C _ Group Management Report Cybersecurity As part of our Privacy Risk Management, we consider the identification and management of privacy risks as an integral part of This section describes the impact of cybersecurity on our business our operational processes. Privacy risks are also included in our activities and relationships as well as the impact of the Allianz Group´s Integrated Risk and Control System (IRCS). For so-called high- activities and relationships with regard to IT topics as a whole. In exposure processes that use personal data, we carry out Privacy addition, we describe the concepts and achievements related to the Impact Assessments (PIAs) to allow early identification of high-risk management of these impacts with a focus on information security, areas and ensure they are appropriately managed over the project data privacy and data ethics. lifecycle. Privacy champions have been appointed across Allianz Group companies and are now dedicating a portion of their time to Information security deal with privacy related topics. In 2021, we developed a global Information security is assessed and tracked as one of the top risks privacy risk and controls “blueprint” to support local compliance faced by Allianz, and is closely managed along eight key risk indicators efforts with the APS across the entire Allianz Group. The blueprint across the Allianz Group. Performance against these indicators is provides a tool for identifying data privacy risks in local business reported quarterly to the Board of Management and Supervisory processes and addressing those risks by mapping them to standard Board. controls. The Allianz Information Security governance framework is robust We monitor privacy governance activities and processes across and comprises multiple layers of corporate rules and processes. An our operating entities through a robust process, which includes site overall policy establishes core principles, roles and responsibilities as visits, reviews of program documents, interviews and expert challenge well as the organizational framework for information security within calls. During the pandemic, site visits were replaced with virtual the Allianz Group. Measures to prevent cyber incidents are prioritized meetings without any loss in efficacy. along the threat landscape. They are implemented at a global level For more information on our commitment to data privacy, please and supplemented locally where required, together with the local see section 03.2.1 of our Group Sustainability Report 2021 Information Security Officers (ISOs) that exist in all Allianz operating www.allianz.com/sustainability. entities. Specific measures to improve security controls are continuously evaluated and developed with priorities assigned on a Data ethics global, regulatory and risk-based basis. Allianz values data as a key asset and strives to position itself as a Measures focus on five key risk areas: reducing the likelihood of leading player in leveraging data in the most compliant and ethical incidents; increasing detection likelihood; reducing damage from way, both as an insurer and an investor. We set up the Allianz Data incidents; streamlining compliance; and training/educating the Ethics Project in response to the increasing regulatory initiatives and organization to further improve security awareness. All employees are public debate on data ethics and AI worldwide, to strengthen the required to participate in at least quarterly cyber-awareness training. internal governance framework for AI, and to position Allianz in the Allianz also participates in governmental, industry and regulatory field. global/regional initiatives to support the security of the overall digital In 2021, we established a Data Advisory Board (DAB) which ecosystem. covers data ethics and selected data-related topics on a more permanent basis. The DAB consists of representatives from operating Data privacy entities and functions, including Data Analytics, Data Architecture, Protecting our customers’ data and maintaining trust in our processes Privacy and Regulatory Affairs. Its objectives include elevating data are top priorities. Our customers, employees and other stakeholders ethics-related topics in governance and decision-making processes, expect us to treat their data with the utmost care and we take this and positioning Allianz as a leading insurer and investor in the Ethical responsibility extremely seriously. We are committed to protecting and Effective usage of Data and Artificial Intelligence/Analytics. customer privacy and we cooperate closely with other stakeholders In addition, newly developed Allianz Practical Guidance for AI involved in the update and modernization of European privacy was rolled out in various operating entities, accompanied by a legislation, including industry associations, members of parliament dedicated communication and training program for relevant and authorities. Our group-wide privacy program ensures compliance employees. with all relevant data privacy laws and regulations. All data privacy Privacy & Ethics Impact Assessments were introduced to identify matters are overseen by Group Data Privacy. and address AI-specific risks. They were updated in 2021 and have The Allianz Privacy Framework (APS) is our global standard for been applied since 2022. With these measures, data scientists, data privacy. It defines rules and principles for collecting and business and control functions dealing with AI solutions are supported processing personal data, and includes a global standard for data to embed “Ethics by Design” in our organization, and oversee privacy, a privacy impact assessment and risk management process, challenges and risks in the area of AI. integration with information security standards and practices, and dedicated training programs for employees. Digital privacy guidelines provide guidance on privacy-related topics that affect digital projects, both for privacy by design as part of new-product and service design processes, and for privacy by default - this means that wherever individuals are given choices on the use and sharing of their personal data, default settings restrict the disclosure. 66 Annual Report 2021 − Allianz Group