Cybersecurity and technology risks

Protecting What Matters: AXA promotes a security mindset of CARE, PROTECT, ALERT across its organization and continues to reinforce its internal governance to address ever-evolving cyber and technology risks.

Similar to other major corporations with global operations, the AXA Group’s exposure to cyber risk remains high, reflecting the broader challenges notably faced by the financial sector as digital transformation accelerates. In response, AXA continues to strengthen its security capabilities and governance to effectively manage and mitigate these evolving threats.

The increasing frequency and sophistication of ransomware and other disruptive forms of cyber-attacks recently directed at major financial institutions and other corporations have made clear the significance of these cyber risks and the operational, financial, and reputational damage that they can potentially inflict. This has led to an increased regulatory focus on risks of security breaches stemming from the growing reliance of the financial sector on information and communication technology.

The AXA Board of Directors monitors internal control and risk management processes, including cyber and technology risks

The AXA Board of Directors ensures that an effective risk management and internal control system is in place across the Group. In this context, it may conduct any reviews and verifications it deems appropriate. Given the heightened cyber and technological threat landscape over the past years, the Board of Directors has paid close attention to these matters, including risk management and control topics related to cyber and technological incidents, as well as risk reduction initiatives reported by the Group’s risk, control, compliance, and audit governance bodies.

Based on benchmarking conducted by Control Risks, AXA has ranked among the top 25% of the most secure companies in the financial sector over the past six years. With this in mind, AXA is placing a strong focus on building resilience capabilities and becoming better prepared to face the current threat landscape. To help AXA achieve its security ambitions, the AXA Board’s Audit Committee has set six strategic objectives towards the end of 2026:

  • Strengthening our foundations
  • Reinforcing digital trust
  • Being resilient by design
  • Protecting people first
  • Playing a leading role in society
  • Reshaping our operating model and governance

The AXA Board of Directors also receives dedicated training on risks related to ICT, including cybersecurity, and the Board’s Audit Committee is updated on the Group’s cyber risk profile and emerging risks on a quarterly basis.

Security is at the core of AXA

AXA manages security holistically through three core security pillars: Information Security, Physical Security and Operational Resilience. Security requirements are formalized through two types of documentation:

  • A Group Security Standard, representing the highest level of requirement at AXA
  • More than 25 Security Instructions issued to all entities detailing the security requirements per domain

Entity Chief Executive Officers are responsible for ensuring compliance in their entity with the Group Security Standards, notably by:

  • Appointing a Chief Security Officer (CSO) who is responsible for the whole security practice within that entity
  • Providing their CSO with adequate funding, covering both security activities and continuous investments to deliver against the Group security strategic objectives
  • Ensuring their entity complies with the Security Instructions and provides the Group with visibility on the effectiveness of their security activities and controls

The Security Instructions formalize operational and technical requirements to support the achievement of the objectives below (non-exhaustive list):

  • Integrity and protection of customers’ and business data
  • Monitoring of the threat landscape (internal and external)
  • Data leakage prevention and data encryption
  • Authentication, access control, and privileged user management
  • Patching, vulnerability management, incident response and rapid isolation
  • Third party and vendor security management
  • Resilience, business continuity and disaster recovery planning
  • Employee security awareness

Each employee has a role to play

All AXA employees play an essential role in ensuring that AXA, its customers, and its partners are adequately protected against growing cyber and technological risks. To support this, AXA has committed to providing annual security and data privacy training to all salaried employees. The training has been designed to help AXA employees to adopt secure behaviors and strengthen their ability to identify and react quickly to immediate threats and abnormal situations (such as phishing attempts, impersonation, social engineering, etc.). In 2024, as has been the case every year since 2019, 100% of eligible AXA employees who participated in the annual security and data privacy training successfully passed.

2025 also marks the 10th anniversary of Care, Protect, Alert, the internal campaign that Security teams use to promote positive security behaviors. The success of this campaign led to enhancements in the content and delivery of security and data privacy training, along with the addition of other behavioral topics such as responsible use of artificial intelligence, whistleblowing, ethics and anti-corruption.

A permanent and layered control environment, enabling better detection and remediation

AXA's commitment to security is demonstrated by a structured and multi-layered control environment, designed to manage and mitigate cyber and technological risks. At the core of this framework are the local security teams, Group security teams, and the Internal Audit function, each playing a pivotal role.

Local security teams manage and oversee the security environment within their entities, implementing protocols, monitoring threats, and responding swiftly to incidents. Group security teams work to facilitate compliance with AXA's Security Instructions across all entities by developing standardized policies, conducting assessments, and providing support to local teams.

Internal Audit performs independent, regular assessments of AXA's security posture to evaluate the effectiveness of controls, identify vulnerabilities, and provide objective insights. These reviews help prioritize actions and accelerate remediation efforts, reducing risk exposure. Recent assessments included areas such as Security Governance across the three pillars (Information Security, Physical Security and Operational Resilience), the security of AXA’s technologies (e.g., Cloud environments, administration tools, penetration testing management) and AXA’s capacity to react and respond to incidents (Security Operations Centre, Ransomware response, etc.).

By leveraging insights from these layers, AXA strives to address identified risks promptly and effectively, continuously refining its strategies to protect customers, partners, and stakeholders from growing cyber and technological threats. This multi-faceted approach fosters a culture of vigilance and proactive risk management across the organization.

24/7 monitoring of the IT ecosystem

AXA operates a Security Operations Center (SOC) 24/7 that monitors hundreds of billions of events each week. The SOC is dedicated to reacting swiftly to any threats or incidents to help safeguard AXA's operations. This team anticipates, detects, and reacts to security events and incidents, and works tirelessly to identify potential threats before they become critical issues, taking a proactive stance in the ever-evolving landscape of cyber threats. This is supported by the Computer Emergency Response Team (CERT), which leverages its ISO 27001 certified IT environment to efficiently address these threats.

Moreover, the SOC plays a crucial role in supporting efforts to protect the AXA brand from illegitimate use or scam attempts. This includes combating phishing websites, fake social media accounts, and impersonation attempts, all of which could harm AXA's reputation and customer trust.

AXA employees, as well as external sources, can reach out to the SOC at any moment if they discover a vulnerability, an incident, or any suspicious activities.

Our societal role

Furthermore, in alignment with our societal commitments as outlined under the third pillar of our Unlock the Future strategic plan announced on February 22, 2024, to make a positive impact, AXA actively supports initiatives that aim to raise awareness of cyber risks and implement new efforts to mitigate them. These include raising cyber awareness among youths (CyberVengers), contributing to the strengthening of the cybersecurity ecosystem (e.g., Campus Cyber in France) and supporting academic research to reduce the societal impact of cyber risk (e.g., AXA Research Fund on cyber resilience).
