Security

Executive summary

Information security is defined as the framework, processes and controls defined within PIB Group España (hereinafter PIB) that seek to maintain the confidentiality (only those authorized can access the information), integrity (the information and its processing are accurate and complete) and availability (the information and its assets can be accessed when required) of the information.

In the context of this policy, information security relates to the protection and safeguarding of all PIB data throughout its lifecycle from malicious or accidental disclosure, modification or destruction. For this reason, this policy affects information systems and applications that store, process or transfer such data. Likewise, printed documents and handwritten notes or conversations must be adequately protected.

For this reason, PIB’s Management Committee has decided to establish a group-wide Information Security Management System (ISMS) in order to achieve and maintain adequate levels of information security. The ISMS is oriented towards the internationally recognized standard ISO 27001:2022. In addition, it takes into account the EIOPA (hereinafter DGSEIOPA) Information Technology Governance and Security Guidelines.

This document defines the information security principles for the entire Group and therefore takes into account the applicable legal and regulatory requirements.

In addition, the “Business Continuity Policy” establishes the minimum requirements, objectives, responsibilities, processes and reporting procedures for Business Continuity Management (BCM) in accordance with DGSEIOPA guidelines 19, 21, 22 and 23.

Therefore, ISMS and BCM support PIB in the protection of information, as well as in business recovery from emergency and crisis situations.

1. Overview

1.1. Context

Information security – confidentiality, integrity and availability – is a key success factor for PIB and is becoming increasingly important due to the digitalization of our business.

The data we collect, store and process as part of our daily operations has significant value both to PIB and to external parties who may misuse it. Information systems and the data they process can expose us to risks ranging from unauthorized access, unauthorized disclosure of information, theft and data corruption to business discontinuity due to loss of systems.

Risks can materialize as a result of an accidental or intentional action by an employee, or of malicious actions carried out by criminal organizations. These risks can endanger the Group through loss of customer confidence, non-compliance with a regulation and/or loss of a competitive advantage.

Therefore, it is necessary to implement adequate control measures to protect the Group’s information assets and the processes that support them.

1.2. Purpose

This document defines the information security principles for PIB and therefore takes into account the applicable legal and regulatory requirements, in accordance with DGSEIOPA Guideline 6. The policy serves as a basis for information security management and specific regulations to protect the confidentiality, integrity and availability of information within PIB against internal or external threats, whether intentional or unintentional, in order to ensure the development, implementation, operation, maintenance and use of PIB’s information systems.

1.3. To whom it is addressed

This policy applies to all employees, whether temporary or not, and to service providers who make use of the Group’s information or information systems and/or its facilities.

2. Responsibilities

2.1. Information Security Officer (ISO)

The ISO’s primary responsibility is to advise on, coordinate, monitor and review information security and technology-related risks within PIB. The ISO’s responsibilities include, but are not limited to:

  • Establish the information security strategy and define, develop and maintain the associated security policies, procedures and standards (DGSEIOPA guideline 7).
  • Report on the progress of any initiatives, both tactical and strategic, related to information security.
  • Analyze and assess information security risks.
  • Escalate any security incidents to the Group CISO and the Management Committee.
  • Monitor and assist in any investigations related to security breaches or IT control failures.
  • Coordinate penetration testing, vulnerability analysis and IT audits.
  • Ensure that the information systems (whether developed or acquired) comply with the standards defined by the Group.
  • Define and implement a cybersecurity training plan for all PIB employees.
  • Ensure that the ISMS remains in place.

3. Principles of information security

3.1. Information security risk-based governance

It is not possible to provide total security for all information. Moreover, not all information requires the same protection. PIB therefore manages information security based on risk (DGSEIOPA Guideline 4). This makes it possible for PIB to provide and use resources in the areas where they are most urgently needed. The ISO, for this reason, defines unified requirements for information security risk management and thus facilitates and monitors risk-based decisions.

3.2. Each employee is aware of his or her individual responsibility for information security.

Both internal and external PIB employees are among the most important success factors in ensuring the required levels of information security. Numerous security measures can only be implemented effectively if internal and external employees are sufficiently aware of information security and have sufficient skills in the field of information security. The ISO will therefore develop an information security training and awareness plan to enable all employees to fulfill their duties and responsibilities and minimize the risks associated with the use of information technology and information security (DGSEIOPA Guideline 13).

3.3. Compliance with unified minimum information security requirements

The level of information security required throughout the Group can only be guaranteed by unified and binding minimum requirements, adapted to local characteristics. For this reason, there are three levels of information security documentation, each building on the one above it:

  • This Information Security Policy describes at the highest level the principles and objectives of PIB’s information security.
  • Level 2 policies (see Annex 1) set out in detail the security requirements for the entire group, taking into account the legal constraints that may apply in each case.
  • The procedures or work instructions describe the specific instructions for information security processes, information security procedures and information security measures to meet the requirements of the level 2 documents.

The ISO creates and maintains the Information Security Policy and the level 2 documents for all services shared by the Group. Procedures or work instructions are created and maintained by the functional unit responsible for each of them.

3.4. Security-oriented cooperation with external parties

Cooperation with external service providers and partners must not reduce PIB’s level of information security. For this reason, external service providers and partners may only have access to PIB information and IT resources after PIB has assessed and classified the information security levels of external service providers and partners accordingly. Furthermore, PIB only grants access to information and IT resources that are necessary for cooperation (need-to-know principle). The ISO therefore defines unified requirements for security-oriented cooperation with external parties.

3.5. Playing an active part in maintaining the level of protection

The required information security levels must be independently verified, monitored and evaluated in order to maintain and continuously optimize them (DGSEIOPA guideline 12). This is also supported in the area of Information Security Management through the “Three Lines of Defense Model”.

  • 1st line of defense

The first line of defense is composed of operational management and is responsible for the definition, implementation and control of information security measures for risk management and for compliance with information security requirements.

  • 2nd line of defense

The second line of defense is in the hands of the ISO and PIB’s information security unit, supported by locally established risk management functions. The second line defines the information security requirements and oversees the definition, implementation and control of the first line’s information security measures.

  • 3rd line of defense

Internal audit acts as an independent third line unit, assessing the effectiveness of the first two lines of defense. Audits should be conducted on a regular basis and in line with the corresponding audit plan by auditors with sufficient knowledge, skills and experience in ICT and security risks to independently ensure their effectiveness (DGSEIOPA guideline 5).

4. Policy update

This policy will be reviewed annually by the Security Manager. The following factors will be taken into account during the review process:

  • Legal changes related to the content of this policy.
  • Significant changes in the company’s strategy and/or activities, especially if these have an impact on the information security policy.
  • Significant changes in the structural and/or process organization.
  • The existence of a serious compliance infringement relevant to the content of the regulations.
  • A weakness detected in the course of an internal or external audit.
  • The effects of technological changes.

In the event of changes to the current version, they shall be submitted to the Safety Committee for approval, and the decision taken and the justification shall be documented.

The modification made must be duly documented in the Change History section, indicating who made the change and the reason for it.

Annex 1

Listed below are the security policies that define the security requirements for each scope of action. These policies complement what is defined in this policy.

  • ISMS Organization
  • Secure use of information and technology
  • Identity and access management
  • Mobile security
  • ICT systems and network operations
  • ICT asset management
  • Physical security
  • Human resources security
  • Group subcontracting policy
  • Security Incident Management and Response