Governance

Data protection and security

Protecting the information our clients and colleagues entrust to us is one of Sedgwick’s most critical responsibilities.

We have global policies and programs to ensure this protection and to proactively identify and secure against threats.

Global information security program

Our global information security program was designed to ensure that our systems are protected, and that we can quickly respond to evolving threats. It was established in accordance with, and certified to, the requirements of ISO 27001:2013 and applies to anyone who accesses information using Sedgwick’s systems.

A global chief information security officer is responsible for our information security program and provides regular program updates to our data protection forums and various other stakeholders.

Standards, procedures and policies

Our global information security program consists of standards, procedures and more than 20 policies, including:

  • Access control policy.
  • Asset management policy.
  • Information classification policy.
  • Communications security policy (including information transfer).
  • Compliance policy (including records management).
  • Cryptography policy.
  • Information security aspects of business continuity management policy.
  • Mobile device and teleworking policy.
  • IT change management policy.
  • Physical security policy.
  • Supplier relationship policy.
  • System acquisition, development and maintenance policy.

Measuring effectiveness

We measure the effectiveness of our security program through monthly reports and regular information security forum meetings comprising leaders from across the organization. Our global CISO, together with our global chief information officer, also shares regular updates with our board of directors and various other leadership committees.

Multifactor authentication

One key component of our information security program is limiting access to sensitive systems and data. We require multifactor authentication for access to any internet-facing network or application that holds confidential data.

Incident management

Our 24/7 Sedgwick-owned security operations center provides security incident detection, analysis, containment and mitigation. All systems and controls are designed to meet ISO 27001 standards and are assessed annually by an independent third party. Part of our strategy includes the use of artificial intelligence to monitor, classify, visualize and terminate cyberthreats. We also engage with other businesses and monitor industry-standard information channels to stay apprised of newly identified system vulnerabilities. If there ever is an incident, we have the support of our in-house multidisciplinary incident response team, which includes forensic specialists.

Vendor security

As part of our information security program, a dedicated team evaluates every third-party vendor based on the type of data the vendor accesses and the resulting risk. The evaluation confirms that the vendor has appropriate technical and organizational measures in place to protect the personal data it processes on behalf of Sedgwick.