When an insurer takes on big risks—whether it’s covering homes, cars, or health care—it often turns to reinsurers like Munich Re Group to help absorb the cost of catastrophic losses caused by disasters.
As one of the largest reinsurance companies in the world, Munich Re Group operates through three brands. Munich Re handles the reinsurance side of the business, ERGO sells direct insurance to businesses and individuals, and MEAG manages the investment assets of both Munich RE and ERGO. Together, they form a global powerhouse in risk management.
Over time, however, that global scale came with a challenge: the company’s cybersecurity services weren’t keeping pace with Munich’s size and complexity. The business units within each brand had their own IT and security departments, operating on their own networks. Many of these units had come through acquisitions, so they were set up differently from the start.
This patchwork structure made it difficult to manage security effectively across the organization. Security teams, though highly skilled, were dispersed around the globe and working in silos with different tools, processes, and maturity levels.
By 2023, the company realized its global cybersecurity posture needed an upgrade to fully protect Munich’s growing brands.
The solution came in the form of the Cybersecurity Incident Response Team Integration project, launched in April 2024. This initiative merged Munich Re Group’s separate incident response, threat intelligence, and threat hunting teams into a unified, 24/7 global operation.
One security team, one mission
The goal was clear for Munich’s IT and security organization: deliver industry-leading incident response, threat intelligence, and threat hunting across the business without ballooning costs.
“We needed to combine security teams so we could provide services jointly to all our brands,” says Markus Engelke, Head of Global CSIRT at Munich Re Group.
According to Engelke, the project’s main objectives were to:
Consolidate functions into one incident response team, one threat intelligence team, and one threat-hunting team serving all Munich brands around the clock.
Improve team capabilities by blending the strongest skills of each team into more mature, well-rounded functions.
Reduce redundancies in responsibilities, tools, and processes to cut costs.
To reach these goals, Munich deployed various tactics, including:
Combining best practices from cyber threat intelligence, threat hunting, and cybersecurity incident response teams to create new and improved services.
Establishing a consistent sharing model between teams and smoother integration with IT and business functions.
Moving to cloud-based security tools—such as SIEM, EDR, and CTI platforms—to allow access across environments.
Implementing a follow-the-sun coverage model for 24/7 operations without exhausting staff.
Hosting global working groups and daily handovers to encourage team solidarity.
Running lessons-learned sessions with open participation from detection, protection, and response teams.
Tapping into global labor markets to recruit people with niche skills.
Developing skills internally that had normally been outsourced.
Emphasizing quality-driven metrics over raw ticket volume.
The big challenge: Merging security teams across borders
The main obstacle in bringing security teams together was that many business units across brands were not being managed directly by Munich’s security organization. Without full visibility into those environments, the integrated team couldn’t get a complete picture of the risks or provide the protection those units needed.
To bridge that gap, Engelke and his team took several deliberate steps:
Roll out the necessary security tools for each team and train employees.
Create integration playbooks to speed up future onboarding.
Plan for full incorporation of all business units within two years, with the first wave of integrations already underway.
But technical separation posed another obstacle. Munich’s business units had been operating on separate networks and domains, which meant no direct system access between them.
The solution for this was twofold, according to Engelke. First, the team shifted to cloud-based tools that could be accessed from any environment; secondly, they implemented temporary cross-company accounts for short-term access until a unified network was in place.
Taken together, these were key steps that allowed security teams to start collaborating earlier than expected.
The impact: Efficiency gains with no layoffs
Perhaps the most notable achievement during the team integration was that no layoffs were required—a rare outcome in large reorganizations. Every employee from the security teams remained in place, with cost savings coming from consolidating tools and outsourced services.
And those savings will be substantial. By merging SOC operations, SIEM platforms, threat intelligence tools, threat hunting capabilities, and EDR systems, the company expects to save $4 million annually once fully implemented.
The benefits didn’t stop at cost cuts. The integration also improved overall team expertise.
“Before the project, one team excelled in digital forensics, another in threat intelligence, and another in proactive threat hunting,” says Engelke. “Now, the combined team functions at a high level in all three disciplines.”
From the start, IT leadership knew that culture would make or break the project. It was a top priority that all IT and security employees felt valued in their new global roles and had opportunities to share ideas and contribute to the success of the overall team.
“The integration is flourishing now with team members proactively collaborating and learning from each other,” says Engelke
For its cybersecurity team integration project, Munich Re earned a 2025 CSO Award. The award honors security projects that demonstrate outstanding thought leadership and business value.
Start where you can win fast, emphasize culture
For security leaders considering a similar consolidation, Munich Re Group offers the following tips:
Prioritize early wins: Full IT and security integration may take years, so start with functions that can merge quickly to build momentum.
Invest in cloud-based tools that allow cross-network collaboration early on.
Make culture central: Integration is as much about people as it is about systems.
Create documented playbooks so each new integration follows a proven process.
Celebrate successes along the way to keep teams motivated.
“Don’t wait for the perfect environment to start integrating,” says Engelke. “Begin with areas that have fewer prerequisites, like threat intelligence, and let that success carry you through the more complex steps.”
A blueprint for global security team integration
Munich’s Cybersecurity Incident Response Team Integration project is proof that large organizations can consolidate security operations without sacrificing employee morale or breaking the budget.
By merging security teams, tools, and expertise, Munich Re Group not only saved money but also built a more cohesive defense against cyber threats.
Inspired by Munich Re’s award-winning approach to cybersecurity? Join your peers at the CSO Conference & Awards to discover the strategies, tools, and insights that are shaping the future of security leadership. Register now.
No Responses