Information policy and information security

TM information policy

1. Information policy goal

The goal of TM's information policy is to ensure stakeholders' equal access to correct and reliable information about TM. This will allow the company to increase their knowledge of the company's activities and, as appropriate, that of others.

2. Stakeholders

The main stakeholders as regards the execution of TM's information policy are:

  • Shareholders
  • Investors
  • Analytical companies
  • Rating companies
  • NASDAQ OMX in Iceland Stock Exchange
  • The media

3. Procedure for information dissemination

TM complies with all the laws and regulations that apply to the duty to provide information of companies listed on the Main List of NASDAQ OMX Iceland.

a. Announcements

Announcements of the company's statements, the results of rating companies or other information considered to have a significant impact on the operation, results and finances of the company are distributed through the news service of NASDAQ OMX in Iceland. Once the news items have been published on the news service, they are then published on the website of TM (www.tm.is).

b. Presentations

TM holds presentation meetings for stakeholders once the interim statements have been published. The plans of the company are also covered during interim statement presentation meetings.

c. Quiet period

One month prior to the end of each statement period and until the statements have been published, TM does not provide any information on issues that could have an impact on its operations, results and finances.

d. Projections

In conjunction with the publication of the annual statements, the company publishes projections for the current operating year. The projections are updated in the event of the likelihood of significant deviations from the previously published projections.

e. Communications

TM aims to maintain good relations with stakeholders. To this end, the company endeavours to provide them with assistance as regards information on the company within the framework permitted by laws and regulations.

f. Spokesperson

The President and CEO of TM is the spokesperson of the company. He may grant other employees of TM temporary authorisation to express themselves about defined aspects of the operation.

The President and CEO of the company is Sigurður Viðarsson.
E-mail: sigurdur@tm.is
Tel.: 515-2609/898-6276

The information policy of TM is approved by the Board of Directors of the company and is to be reviewed at least once a year. 

Reykjavík, 9 March 2015
The Board of Directors of Tryggingamiðstöðin hf.


Information security management system

Tryggingamiðstöðin has had a certified information security management system since 2006, in accordance with the ISO 27001 – Information security management systems standard. The purpose of information security management systems is to manage the manner in which companies and public bodies establish organised procedures as regards the treatment of important information.

TM's goal with the adoption of the information security management system is to ensure the responsible treatment of the information entrusted to the company by its customers and to protect such information, together with information relating to the operation of the company, from external parties.


TM Information Security Policy

The object of the Tryggingamiðstöðin (TM) information security policy is to ensure the security of the company's information assets as efficiently as possible so that such information is of the greatest advantage in the operation of the company.

TM's goals as regards the security policy are: 

  • That the information is correct and accessible to those who are authorised to access such information. That information secrecy and confidentiality is maintained.
  • That confidential information is inaccessible to unauthorised persons and protected against damage, destruction or disclosure to parties that do not have right of access.
  • That operating disruptions of the main systems are kept to a minimum and are, for the most part, due to preventative maintenance tasks.
  • That the information transmitted between parties is delivered to the right recipient undamaged, at the right time, and that it is not transmitted to other parties.
  • That risks owing to the processing (treatment) and preservation of information are within defined risk limits.
  • That there are reliable and secure back-up copies of all data and software systems available at all times.
  • That operations comply with all applicable legislation and rules.
  • That all agreements to which the company is a party are complied with.
  • That business continuity and response plans are prepared, and that these are maintained and tested.
  • That any deviations, violations or suspicions of weakness in information security are reported and investigated. 

Account was taken of the ISO/IEC 27001 standard in the formulation of the TM information security policy.

 

Tryggingamiðstöðin hf. adheres to the following information security policy:

  1. TM makes every effort to ensure the maximum security of information, that confidentiality is maintained, that its correctness is ensured and that the information is available when needed to those who have access rights.
  2. TM complies with laws and regulations and the rules of procedure defined for the management of information security.
  3. The company's policies in information security issues are binding for all employees and agents and cover all companies, public bodies and the employees of those who provide services to TM.
  4. All employees, agents and service providers are obliged to protect data and information systems from unauthorised access, use, amendments, disclosure, destruction, loss or transfer and are under obligation to notify of any security deviations and weaknesses that relate to information security.
  5. All TM employees and agents receive training and education in information security issues as well as education on their responsibilities with respect to information security. TM strives to promote security awareness among its service providers, customers and guests.
  6. TM ensures that all aspects of this policy are implemented by means of the appropriate measures.
  7. TM undertakes regular risk assessments in order to determine whether further measures are necessary and ensures that regular improvements are made to information security.
  8. The Information Security Manager issues a report each year on the manner in which this policy is upheld.
  9. Past and present employees, agents and service providers may not disclose information on the internal affairs of TM, its customers or other employees.
  10. TM reviews the policy as necessary, at least once every two years.
  11. TM will follow ISO/IEC 27001 – Information security management systems, which is the basis for organisational and maintenance measures designed to protect the privacy, accuracy and availability of data and information systems.

Scope

The information security policy and its attendant criteria apply to the employees, workstations and IT equipment used by TM in its daily operations. The policy also applies to the subsidiaries of TM: Líftryggingamiðstöðin hf., Tryggingar hf., Íslenskar Endurtryggingar and TM fé.

Reykjavík, 24 November 2017

Tryggingamiðstöðin hf.

Sigurður Viðarsson
CEO

Treatment of personal information

Tryggingamiðstöðin complies with Act No. 77/2000 on the Protection of Personal Privacy and Processing of Personal Data.

TM focuses on maintaining customer confidentiality. Data containing personal information is not disclosed to a third party except with the clear and unequivocal permission of the person to whom the information relates, or if the third party has authorisation based on the provisions of law or on the receipt of a court ruling. The information that the company collects is only used to assess compensation claims or insurance requests.

TM rules on e-mails from the company

Information contained in e-mails sent from the e-mail accounts of TM is confidential information and may be subject to the provisions on confidentiality. Such information is only intended for registered recipients. Access to information contained in e-mails from TM by anyone else is unauthorised. If you are not the intended recipient, you may not disclose the content of the e-mail, copy it or distribute it, and you may not take any action or refrain from taking any action on the basis of the e-mail, as such conduct may be unlawful.

Disclaimer:

Information in e-mails from TM is confidential and may be legally privileged. It is intended solely for the addressee. Access to e-mail from TM by anyone else is unauthorised. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful.