IT Risk Management and information security

Addressing IT risks is part of Group Risk Management

An explicit VIG Group guideline on the management of IT risks was created to ensure comprehensive risk management. It addresses the identification, analysis and evaluation of all IT risks that are considered significant and relevant for the Group. Based on this, group-wide guidelines are defined for the establishment of IT controls, and the implementation of business impact analyses and adequate IT continuity management is ensured.

The Risk Committee meets quarterly to provide the Management Board with regular updates on current developments in IT risk management. To ensure a rapid and targeted response, acute risks are reported directly to the Management Board member responsible for IT.

Confidentiality, Availability and Integrity as fundamental protection goals

VIG's IT security efforts are aimed at protecting digital information, systems, applications, hardware and the underlying basic infrastructure from threats. The aim is to ensure ongoing operations, comply with legal requirements, protect knowledge, minimize business risks and seize opportunities. The security of information and information systems is essential for achieving the Group's fundamental business objectives and continued success.

VIG focuses on three fundamental protection goals to ensure the best possible protection of its customers' information assets and data:

    • Confidentiality
      Information is provided exclusively to authorized users and protected against unauthorized access.
    • Integrity (including Authenticity)
      Information and identities are always correct, complete, verified and trustworthy.
    • Availability
      Information and associated resources are reliably accessible to authorized users.

VIG takes comprehensive security measures in relation to its IT landscape to prevent cyberattacks and ensure compliance with protection objectives. The combined use of several security solutions at the physical, technical and administrative levels ensures that company resources and our customers’ data are fully protected.

All relevant external providers of IT services have current certifications in accordance with international information security standards, such as ISO 27001, or are able to submit reports in accordance with ISAE 3402.

To ensure the effective implementation of an information security management system (ISMS), all of VIG's internal IT providers are certified in accordance with ISO 27001.

VIG Cyber Defense Center programme (CDC)

With the Cyber Defense Center (CDC), Vienna Insurance Group (VIG) operates a central structure that proactively protects the Group's entire business and customer pool from cyber threats. The CDC ensures that cyber attacks are detected, analysed and defended against at an early stage in order to guarantee the highest level of security standards for the entire Group at all times.

Behind the CDC is a team of IT security experts who protect the company by detecting, analysing, investigating, and averting cyber threats using semi-automated processes and advanced technology. The IT systems in the VIG Group (such as networks, servers, end devices, applications, and databases) are continuously monitored for signs of a cyber security incident. The CDC works around the clock to ensure a rapid response to any threats that arise.

The benefits of the VIG CDC for the Group are:

  • Protection of the business and customers
  • Joint action against a global cyber threat landscape
  • Increased security maturity and ensured Group-wide trust
  • Achievement of Group-wide regulatory security

VIG has established three competence centers for the Group in Austria, Poland and the Czech Republic, which provide services to the Group companies. This ensures that VIG's capacity to recognise and prevent security incidents and problems is supported and strengthened, that resilience is increased by the use of new security solutions and that knowledge and best practices are shared across the borders within the Group.

The programme under Grant Agreement Number 101145844 was supported by the European Union.

Disclaimer: Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Cybersecurity Competence Centre. Neither the European Union nor the European Cybersecurity Competence Centre can be held responsible for them.
