Cybersecurity is a key topic for the PZU Group, given its growing importance in the financial and insurance sectors.
Proper system security is not only a regulatory necessity but also a foundation of trust for clients and investors. As a result, in its double materiality assessment, the PZU Group identifies cybersecurity as an issue that has an actual positive impact on its own operations. The use of advanced security technologies protects client data and ensures operational stability.
The PZU Group also identifies the risk that disclosure of customer and other sensitive information, as well as cyber threats more generally, could compromise the security of customer data and the operational stability of the PZU Group.
Cybersecurity policies
The PZU Group has regulations concerning cybersecurity, data protection, and IT risk management. The adopted policies aim to align the organization with changing market conditions, regulatory requirements, and the rapidly evolving landscape of digital threats. One of the key policies is the PZU Group Security Management Policy, which aims to ensure effective cooperation in the area of security within the PZU Group and proper security management at subsidiaries. The policy covers all PZU Group entities, excluding the Alior Group and the Pekao Group. Its key areas include:
- setting and maintaining standards in security management in the PZU Group;
- conducting security review or analysis with respect to selected areas of the entities’ operations;
- establishing rules for the provision of information by subsidiaries;
- principles for exchanging knowledge and experience in the area of security.
PZU has also developed and is implementing the IT Strategy for 2025-2027. An important part of the new IT strategy is building competencies of the future in artificial intelligence, cloud solutions and low-code technologies for faster application development. Cybersecurity and digital resilience are also strong pillars of the new IT strategy. The goal is to ensure that the data of PZU customers and of the organization itself are protected as strongly as possible from advanced cyber-attacks, and to safeguard the continuity of technology operations in the event of cybersecurity, physical, climate and geopolitical threats.
The Pekao Group has in place an Information and Communication Technology Security Strategy for 2025-2027, which focuses on strengthening the organization’s resilience to digital threats and ensuring the highest level of protection for customer data. It envisages developing competence in modern technologies and implementing solutions to support secure banking services. Its main objectives are:
- improving the security of data, systems and customers;
- incorporating cybersecurity in the organization’s daily processes and culture;
- ensuring compliance with security-related regulations and standards;
- developing modern protective technologies and process automation;
- strengthening operational resilience and incident response capabilities.
Each entity in the PZU Group has the right to create its own regulations for its operations.
Processes carried out within the scope of activities to maintain and improve cybersecurity
The PZU Group implements a number of processes to improve cybersecurity. These include threat protection and monitoring, integrated security systems with interunit cooperation, specialized procedures in subsidiaries, and a general monitoring and reporting system.
PZU has comprehensive processes in place to ensure cybersecurity and regulatory compliance. PZU’s focus on risk and compliance management includes identifying and minimizing ICT (Information and Communication Technology) risks, implementing security standards, and advising on compliance with regulations such as the DORA Regulation. As part of these activities, cybersecurity projects and applications are also supported.
At the same time, threat monitoring and response processes are implemented, which include 24/7 surveillance of infrastructure, detection and neutralization of cyberattacks, and development of protection tools. In this regard, multi-layered security mechanisms and services are used. Security of cloud applications and solutions is also an important component, which includes penetration testing, security audits and vulnerability identification.
These processes support the security of new IT projects and the review of cloud solutions to minimize risks and ensure compliance with applicable regulations. Through these measures, PZU is building effective, multi-level protection against cyber threats, ensuring the security of data, processes and services for clients and employees.
The PZU Group has a company called PZU Centrum Operacji, which, among other things, provides IT services and manages technology risks and security in IT systems for selected PZU Group entities. The remaining companies carry out cybersecurity tasks on their own.
The PZU Group strives to maintain the highest level of protection against cyber threats by implementing modern technologies, threat monitoring, and systematically raising employee awareness. Strictly controlled procedures, audits, and cooperation with external entities ensure effective protection against cyberattacks and safeguard data and resources within the PZU Group.
Security measures to prevent data loss and leakage in PZU’s systems and end devices form an extensive and multi-layered system.
In 2025, PZU implemented a cyber threat early detection system that allows PZU’s cybersecurity teams to identify potential incidents faster and respond to them effectively. The project is being implemented in cooperation with the Polish startup RIFFSEC. RIFFSEC’s early warning system monitors the open Internet, the deep web and the dark net for data breaches, from leaked logins and passwords to brand incidents. Information collected by RIFFSEC for PZU covers, among other things, situations that potentially threaten the confidentiality of data (including logins and passwords), cybercriminals’ conversations about PZU, and the registration of domains that resemble PZU’s. The platform also reminds the insurer when its domain registrations and SSL/TLS certificates are due for renewal (a lapsed domain can be re-registered by a third party). PZU experts also have constant access to information about new attacks on other organizations, as well as the latest malware and types of fraud used by cybercriminals.
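A minimal version of the lookalike-domain check such a service performs, as an added example written for this page rather than RIFFSEC’s or PZU’s code. The protected label "pzu", the own-domain allowlist, the keyword list and the feed of observed registrations are assumptions constructed for illustration; a production monitor would read newly registered domain and certificate-transparency feeds and use the public-suffix list when extracting the registrable label.

```python
"""Lookalike-domain detection for brand monitoring.

Added example, not code from RIFFSEC or PZU. It generates common typosquat
variants of a protected brand label (here "pzu"), then flags observed domain
registrations that hit a variant, embed the label, use a confusable non-ASCII
letter, or sit within edit distance 1 of the label. OBSERVED at the bottom
is a constructed sample, not real registration data.
"""
import unicodedata

BRAND = "pzu"                        # protected label (assumption)
OWN_DOMAINS = {"pzu.pl", "pzu.com"}  # registrations the brand itself holds (assumption)

# Small ASCII look-alike table; a production list would be far longer.
ASCII_CONFUSABLES = {"o": "0", "i": "1l", "l": "1i", "e": "3", "a": "4",
                     "s": "5", "u": "v", "z": "2"}
# Cyrillic letters that render like Latin ones, used in IDN homoglyph attacks.
CYRILLIC_TO_LATIN = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c",
                     "у": "y", "х": "x", "і": "i"}
# Words attackers glue onto a brand so a phishing domain looks legitimate.
KEYWORDS = ("login", "secure", "online", "moje", "pomoc", "ubezpieczenia")


def typosquat_variants(label):
    """Single-edit lookalikes of `label` (omission, repetition, confusable
    substitution, transposition, insertion) plus brand+keyword combinations."""
    out = set()
    n = len(label)
    for i in range(n):
        out.add(label[:i] + label[i + 1:])                     # omission:   "pu"
        out.add(label[:i] + label[i] * 2 + label[i + 1:])      # repetition: "pzzu"
        for sub in ASCII_CONFUSABLES.get(label[i], ""):
            out.add(label[:i] + sub + label[i + 1:])           # homoglyph:  "p2u"
    for i in range(n - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition: "puz"
    for i in range(n + 1):
        for ch in "abcdefghijklmnopqrstuvwxyz0123456789-":
            out.add(label[:i] + ch + label[i:])                # insertion:  "pz-u"
    for kw in KEYWORDS:
        out.update({label + kw, kw + label, f"{label}-{kw}", f"{kw}-{label}"})
    out.discard(label)
    # DNS labels may not start or end with a hyphen, so drop those insertions.
    return {v for v in out if not (v.startswith("-") or v.endswith("-"))}


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute), two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain):
    """Lower-case, decode punycode labels, and map confusable Cyrillic letters
    to Latin so that 'рzu.pl' (Cyrillic er) compares as 'pzu.pl'.
    Returns (decoded_domain, skeleton)."""
    d = domain.lower().strip(".")
    if any(lbl.startswith("xn--") for lbl in d.split(".")):
        try:
            d = d.encode("ascii").decode("idna")
        except UnicodeError:
            pass                                               # malformed IDN: keep as-is
    d = unicodedata.normalize("NFKC", d)
    return d, "".join(CYRILLIC_TO_LATIN.get(c, c) for c in d)


def registrable_label(domain):
    """Left-most label; a real monitor would use the public-suffix list here."""
    return domain.split(".")[0]


def classify(domain, brand=BRAND, variants=None):
    """Return a reason string if `domain` looks like an impersonation of
    `brand`, or None if it is benign or one of OWN_DOMAINS."""
    variants = typosquat_variants(brand) if variants is None else variants
    decoded, sk = normalize(domain)
    if decoded in OWN_DOMAINS:
        return None
    label = registrable_label(sk)
    if sk != decoded and label == brand:
        return "idn-homoglyph"            # рzu.pl
    if label == brand:
        return "brand-on-other-tld"       # pzu.co
    tokens = label.split("-")
    if label in variants or any(t in variants for t in tokens):
        return "typosquat-variant"        # p2u.pl, puz.pl, pzv-login.com
    if brand in label:
        return "brand-embedded"           # pzuonline24.shop
    if levenshtein(label, brand) <= 1:
        return "edit-distance-1"          # pxu.pl
    return None


def scan(observed, brand=BRAND):
    """Run classify() over a feed of newly registered domains; return the hits."""
    variants = typosquat_variants(brand)
    return [(d, classify(d, brand, variants)) for d in observed
            if classify(d, brand, variants)]


# Constructed sample feed (not real registrations).
OBSERVED = ["pzu.pl", "pzu.co", "p2u.pl", "puz.pl", "pzv-login.com",
            "pzuonline24.shop", "рzu.pl", "pxu.pl", "pizza.pl", "bank.pl"]

if __name__ == "__main__":
    for domain, reason in scan(OBSERVED):
        print(f"{domain:20s} {reason}")
```

Transposition ("puz") is edit distance 2 under plain Levenshtein, which is why the variants are generated explicitly rather than relying on the distance threshold alone; the hyphen-token check catches the common pattern of a mangled brand glued to a keyword ("pzv-login"). Hits from such a scan are what feeds a takedown or blocklist workflow.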
In addition, PZU conducted activities including thematic training for employees, both induction and refresher training, which addressed key issues in data protection, cybersecurity and crime prevention. PZU attached particular importance to raising employee awareness through educational campaigns and meetings with experts, which focused on the topics of information security and threats such as disinformation. In 2025, internal information materials were published on the intranet, and experts held regular online meetings. That year PZU joined as a partner in the Scamming Out! campaign organized by the editors of Puls Biznesu and Bankier.pl, which aimed to build public awareness of cybersecurity.
At Link4, internal informational materials were published on the intranet, and employees’ knowledge of cyber threats was assessed through periodic phishing tests.
The Cybersecurity Team at PZU Zdrowie conducted a training program for employees of the company and its subsidiaries, aimed at raising employee awareness of cyber threats. The training was practical and engaging, and its key elements included:
- presentation of real-life threat scenarios – participants learned about the most common attack methods, such as phishing, social engineering and account takeover attempts, along with discussing their effects in business and private environments;
- live demonstrations of hacking techniques – training sessions included demonstrations of actual methods used by cybercriminals, including password cracking, attacks on web applications and exploitation of vulnerabilities in systems. This allowed participants to see how easily an unwitting action can lead to compromised data;
- discussing security best practices – specific ways to secure accounts, devices and data were presented, along with procedures for responding to suspicious incidents at work and in private life;
- interactive exercises and discussions – participants had the opportunity to ask questions, analyze cases and participate in simulations that allowed them to practice proper responses in crisis situations.
The training program was designed not only to impart theoretical knowledge, but also to make employees aware of real risks and teach them practical ways to protect themselves from threats.
At TUW PZUW, informative newsletters were sent out to increase employees’ knowledge regarding information security and cyberattacks. TUW PZUW held a Cyber Day in 2025, which included training for employees on cyberattacks and information security. Throughout the day, employees and associates had the opportunity to talk to cybersecurity experts.
In 2025, BALTA incorporated issues related to cybersecurity into the onboarding process for new employees as part of a mandatory training program. Upon joining the company, each employee is required to acquaint themselves with the Information Processing Policy and Acceptable Use Policy and to pass a knowledge test in this area.
Within the PZU Group, the efforts of Pekao Group and Alior Group, which focus on protecting information systems and educating employees and clients, are also vital.
The Pekao Group, as part of the implementation of its Information and Communication Technology Security Strategy for 2025-2027, is taking steps to enhance client data security. Solutions are being introduced to support the secure use of banking services, including identity verification mechanisms and client communication security. One example is the development of functions that support employee and client identification in mobile applications, which significantly increases the security of telephone interactions with clients and minimizes the risk of clients losing funds due to fraud. Pekao Group also conducts education and communication activities in the area of cybersecurity, including awareness campaigns and training for clients and employees. In terms of raising awareness of cybersecurity, the cyberPEKAO educational program is being implemented, which promotes knowledge about cybersecurity through training, webinars and workshops for various social groups. The Bank organizes industry events, such as Cybersecurity Days at Bank branches and the cyberPEKAO Academy, a conference for clients and employees. Another important element is cooperation with the CyberDefence24 portal, which addresses cybersecurity issues, where a dedicated zone of the Bank is maintained. In addition, a comic book about cybersecurity for children was published in cooperation with the portal’s editorial team. A nationwide educational campaign, “cyberPEKAO – a sign that protects”, was also launched.
In 2025, Alior Group had tools in place to estimate cybersecurity risks, along with procedures to ensure early detection and proper management of threats. The company also developed IT incident response plans in a way that minimizes the impact of cyberattacks on critical/key services and prevents identity theft. All critical and key IT systems that process client data and are involved in the execution of financial transactions undergo in-depth security testing. Alior Group also conducts automated tests of vulnerability to cyberattacks. Their results provide comprehensive information on the state of the security of the IT environment and allow for systematic risk mitigation. In addition, a team of specialists conducts round-the-clock security monitoring of the banking infrastructure and the security of client transactions. All the bank’s employees regularly participate in mandatory IT security awareness training. Training courses ending with a knowledge test are also mandatory for anyone starting work in the organization. The bank is also committed to raising client awareness of IT security. Materials pertaining to threats are regularly published on the bank’s website, social media, in newsletters and a mobile app. Alior Group also launched a dedicated “Phishing-Stop” cybersecurity page.
The PZU Group invests in the development and modernization of its IT security systems. Regular audits and vulnerability tests allow the PZU Group to detect and eliminate threats early. Cybersecurity is continuously treated by the PZU Group as a key element of its strategy, encompassing both central structures and individual subsidiaries.
In 2025, PZU implemented the requirements of the DORA Regulation (Regulation (EU) 2022/2554 on digital operational resilience for the financial sector, applicable from 17 January 2025). It is an EU regulation that strengthens the operational resilience of financial institutions against digital threats and cyberattacks by introducing uniform ICT security standards across the European Union. PZU implemented the appropriate procedures and made e-learning training available to all employees.
Targets set for managing material cybersecurity-related impacts, risks and opportunities
The PZU Group is focused on providing the highest level of protection against digital threats. Metrics such as the number of cyberattacks carried out and blocked are not disclosed. The Group’s internal cybersecurity targets include:
- protection against advanced cyberattacks;
- securing the continuity of technology operations;
- regulatory compliance;
- strengthening the safety culture in the organization.