As the global IT outage earlier this year reminded us, we are becoming ever more dependent on the smooth running of online systems to keep our world turning. From Aegon’s perspective, this means that providing clients with market-leading digital experiences, while ensuring the integrity of our IT systems, is core to our ambition to create leading businesses in investment, protection, and retirement solutions. Here Steve Jensen, Aegon’s Global Chief Information Security Officer, outlines some of the approaches his team are taking to ensure our systems run smoothly and to protect our businesses – and their clients – from online threats.
“Having a solid security environment and a great digital experience are two sides of the same coin. I don’t differentiate between the two,” says Steve.
“Clients expect us to provide them with solid security in a nonintrusive way. That means, while clients might not be aware of it, we’re always doing a lot in the background to keep systems running efficiently and their data safe.”
Global remit
This can be a challenging task given the fact that Aegon’s various businesses are spread around the globe. Aegon has its largest business in the US, two established businesses in the UK and Spain, a global asset manager, and various partnerships around the world. All these companies are pushing hard to grow in their respective markets, and to do that they need to provide outstanding online experiences to a growing number of clients. To ensure consistent levels of performance and data security, Steve’s team takes a global approach.
“This allows us to measure security across the various business units in the same way. We have a comprehensive set of metrics that measure our performance. These include topics that cover all aspects of security controls, such as vulnerabilities at various levels: workstations, servers, infrastructure, and application layers etc. This approach provides us with an overall global score, and we can also break that down by business unit,” says Steve.
Then there is a regulatory angle, as each jurisdiction in which Aegon operates has its own rules on data and cyber security. For instance, Europe has GDPR and DORA, which both have their own scope, whereas each state in the US can have different requirements. “We work hard to comply with the letter and spirit of these rules. At the end of the day, both we and the regulators want the same thing: to protect our customers and their data,” he explained.
Similar threats, different rationale
In terms of the types of emerging cyber threat trends our businesses face, Steve says two have increased in popularity amongst bad actors: cyber extortion and denial of service.
“An extortion threat is where a bad actor, such as a hacker, has managed to access a company’s systems and compromises them with the aim of extracting a ransom payment. One way, referred to as ransomware, is to hack into a system, and then shut it off from the company, so that the hacker can then demand payment for the company to regain access. Another way is a denial-of-service threat, where the bad actor floods a company’s servers with so many requests that the system can’t cope. Then, again, they demand payment to stop the attack. The industry is seeing a big uptick in these types of attacks,” he says.
“Interestingly, these types of threats are not so different from those we faced around ten years ago. However, the profile and aims of the bad actors who target us have shifted from being, for example, a teenage hacker who wants bragging rights due to inconveniencing a major financial organization to highly sophisticated – and sometimes even state-backed – hackers seeking to extort large amounts of cash.”
AI and other emerging threats
While Steve’s team has observed this uptick in more traditional extortion threats, new threats are always emerging.
“Bad actors are constantly becoming more sophisticated. This includes their ability to use artificial intelligence to create incredibly sophisticated deep fakes, for example, which they can use to trick people into handing over sensitive data. Bad actors are also getting a lot better at hiding their identity and location, so that it is more difficult to catch them. The use of cryptocurrencies, especially Bitcoin, plays into this, because it is much harder to trace.”
What is Aegon doing?
“An important first step is to ensure that all our employees – and our customers – are vigilant and avoid doing things that can allow bad actors to gain access to our systems. For example, we conduct lots of training with staff to avoid clicking links in nefarious emails. We call this the human firewall,” says Steve.
“Looking ahead, my team and I put together a comprehensive strategy. This is driven by several factors. First, we look at the strategy of our business units. For example, Transamerica and Aegon UK have announced their plans to accelerate their growth to become market leaders, so we look at what they need to do to achieve that, what our role will be in supporting those efforts from an information security perspective, and how we can deliver that effectively. Of course, things can change rapidly, so we hold regular reviews to ensure our plan matches the company’s strategy, and constantly adjust to new threats. This involves working closely with the local tech teams at our business units. We have a great relationship with each of them, and this is really important to enable everybody to play their role in protecting the businesses.
“Then, we monitor the threat landscape. We belong to a whole slew of different threat intelligence and threat monitoring groups and capabilities. For example, we are part of the FS-ISAC, a large information sharing consortium of financial institutions. This group is constantly identifying the different threats that financial institutions are observing, and then it works together to develop approaches to address the threats as quickly as possible. And, if a company is experiencing an attack in real time, they can inform the rest of us about what they are seeing, who are the bad actors, and what are the appropriate defenses needed, for example.”
Not just hackers
Another key element of the strategic plan is the changes taking place in technology, in particular in areas such as supply chain management and artificial intelligence.
“We spend a lot of time working to understand our relationships with our suppliers and partners to understand what it means for us if they fall victim to an attack or some other type of problem. This due diligence allows us to develop strong third-party risk management and business continuity capabilities.”
Working together with an eye to the future
Given the constantly evolving threats that Steve and his team need to protect Aegon against, it is really important to have good relationships with a wide range of stakeholders.
Steve said: “Since the day I walked through the door at Aegon, I have felt broad-based support from our group CEO, Lard Friese, and the senior leadership team, and throughout the rest of the organization. I have really good relationships with each of the CTOs in each of the business units, and we are always working together to find the most efficient way to attack this issue. As threats continue to evolve, our ability to work together – whether that be with colleagues, clients, industry peers or suppliers and partners – will only continue to grow in importance.”