Key non-financial risks

Key non-financial risks

From the perspective of the impact on issues related to social, employee, environmental, human rights and prevention of corruption, compliance risk and operational risk are of special importance. Accordingly, the PZU Group has implemented an operational risk management system under which it prevents operational risk incidents and reduces operational losses. The operational risk management principles and structure in PZU are based on the adopted operational risk management policy. Operational risk is controlled on multiple levels in the organization. Supervision over the operational risk management system is exercised by an independent, dedicated unit within the Risk Department structure.

The key tool used to monitor operational risk is the key risk indicator system, covering areas with special exposure to operational risk. The indicators are subject to regular reviews: at least once a year.

As part of compliance risk and operational risk, employee, environmental, social, ethical, including interactions with clients and prevention of corruption issues have been identified. Detailed references to these risks and methods of mitigating them are described in the following sections of this report:

Information security

Area-specific risk: the risk pertaining to disclosure of personal data and data subject to insurance secrecy to unauthorized persons.

Approach to management: PZU and PZU Życie have implemented principles for client identification and provision of information depending on the client’s requests. In addition, access to personal data and data subject to insurance secrecy is granted only to authorized persons using the Central Information Security Management System (CSZBI). Additionally, PZU has implemented a DLP class monitoring system, which comprises appropriate rules minimizing the risk of disclosure of information, including personal data, to unauthorized persons. The companies regularly implement procedures and safeguards in electronic channels of communication with clients, thereby minimizing the risk of unauthorized disclosure of legally protected information.

Key regulations: Security Policy

Active existence within any global network is associated with a number of threats; therefore, in order to successfully face the constantly changing challenges, the fundamental units responsible for ensuring the Group’s IT security keep getting reinforced. For 2022, production deployment and expansion of solutions addressing the need for defense against new threats, incident analysis and identity management are scheduled. Among the key elements of the strategy adopted with a view to solidifying PZU’s IT security is the introduction and improvement in 2022 of the process of proactive search for potential threats and threat mitigation modeling. In 2022, educational activities for PZU employees and agents will also be continued, including exercises in identifying phishing attempts.

Cybersecurity management system

IT security is considered one of the most significant challenges faced by in the domain of modern technologies. Efforts focused on prioritizing the strategic objectives in this area within the PZU Group are aimed at responding to new threats, in terms of both organization and technology. Appropriate policies, procedures and detailed requirements are in place in all Group companies in order to ensure an adequate level of protection for clients’ information and data. A comprehensive multiple-layer system to protect against cybersecurity threats functions in PZU and PZU Życie and is being constantly developed – new tools and competences are acquired on an ongoing basis.

In 2021, we managed to prevent:

Additionally:

Security tests

Rolling out and selling products and customizing the offer to evolving client needs is an enormous challenge for the Group’s information systems. For these changes to proceed smoothly and not to disrupt client service, the organization has crafted a recurring information procedure embracing a broad set of tests and verification methods. This procedure guarantees early detection of threats and possible problems and supports the appropriate management thereof.

Vulnerability assessment tests are conducted by the Group on the company's systems. Infrastructure vulnerability detection is an ongoing and automated process in which dedicated Vulnerability Assessment solutions are used. Security tests form part of the change, release and project management processes.

Security training

Information security and cybersecurity are not just efficient systems and adequate procedures. Threat awareness and the knowledge of rules among employees and associates are of no less importance. For this reason, newly employed persons participate in onboarding training during which they are acquainted with security principles and then undergo obligatory e-learning training. Refresher training courses are also conducted on an ongoing basis, along with internal information campaigns on information security, personal data protection and cybersecurity. These issues are most frequently raised jointly, as they complement one another. In 2021, dedicated refresher training courses on these issues were conducted for employees and agents of particular units, mainly in the form of webinars. Their participants were, among others, employees of branches, exclusive agents, and operation centers and centers for handling claims and benefits (in particular, individuals involved in data processing operations). In June 2021, an internal information campaign was held, entitled “Cyberthreats come in different colors”. Cybersecurity was also among the topics of the fall campaign “We care for super security”. As part of the campaign, in addition to the publication of useful articles and pieces of advice, on-line meetings with external cybersecurity experts were held, devoted in particular to some of the most common threats and attacks currently experienced.

In 2021, employee training programs continued on GoPhish platform launched in 2018. Such actions are taken to improve the awareness among employees of the threats following from suspicious messages, including those containing malicious elements and prompting people to open suspicious pages or attachments.

GDPR

The PZU Group ensures the security of the processed information and the protection of the personal data of its clients. It understands the complexity of the obligations following from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and makes sure all of its processes are compliant with the Regulation and local personal data protection regulations. The PZU Group expects an equally mature approach from its business partners.

The responsibility for the area of security in PZU and PZU Życie rests on the Director of the Security Department who answers directly to a Management Board member. Moreover, the Data Protection Officer (DPO) was appointed in PZU and PZU Życie. Security structures for the processing of information, including personal data, have been established within the Security Department, which support the performance of the tasks of the Data Protection Officer (DPO).

PZU and PZU Życie act with all diligence in taking care of information security and data protection in compliance with the GDPR. Client personal data is collected, processed and transmitted in PZU and PZU Życie in compliance with law. Data which is subject to insurance secrecy is made available on the basis of Article 35 of the Insurance and Reinsurance Activity Act which provides the list of the entities and institutions to which data may be made available. External entities are entrusted with personal data processing on the basis of an agreement for entrusting the processing of personal data. Where third party entities are provided with protected information, it is a standard practice to enter into a confidentiality agreement. The content of such an agreement includes, among other things, an undertaking to implement at least the same measures to ensure the protection of information, as well as a provision guaranteeing a possibility of conducting an audit.

GDPR – access to data

In order to maintain the highest privacy of clients, each person whose data is processed is entitled to access data and to erase, rectify, complete or modify his or her personal data, as well as has a possibility to ask questions concerning privacy. Appropriate processes have been put in place for this purpose, which ensure the exercise of the rights of data subjects, as defined in Articles 12 to 22 of the GDPR.

GDPR – management information

The management information concerning the security of the processed data in terms of the identified risks and vulnerabilities is reported to the Management Board of PZU and PZU Życie on a periodic basis and includes information on the carrying out of the obligations set forth in Article 33 (Notification of a personal data breach to the supervisory authority) and Article 34 (Communication of a personal data breach to the data subject) of the GDPR. The companies monitor the data processing operations and the applied technical and organizational measures on an ongoing basis to identify possibilities for improving the level of security of the processed data.

GDPR - audits

Audits of entities that have been entrusted with personal data processing are conducted by PZU and PZU Życie on a regular basis. During an audit it is verified whether the processing of the entrusted personal data by the processor complies with the GDPR and the agreement for entrusting personal data processing. PZU and PZU Życie also conduct audits of the processors in the case of which security incidents have occurred. Recommendations for changing processes or systems for particular business owners are issued on the basis of audits.

Personal data protection officers

Fulfilment of the duties of a personal data controller (PDC) and a data protection officer (DPO) set forth by law, monitoring of information security incidents, in particular relating to personal data and breaches reported to the President of the Personal Data Protection Office (PUODO), periodic data reporting to the Management Board of PZU and PZU Życie.

Having regard to the security of processed personal data and in order to guarantee the compliance with the GDPR, a practice of periodic data reporting to the Management Boards of PZU and PZU Życie has been established, encompassing data concerning information security incidents, in particular relating to personal data and breaches reported to PUODO. The ongoing data monitoring, analysis and reporting guarantee the transparency and accountability of the process. With the use of the established mechanisms, the areas requiring the implementation of changes are identified and recommendations concerning the improvement of personal data processing security in these areas are issued.

The obligations imposed on the personal data controller and the data protection officer are complied with in the daily activity, which ensures compliance of the personal data processing with the laws.

The PZU Group works on a continuous basis for the strengthening of the functioning data protection system. In view of the above, steps will be taken in the future to maintain the quality of the processes carried out.

Data protection impact assessment (DPIA)

Following the obligations set forth expressly in the GDPR, processes have been implemented in PZU and PZU Życie which guarantee a documented process relating to the carrying out of the provisions of Article 35 (Data protection impact assessment) of the GDPR, requiring companies to assess the data protection impact in order to estimate, in particular, the source, nature, specifics and seriousness of the risk.

With a view to complying with the GDPR, the following procedures have been introduced: Rules for personal data processing risk management in PZU and PZU Życie and the Instruction (methodology) for identifying and assessing personal data processing risks in PZU and PZU Życie. Moreover, periodic reporting to the Management Boards of PZU and PZU Życie has been introduced, encompassing data concerning the conducted DPIA analyses. Processes are monitored on an ongoing basis and the fulfilment of the issued recommendations is checked. With the use of established mechanisms, the areas requiring the implementation of privacy by design and privacy by default are identified and recommendations concerning the improvement of personal data processing security in these areas are issued. DPIA analyses are conducted also for the existing processes and the changes made and their impact on the personal data processing are checked on a periodic basis.

The undertaken measures have made it possible to establish, with the use of the Jira system, a regulated and tightened DPIA analysis process imposed on the controller under Article 35 (Data protection impact assessment) of the GDPR. Project product assessments in terms of the impact on data protection have been introduced for the Jira system. Having regard to data security, the implementation of topics which have not been assessed for compliance with the GDPR is blocked. A multi-track assessment of the impact of processing on data protection ensures the compliance of personal data processing with laws. 2,081 elements of distinct processes were assessed in 2021, including the assessment of 823 initiatives/topics, 1,235 sub-topics, 8 proof-of-concept operations and 42 full DPIA tests, including 10 DPIA analyses of ongoing processes.

Opinion issuing process

Internal documents, contracts and processes are reviewed in terms of compliance with the applicable provisions on the protection of personal data, judicial rulings, administrative decisions, regulations adopted by PZU and PZU Życie and best market practices.

The implementation of the opinion issuing process by PZU and PZU Życie has contributed to ensuring compliance of the Group’s data processing operations with the applicable laws, accountability and the implementation of the privacy by design principle. It allows to identify irregularities at an early stage and to adapt actions to the standards in force.

The implemented opinion issuing process encompasses the rollout of new functionalities or changes in the existing functionalities of IT systems, internal documents, processes and contracts in which a personal data related element is or may be present. For this process to be carried out in the best possible way, a dedicated e-mail box has been set up to which queries from business units are sent. Matters are assigned to employees specializing in various data protection areas. The opinion issuing process ends with the issuing of a recommendation in compliance with the applicable provisions on the protection of personal data, judicial rulings, administrative decisions, regulations adopted by PZU and PZU Życie and best market practices. All matters on which opinions are issues are entered in a register in order to ensure accountability.

In 2021, opinions were issued in PZU and PZU Życie on more than a total of 1,768 matters. The process of issuing opinions enables the identification and correction of irregularities, if any, and contributes to raising awareness of personal data protection and personal data processing security among employees.

Breaches and complaints

In 2021, 816 personal data protection breaches in the PZU Group were reported to the President of the Personal Data Protection Office (PUODO), of which 404 breaches were recorded in PZU, 186 in PZU Życie, 23 in the Alior Group, 27 in Bank Pekao, 138 in LINK4 and 38 in PZU Zdrowie.

Counteracting corruption

Area-specific risk: the risk of corruption associated with inappropriate implementation in the Group’s structure of anti-corruption procedures, including the lack of protection for whistleblowers.

Approach to management: there is zero tolerance for any form of corruption in the PZU Group. Therefore, the Group companies have in place corruption prevention policies and rules for acceptance and giving of gifts. Additionally, PZU and PZU Życie have implemented a Whistleblowing Procedure and an Anti-Corruption Program which serves as the basis for establishing and supporting preventive and educational solutions in the field of counteracting corruption and defines a breakdown of responsibilities to control the risk of corruption.

Key regulations: Anti-Corruption Program; Whistleblowing Procedure

“We do not tolerate corruption; we do not give impermissible presents to business partners, their employees, agents or other third parties. Nor do we promise or expect to receive such presents, nor do we accept them. We have included these rules in the Best Practices of the PZU Group, which are a collection of fundamental ethical standards. We treat them as an inseparable element of our identity and a source of PZU Group's corporate governance.”

Monika Guzek, Director of the Compliance Department in PZU and PZU Życie

There is zero tolerance for corruption in the PZU Group. The organization’s implemented solutions define the method of corruption risk management, including identification, mitigation and monitoring.

The Group’s companies have in place internal regulations to prevent corruption, including, inter alia, rules for accepting and giving gifts, conflict of interest management, and ethical principles to be followed by members of the company’s statutory bodies. Relative to the entity in question, these rules have been covered by a range of implemented documents, regarding, inter alia, prevention of corruption, whistleblowing, conflict of interest management, and procurement. Those issues are also discussed during internal employee training.

The rules for Group employees to accept and give presents and the rules for registering them have been strictly defined. Gifts and entertainment, exclusively of low value, may be offered or received in the course of typical business practices. Under no circumstances can money or its equivalent be offered or received. Giving and receiving gifts cannot be so frequent, excessive or generous as to represent an actual or perceived risk of corruption, or breach local statutory or executive regulations,

The “Best Practices of the PZU Group” constitute the model for the standards, values and principles for all Group employees and they outright forbid corruption in companies. They obligate employees to act in compliance with the law and defined ethical standards: “We do not tolerate corruption. We act ethically and in accordance with the law when performing our business tasks and cooperating with our business partners”. All of the PZU Group companies implemented the “Best Practices”, except for the Alior Bank Group, which has in place the “Code of Conduct in Alior Bank” and except for the Pekao Group, which has in place its own “Code of Conduct in the Pekao Group”. In turn, LINK4 has in place its “Corruption Prevention Compliance Policy”.

Corruption risk is part of the ongoing management of compliance risk in various areas of activity. PZU has therefore implemented solutions imposing an obligation to identify and assess corruption risk. The 2021 corruption risk assessment confirms that the system solutions work correctly in PZU and that actions aimed at managing this risk were taken with due diligence.

The “Anti-Corruption Program” lays down the standards of conduct to mitigate corruption risk. The rules for managing conflicts of interest and the principles for accepting and giving gifts are in line with the Program.

Communication and training

These actions are supplemented by anti-corruption training and campaigns executed in the corporate communication channels, attracting the employees’ attention to the corruption risk.

The training course pertaining to the “Anti-Corruption Program in PZU and PZU Życie” is one of the mandatory training courses for all of the employees in these companies. PZU and PZU Życie employees submit declarations in the HR system that they have familiarized themselves with the “Program” and undertake to adhere to it and also that they are aware of the criminal liability for corruption. Every amendment to the “Program” will necessitate the submission of an updated declaration. 530 employees completed this training course in 2021.

Confirmed incidents

In 2021, 734 cases of corruption and fraud were identified in the entire PZU Group. Four situations were reported in PZU and PZU Życie that may have involved corruption. As a result of an investigation, in three cases no irregularities were found that would suggest corruptive conduct. In one case, however, it was confirmed that the counterparty offered a bribe to the client. In these circumstances, the client submitted an oral notification of a crime having been committed, and the Companies discontinued any cooperation with this counterparty.

Management of a conflict of interest

Rules for acceptance and giving of gifts

The rules in PZU and PZU Życie regulate in transparent and very detailed terms the categories and types of gifts, including permissible and impermissible gifts and they prescribe the procedure for accepting or offering gifts and the rules for registering gifts. These rules are in force regardless of the position held or function discharged in the company. Rules of acceptance and giving gifts are in force in all the PZU Group companies..

Topics concerning conflicts of interest, potentially risky situations and the rules of conduct if they are detected, are part of the e-learning training course on compliance. A newly developed e-learning course was introduced in 2020. In 2021, the training was addressed to newly-hired employees. At the same time, the training is available for employees of PZU and PZU Życie. These topics are also discussed during on-boarding training courses for newly-hired employees. Furthermore, employees submit declarations on adhering to the “Rules for Managing Conflicts of Interest”.

Compliance-related issues are regularly described in the Compliance Bulletin. Employees receive it quarterly by e-mail or in printed form. The Compliance Bulletin plays an educational role - it enriches the knowledge gained during training sessions thanks to the readily understandable manner of presenting information (in the form of tables and figures).

An important information tool is Compliance Alerts, i.e. e-mail messages describing planned changes to the law, new guidelines, communications and decisions made by regulatory authorities, as well as court decisions of significance from the viewpoint of the business conducted by PZU and PZU Życie. Compliance Alerts are sent to employees in selected areas and several hundred more people who have reported their interest in receiving this type of information. These alerts are critical to procure the company’s compliance with the legal regulations. They make it possible for them to obtain information quickly about the projected changes to the law and the regulator’s expectations and adapt to them on a timely basis.

Fraud prevention and counteracting of money laundering and terrorism financing

Area-specific risk: the risk of improper design and implementation of solutions in the area of fraud prevention and counteracting of money laundering and terrorism financing in the organization and a failure to execute these solutions correctly.

Approach to management: the PZU Group has in place special security procedures in the fraud prevention area, which includes counteracting of money laundering and terrorism financing. The PZU Group designates a single owner of the insurance fraud prevention and counteracting money laundering and terrorism financing area, who is responsible for the entire process, monitoring its quality and effectiveness, as well as for adhering to the prevailing procedures. This area contains the Team for Insurance Fraud Prevention (ZPPU) and the Team for Security Incident Management (ZZIB). The Team for Insurance Fraud Prevention fulfills tasks in the area of analyses of fraud prevention and operational activities undertaken to investigate the actual course of a given fraud event. The Team for Security Incident Management fulfills tasks in the area of counteracting in-house crime. In discharging these tasks both Teams are supported by the Fraud Management System - the most advanced system on the Polish market that profiles internal and external fraud, supports their analysis and provides for smooth and effective case workflow.

The money laundering and terrorism financing counteracting processes are executed in the Security Threat Analysis Team (ZAZB), while the standards of activities and the target process, including implementation of the IT system, is created within the AML Project. The Compliance Area is responsible for the observance of international sanctions.

Key regulations: The Security Procedure for the fraud prevention area and the Security Procedure for counteracting money laundering and terrorism financing, the Sanction Policy

PZU Group policies [Accounting Act]

Financial crime, money laundering and financing of terrorism are challenges that evince serious consequences for the financial markets across the globe. For many years the PZU Group has been taking legally required actions to prevent situations in which its transactions are used for unlawful purposes.

Prevention activities and training

Risk awareness is a crucial part of the company's security system functioning correctly; that is why all employees and intermediaries should be trained and have up-to-date knowledge of the applicable internal regulations and other necessary internal rules on fraud prevention, counteracting money laundering and terrorism financing. The head of the organizational cell or unit in which the employee is employed is responsible for overseeing training. The head of the organizational cell or unit of the Head Office supervising a given structure is responsible for supervising the employees of local structures of divisions and tied intermediaries.

Detailed information on prevention and prophylactic security measures is set forth in the “Instructions regarding prevention and prophylactic security measures in PZU and PZU Życie”. It spans actions to raise the awareness of security risks in the following areas:

• information security;
• cybersecurity;
• physical safety;
• counteracting crime;
• counteracting money laundering and terrorism financing;
• business continuity.

In 2021, there were 250 incidents in the PZU Group related to insurance fraud (184 in PZU, 20 in PZU Życie, 26 in LINK4, 5 in TUW PZUW and 15 in its international companies). These cases were handed over to the law enforcement authorities.

In 2021, there were 794 pending fraud cases in the Alior Bank Group. Irregularities involving internal fraud were identified in 481 instances. The level of losses was PLN 113 thousand, of which PLN 50.1 thousand was recovered.

Alior Bank operates the “Program of counteracting money laundering and of terrorism financing in Alior Bank S.A.”.

Bank Pekao has in place a Fraud Management Process regulation which introduces the Official Instructions entitled Fraud Management Process in Bank Polska Kasa Opieki. The Official Instructions define the following:

• what a fraud is and what fraud categories may affect the bank in the course of its activity;
• who (which organizational unit in the bank and which employee of the unit) is obligated to take action in the event of fraud;
• how specifically fraud should be prevented (catalog of activities to be performed).

In addition, there are defined obligations and powers of the Financial Security Office in the Bank Pekao's Security Department, which performs the tasks associated with central coordination of prevention of financial crime in the bank.

The Fraud Management Process and the Official Instruction imposed on each bank employee the obligations and powers associated with prevention of financial crime threatening the organization and the bank's clients.

In 2021, the amount of fraud operations in Bank Pekao was PLN 63.7 million (4,699 fraud operations).

Whistleblowing system

In all Group companies, Polish and foreign alike, separate whistleblowing procedures are in place. Employees are advised of the prevailing standards of conduct, inter alia at onboarding training for new hires, during e-learning and during on-site and online training courses.

In 2021, roughly 140 suspected irregularities were reported in PZU and PZU Życie, which confirms that the Whistleblowing System actually functions. All reported cases were examined in accordance with the applicable regulations, including the “Whistleblowing Procedure in PZU and PZU Życie”.