Our ambition requires us to safeguard against any IT and cybercrime that is a real threat to our business and to the sensitive data of our customers – this is an increasing threat. Therefore, we have established a policy and management system for data security.

The policy complies with relevant sections of ISO 27001, and an Information Security Management System (ISMS), which also complies with the standard, has been set up.

Topdanmark’s objective is to minimise the risk of customers, partners and the group:

• Suffering a loss due to unauthorised access and handling of Topdanmark’s information assets
• Suffering a loss due to prolonged business interruption causing inaccessibility
• Suffering a loss due to data being lost, destroyed, altered or made inaccessible
• Suffering a loss of competitive advantages due to the disclosure of business secrets
• Losing reliability and trust due to lack of protection of sensitive customer data.

Topdanmark’s data security policy is a part of our overall risk management system, and it applies to both our employees and external business partners.

Each year, the Board of Directors adopts our data security policy and IT contingency plan based on an updated IT risk assessment which also includes cyber risk. The Board of Directors is annually briefed specifically on cyber risk and the planned initiatives to the reduce risk.

The day-to-day responsibility for the policy lies with our CISO (Chief Information Security Officer) who reports to our CIO (Chief Information Officer).

Risk assessment of significant or critical operational IT risks, including cyber risk, is performed regularly, and the result of the assessment is reported to the Board of Directors, the Executive Board, the Risk Committee and Topdanmark’s Compliance department.

Among various risk scenarios, Topdanmark generally sees an increased risk of cybercrime. This is managed by a Cyber Security Board that regularly assesses the threat and the measures necessary to ensure the required level of security. The risk is managed and reduced i.a. by an external collaboration with specialists within the field.

To counteract business interruption caused by IT or cybercrime, a comprehensive contingency plan has been prepared to ensure that business can be re-established as soon as possible.

We make use of several levels of security systems to ensure in depth security. Furthermore, we have invested in the latest technology within security incident and event management for early warning of cyberattacks.

We continuously perform vulnerability assessments, and new systems are tested for weaknesses before they are put in production.

Topdanmark’s IT systems are reviewed by external IT auditors in connection with the auditing of the financial annual report. This way we ensure that our IT systems supply valid data to the annual report, and that Topdanmark complies with the requirements on IT security set by the Danish FSA.

All new employees are introduced to our data security policy. Furthermore, classroom training is conducted for IT developers on an ad hoc basis. A separate e-learning course on data security was implemented in 2018. All employees and external consultants are under obligation to complete and pass the course annually.

Employees’ breach of Topdanmark’s data security policy can have employment-related consequences – at worst dismissal or firing.

Topdanmark’s commercial customers are also exposed to the risk of cybercrime to a great extent. Therefore, we have developed a cyber insurance that will help the customers back to normal operations after a hacker or virus attack e.g. in the recreation of data.  Our emergency service is available around the clock, and the expenses for re-establishing normal operations are covered.

In 2019, Topdanmark joined Paris Call. This is an international network of companies, organisation etc. which focus attention on a safe internet and the fight against cybercrime.

The companies in Paris Call are obliged to work together on:

• Increase prevention and resistance towards malicious online activity
• Protect the availability and integrity of the internet
• Prevent interference in electoral processes
• Fight breaches on intellectual property rights via the internet
• Prevent the rapid growth in malicious online programmes and techniques
• Strengthen security of digital products and services – and generally ensure improved cyber hygiene 
• Prevent cybercriminal activities and offensive actions from non-state actors 
• Strengthen relevant international norms

We agree with the objectives described in the Paris Call, and as a company we wish to support them. Through Paris Call, we want to gain both inspiration and knowledge on how we continuously can improve the internal IT systems, and how we can improve our customer guidance.

Topdanmark contributes to the national strategy on cyber and data security by participating in a working group under the sectoral association Insurance & Pension Denmark (Forsikring & Pension)