Information & Communication Technology (ICT) Security @SCOR
Protecting digital assets to strengthen resilience, enable innovation, and build trust.
Our Commitment to Information Security
At SCOR, safeguarding information is a strategic priority.
We protect our clients, employees, and partners by ensuring the Confidentiality, Integrity, Availability and Safety of Data. Our security approach aligns with international standards and regulatory requirements, combining strong governance, advanced technology, and continuous improvement to maintain trust and resilience.
SCOR is committed to:
- Protecting the integrity and confidentiality of data across its lifecycle.
- Responding to Information Security threats and incidents promptly and effectively.
- Holding the entire workforce accountable: every employee and contractor must follow security requirements and report anomalies through documented procedures.
- Enforcing security requirements on Third Parties that access SCOR Data or Systems, embedded through our procurement and Third-Party Risk Management (TPRM) framework.
- Continuously improving our Information Security Management practices and controls.
Governance & Oversight
A robust governance model is essential to managing Information Security effectively. Our governance framework ensures accountability at the highest levels.
SCOR’s Chief Information Security Officer (CISO) leads the Group Information Security function and oversees the security domains, ensuring that policies, guidelines, and controls are implemented effectively.
Security governance is integrated with IT Governance and Risk management and is supported by dedicated meetings at Senior Management and Board level that provide oversight, accountability, and alignment with business priorities:
- The Information Security Steering Committee (ISSC) sets strategic directions, allocates resources, and ensures that security goals support the Group’s strategic objectives.
- The Group Operational Risk Committee (ORC) integrates cyber and ICT risks into enterprise risk management, reviewing appetite, control effectiveness, and scenario analyses.
Additionally, Security Forums foster knowledge sharing, accelerate learning from incidents and audits, and champion innovation in security tooling and methods.
This model ensures that decisions are timely, evidence-based and connected to business priorities. It also reinforces a culture where security is embedded in everyday operations, not addressed only at moments of crisis.
Information Security Policy
SCOR’s Information Security Policy establishes the principles and controls that safeguard our digital assets across all business activities. It is designed to prevent unauthorized access, maintain operational resilience, and comply with global best practices.
The Information Security Policy undergoes annual reviews to align with evolving regulations and best practices, including ISO/IEC 27001 and the EU Digital Operational Resilience Act (DORA). It applies to all SCOR entities, employees, contractors, and third parties who process or access SCOR Data, Systems, Applications or facilities.
The Information Security Policy is anchored in four core principles:
- Confidentiality: protecting information from unauthorized access.
- Integrity: preserving the accuracy and reliability of Data throughout the value chain.
- Availability: ensuring timely and reliable access to Systems and Information.
- Safety: minimizing Technology-related risks through prevention, detection, and recovery mechanisms.
It is aligned with recognized standards and frameworks (e.g., ISO, CIS, NIST, MITRE, OWASP, AICPA TSC¹), and controls are organized using the Secure Controls Framework (SCF).
Internal control responsibilities are clearly structured into three Lines of Defense (LoD): operational teams apply processes and execute controls, Risk Management reviews control effectiveness, and Group Internal Audit provides independent assurance through regular testing.
This ensures high service quality, system availability, and compliance while promoting innovation, accountability, and resilience.
Download the full Information Security Policy (PDF)
Information Security Management Program
SCOR implements a comprehensive Information Security Management Program through a set of dedicated policies, standards, guidelines, processes, controls, and safeguards designed to protect SCOR’s systems and data in line with its information security objectives. The program defines governance and accountability, establishes minimum requirements applicable across the Group, and supports the protection of information throughout its lifecycle.
To ensure that information security measures remain effective and efficient over time, and to continuously strengthen SCOR’s digital resilience in the face of evolving threats, SCOR relies on the following mechanisms:
- Digital Operational Resilience Testing Program: risk-based testing methodologies and test plans covering IT Disaster Recovery (DR), Threat-Led Penetration Testing (TLPT), penetration testing of internet-facing services, and business resilience/crisis testing, including communication and coordination exercises.
- Continuous vulnerability management and internal security assessments: ongoing identification, prioritization, and remediation of vulnerabilities through continuous monitoring and security assessments across applications and environments to reduce exposure to known threats.
- Control reviews and audits: periodic internal reviews and audits, complemented where relevant by independent external assurance activities, to validate the design and operating effectiveness of security controls and to drive remediation and continuous improvement.
- Employee training and awareness programs: mandatory cybersecurity and data-privacy awareness in addition to role-based training, refreshed annually to reflect new regulations and threats, and reinforced through practical exercises.
- Phishing resilience and reporting mechanisms: phishing simulation activities and established processes for employees to report suspected phishing, data leakage, or other suspicious activity, enabling timely triage, escalation, and response.
- Incident detection and response: monitoring, detection, escalation, response, and recovery processes supported by a maintained Incident Response Plan (IRP), including scenario-based exercises to strengthen readiness and improve response capabilities.
Building a security-first culture
SCOR promotes a strong security culture by implementing comprehensive security awareness and training programs to create a workforce that is vigilant, informed, and prepared to respond to evolving information security and cyber threats.
Training initiatives cover both Cybersecurity and Data privacy, ensuring that employees understand the risks, compliance obligations, and best practices that apply to their roles. Programs are tailored to organizational needs and work environments, including remote work scenarios, and range from foundational awareness sessions to advanced role-based training for specialized functions.
Training content is regularly updated to reflect new regulations, emerging threats, and lessons learned from audits or incidents. Practical exercises, such as simulated phishing attacks, social engineering scenarios, and data protection drills, reinforce learning and prepare employees for real-world challenges. We also teach staff how to recognize suspicious communications and anomalous system behavior, providing early warnings against potential breaches.
Every training session is documented, and participation records are maintained as evidence of compliance. By combining education, simulation, and continuous improvement, SCOR fosters a security-first culture that strengthens resilience and protects sensitive information.
How we maintain alignment with Standards
Security is not static.
We monitor key indicators such as vulnerability remediation time, patch compliance rates, incident resolution time and resilience test success to ensure continuous improvement and maintain audit readiness.
We benchmark our practices against recognized frameworks and standards (e.g., ISO, CIS, NIST, MITRE, OWASP, AICPA TSC¹) and organize our controls using the Secure Controls Framework to support consistent adoption across domains such as operations, architecture, data protection, access management and business continuity.
These measures ensure that our controls are comprehensive, coherent, and recognizably best-in-class, while updates reflect technology change, new Threats, and shifting regulatory expectations.
Through rigorous oversight and continuous improvement, SCOR aligns Information Security with business value, ensuring resilience and trust across the reinsurance ecosystem for clients, employees, shareholders, and society.
Contact and information
If you have questions about Information Security, please contact our CISO Office.
Last update: January 2026
Footnotes
¹ ISO: International Organization for Standardization; CIS: Center for Internet Security; NIST: National Institute of Standards and Technology; MITRE: MITRE ATT&CK cybersecurity framework; OWASP: Open Worldwide Application Security Project; AICPA TSC: American Institute of Certified Public Accountants – Trust Services Criteria.