Security

The Bank has a security policy in place, which also relates to the principles of digital security. The policy was approved by the Management Board in 2015. The Bank has a Cybersecurity Department which deals with:

• ensuring the security of the Bank’s IT system,
• development of systems and monitoring of cybersecurity parameters and critical services,
• servicing cybersecurity events and incidents, including the events and incidents in the area of electronic banking.

The current level of infrastructure security is the responsibility of the department director, who also supervise the Security Operations Centre (SOC). The director of the Cybersecurity Department is responsible for implementing the cybersecurity policy and for controlling cybersecurity. The Vice-President of the Management Board responsible for IT supervises the performance of these functions. The President of the Management Board oversees the implementation of the policy. In order to improve the methods of counteracting crime at the Bank, the Cybersecurity Department prepares analyses and presents the Management Board and the Supervisory Board of the Bank with conclusions and recommendations concerning the implementation and/or modification of specific solutions.

The monitoring of and responding to incidents are performed by the specialist CERT unit of the Bank. In order to ensure IT security of the Bank’s services, incident response operates on a 24/7/365 basis.

In 2021, the Bank implemented the project CyberSecurity Operations Centre as part of which the processes of the Cybersecurity Department were streamlined and a strategy was drawn up for providing services to the Group companies. Moreover, as part of the project a SOAR class system was implemented, which allows the servicing of security incidents to be automated. The implemented changes translated into significant improvements in the handling of alerts and incidents, which allowed to shorten the response process and influenced the mitigation of threats (in some cases even 95% – phishing service). In 2022, the PKO BP CERT team notified and blocked, in cooperation with CERT Polska and CERT Orange, more than 2,700 fake pages. Frauds were directed mainly to the electronic services and customers of the Bank, but 25% of the cases concerned frauds of a different type, which shows the contribution of the PKO BP CERT team to the overall level of ICT security in the Polish cyberspace.

CERT PKO BP is a member of an international forum of cybersecurity incident responders FIRST and belongs to the task force of European response teams (TERENA TF-CSIRT) and the related Trusted Introducer organization. It is also a leading member of the Bank Cybersecurity Centre, operating under the patronage of the Polish Bank Association.

The Bank educates its employees regularly in ICT environment security and the security of information processed in that environment. In 2022, it provided employees with new e-learning trainings, thanks to which users gained knowledge about threats related to:

• using mobile devices,
• using personal IT equipment for professional purposes and using the Bank’s equipment for private purposes,
• publication of information concerning the Bank by employees in the Internet (especially in the social media),
• social engineering attacks.

The training also provides a package of mandatory trainings for each new employee. The Bank performs training in accordance with the agreed schedule of training and monitors their performance by employees on an ongoing basis as part of independent monitoring of control mechanisms.

The awareness-raising of employees also engages a program of simulated phishing attacks launched in October 2022. The messages are sent to all persons employed in the Bank and imitate the actual risks to which users are exposed on a daily basis.

In accordance with the Bank’s policy, the principles of cybersecurity must be complied with not only by the employees but also by third parties (contractors). The Bank sets security requirements for the providers of IT services with respect to the protection of the Bank’s information, access to the Bank’s buildings and rooms, and the protection of the Bank’s information systems.

In 2022, the Security Awareness training (simulation of a phishing attack) covered all employees of the Bank (over 20,000), and a dedicated training has been conducted for the Bank’s Management Board. The Bank also operates an internal unit (RedTeam), which simulates potential attacks in a controlled manner, in order to identify weaknesses before their use by criminals.

In 2022, information within the scope of ThreatIntelligence was widely analysed in the scope of activities carried out in cyberspace related to the conflict of Russia/Ukraine, with the simultaneous imposition of threats which may materialise at the Bank. Great emphasis was placed on removing vulnerabilities, which resulted in the lowest number of vulnerabilities in the Bank’s history.

The Bank identifies threats to cybersecurity on an ongoing basis. It monitors the sources of information, implements protection against potential threats and develops incident response plans. The Bank has a formalized process in place for verifying the security and sensitivity of new or modified systems and applications before the launch of their production. The said process is performed in two dimensions: in connection with the process of software implementation and modification at the Bank and in connection with the project process. Every new project which changes a key system from the perspective of the business processes is subject to an IT security audit.

An internal audit of the IT processes is performed at least once every 3 years. The selection of IT processes to be audited in a given year depends, among other things, on the following factors: the results of the internal audits preformed, changes in the ICT environment, risks associated with identified internal and external frauds, and changes in internal and external regulations affecting the Bank’s functioning and operating activities. Internal audits of IT processes are performed by the IT and Security Audit Team of the Bank in accordance with a predefined schedule. External cybersecurity audits are outsourced to the audit firms with which the Bank has signed framework agreements.

The most important threat to the security of customers identified by the Bank and PKO Towarzystwo Funduszy Inwestycyjnych S.A. is associated with potential criminal activities of third parties targeted at customers using electronic channels of access to banking and investment services.

Firstly, the Bank uses the latest ICT security solutions which guarantee secure access to funds held by customers. The Bank is constantly improving the quality of its IT systems security, in particular with regard to the applications used by the Bank’s customers. This concerns, among other things, combating actively phishing websites pretending to be the Bank’s websites, identifying criminals intentions and ability, taking into account tactics, techniques and procedures (standardization and structuring of information about threats within a single data model), tracking the development of malware attacking the Bank’s customers, developing mechanisms of detecting infected customers’ computers, as well as improving the rules and extending the scope of monitoring of electronic transactions.

Secondly, the Bank attaches a great deal of importance to informing and raising customers’ awareness of the safe use of electronic banking services and payment cards. This is because security in this respect depends to a large extent on the users’ actions. The Bank’s educational activities include, in particular:

• regular educational campaigns conducted on social media and other channels for contact with customers, e.g. the educational portal www.bankomania.pkobp.pl,
• videos with examples of real attacks published on YouTube,
• educational articles in electronic media and press,
• webinars and trainings with the most common attacks,
• responding to customers’ enquiries on an ongoing basis (e-mail, social media),
• ongoing communication of the Bank’s views on various issues and provision of educational materials on cybercrime and the principles of security to the media,
• responding to other signals regarding threats on an ongoing basis,
• provision of information on cybersecurity to customers through the Bank’s websites, the transactional service and by e-mail.

In 2022, the effectiveness of malware detection (especially mobile software) among the Bank’s customers reached close to 100%. In total, more than 40 thousand infections and/or anomalies were detected and reported to anti-fraud systems for iPKO mobile banking customers. In addition, proof of concept tests were carried out for the service mitigating attacks against customers through impersonation of Bank’s hotline and the project campaigns were started to further improve the security of customers using biometrics.

In 2022, the Bank was improving systems for incident, anomaly and advanced malware detection and a large number of actions relating to incident handling was automated. It ensured the technological validity of the solutions used for computer forensics purposes in accordance with the current requirements profile.

Representatives of the Bank also engage in the work of the Banking Cybersecurity Centre (BCC) operating at the Polish Bank Association. The purpose of BCC is to take comprehensive and long-term measures which are aimed at improving the safety of mobile and electronic banking and preparing tools (structures, procedures, information exchange mechanisms) enabling crisis management (e.g. in the event of a massive attack).

The Bank does not have an ISO 27001 certificate, however, its cybersecurity processes and regulations are developed on the basis of the requirements of this standard. The high organizational maturity in the area of handling cybersecurity incidents is particularly important in the light of the PFSA’s decision issued in 2018 on recognizing PKO Bank Polski S.A. as a key service operator as defined in the Act on the national cybersecurity system.

The Security Standards for the Bank’s Group address the following issues: personal data protection, business continuity management, ICT security, counteracting money laundering, security incident management, outsourcing principles and security reporting principles.

The Bank processes personal data in keeping with the requirements of the generally applicable laws, including the principle of legality and data transparency, the principle of purpose limitation, the principle of data minimization, and the principle of maintaining the accuracy, integrity, and confidentiality of processed data. In order to achieve these objectives, the Bank applies both procedural regulations and technological solutions. They are designed to observe the personal data processing principles defined in the GDPR.

The Bank appointed a Data Protection Officer (DPO). Their tasks comprise supervision over the correctness of personal data processing. Customers may contact the DPO by sending letters to the Bank’s address and/or by email: iod@pkobp.pl.

As required by the GDPR, the Bank has prepared Information on personal data processing and provides it to its customers. They are informed about the applicable principles of personal data processing, the purpose of its processing and their rights, including the right to access, rectify and erase data.

Moreover, a dedicated website of the Bank presents information on personal data processing, including information on the appointed DPO, on the manner of personal data processing, the legal basis for the processing, and the rights of the data subjects.

If data is processed on the basis of the consent of the data subject, the data subject is informed about the right to withdraw consent.

The Bank’s Customers also have access to complaint paths for expressing doubts concerning data security, as well as requesting the exercise of rights under the GDPR. Internal regulations concerning the management of personal data breaches have also been developed. The Bank has defined the principles for informing customers about a breach of their data security. Those principles are in compliance with the generally applicable laws.

Ongoing exchange of information and improvement of security on the basis of the best practices are the permanent features of the cooperation and the Agreements in place in the Bank’s Group. Any irregularities are addressed in compliance with the law, which includes informing the competent authorities about breaches, as required by the internal regulations and the law.

The Bank manages the risk of unauthorised access to information about customers in accordance with the “Security Policy of PKO Bank Polski S.A.”. The “Principles of security of protected information at PKO Bank Polski S.A.” regulate the issues of confidentiality of information and the maintenance of bank secrecy, as well as personal data security, including the liability of the Bank’s employees regarding personal data protection. Every employee is obliged to complete appropriate training in personal data protection in accordance with formal procedures. Such training courses are also organized regularly. Measures aimed at ensuring data security are taken with the participation of the Management Board. For this purpose, the best policies and system security solutions are implemented. Such solutions (in terms of both systems and policies) are constantly evaluated, audited and improved in accordance with the best market practices. The Security Department supervises the performance of duties associated with the protection of information at the Bank and prepares information on the state of security for the Bank’s Management Board and Supervisory Board in the form of semi-annual reports. The activities of the Security Department also include carrying out internal security inspections in the Bank’s organizational units, which also cover information security, and giving opinions on new solutions and projects implemented at the Bank in the area of the protection of information.

In accordance with these principles:

• access to protected information at the Bank is only given to employees within the scope of their corporate tasks and duties,
• before starting the processing of protected information, employees provide training in the security of protected information.
• if materials containing protected information are provided to external entities, a non-disclosure agreement is concluded by and between the parties, whereas in the case of entrusting the processing of personal data, an agreement is concluded on entrusting the processing of personal data. Such agreement includes, among other things, the obligations of the entities cooperating with the Bank to protect the entrusted data, use it exclusively for the purposes of performing the agreement and inform about any security breaches. The Bank defines the requirements concerning the protection of the processed data in accordance with the generally applicable laws. The Bank may also control the security of the processed data at the cooperating entities.

The Bank is obliged to maintain banking secrecy as defined in the “Banking Law”.

Any information constituting bank secrecy, including the personal data of the Bank’s customers, may only be made available in compliance with the obligations arising from the generally applicable laws. Enquiries from entities authorized to demand access to the information constituting bank secrecy (e.g. government institutions) are considered by the Bank in accordance with the law. The information subject to bank secrecy is provided only in the situations specified in the aforementioned Act, once the conditions giving the Bank the right to provide such information have been satisfied.

In the event of a violation of personal data protection, the Bank takes measures in accordance with the adopted Principles for security incident management at PKO Bank Polski SA and the GDPR. If a violation is identified, immediate action is taken to analyse it and to mitigate its adverse effects, if any. Any violations of personal data protection resulting in a risk to the personal rights and/or freedoms of natural persons are immediately reported to the President of the Personal Data Protection Office (UODO). Moreover, if a violation of personal data protection could result in a high level of risk to the personal rights and/or freedoms of natural persons, the data subject is immediately notified of such violation.

Each of the other entities of the Bank’s Group, which processes personal data, has separate internal regulations and performs obligations related to the protection of personal data as a separate administrator. The companies have implemented the Security Standards, including standards relating to personal data protection, which form part of the “Security Standard Guidelines for the PKO Bank Polski S.A. Group”. They are in line with the generally applicable regulations and the standards applied at the Bank and, to the necessary extent, they contain specific regulations which are adequate to the specific nature of the particular entity’s business.