appropriate. During 2019 specific simulations were done against different storage types to highlight where applications were hosted incorrectly.
During 2019 we conducted a review of how IT is managed and governed in the Group. No significant changes were made other than re-emphasising different roles and ensuring good understanding of these.
The Group IT Steering committee has been bolstered to include all cluster chief information officers (CIOs) to jointly drive IT strategy at a Group level, with additional accountability to the Group CIO for executing several processes. Read more about IT governance structures and mandates in the 2019 Sanlam Governance Report.
Sanlam sells peace of mind and hope to its clients and shareholders. We care deeply for our clients’ information and respect all of Sanlam’s information. Processing payments and financial information is critical for our stability, and we acknowledge that we play a role in the stability of the financial systems of the countries where we operate. The stability of our operations is critical for our stakeholders and the Group.
Cyber-risk threatens all of these and other aspects of Sanlam directly and significantly.
Our intent is therefore to create a system of cyber-resilience in the context of our risk appetite and at least comparable to our peers in the insurance, pensions and savings industries.
This policy defines the Group’s minimum requirements for managing cyber-risk based on the agreed set of controls. The cyber-resilience policy reinforces the focus and discipline required for the base preventive controls and establishes focus on the core operational cyber-related capabilities, namely threat intelligence, monitoring, detection and response. It also states the requirements for a top-down approach that should include Board and senior management involvement, sponsorship and guidance. In acknowledgement of the severity and nature of cyber-risk, it sets the requirements for cyber crisis management, which needs to be treated as an inevitability.
This policy therefore sets out the controls that are deemed critical for the establishment and sustainability of businesses’, clusters’ and the Group’s cyber-resilience.