Security of customers and their funds

Customer security while using the products

GRI: 2-23

One of the Bank’s priorities is to set the highest security standards. Customer security in the process of using the products of the Bank and the Bank’s Group primarily covers the security of Customers’ funds and the physical security of Customers at the Bank’s facilities. Security is governed by the Bank’s internal regulations, including the Security Policy at PKO Bank Polski S.A. and, in detail, the regulations covering specific areas of security:

  • protection of people and property
  • IT System security
  • managing security incidents
  • security of protected information

The activities of the Bank and other entities of the Bank’s Group related to the security of customers’ funds cover both the funds entrusted to the Bank and the funds invested using the products offered. The initiatives aimed at a stable and secure infrastructure made it possible to achieve very high reliability indicators for the operation of the IT infrastructure.

Security of the invested funds: The Bank makes every effort to ensure that its products do not generate the risk of the loss of funds by the customers. This is particularly important in the case of investment products. Therefore, as part of the obligations imposed by the MiFID, the Bank informs its customers before conducting a transaction on whether a given product is suitable for them.

Security of entrusted deposits: The main mechanism which guarantees the security of customers’ funds is the stability of the Bank’s financial result and the results of the other entities of the Bank’s Group. An additional mechanism is the Bank’s participation in the obligatory deposit guarantee system operating under the Act on the Bank Guarantee Fund, the deposit guarantees system and special resolution.

The security of customers’ funds is also guaranteed by the cybersecurity procedures.

The Bank and the other entities of the Bank’s Group ensure the highest quality of direct customer service in their locations, among other things, thanks to the security standards implemented at the Bank, which meet the requirements of legal regulations and norms. State-of-the-art systems, equipment and technical and organizational solutions adequate to the identified threats and risks are used in all facilities. They ensure the physical security of customers, employees, cash and deposits, as well as the security of protected information, including bank secrecy and personal data.

Protection covers all locations and self-service equipment made available to the customers and has the form of:

  • physical safeguards (construction, mechanical and electronic, including burglary and robbery signalling systems, surveillance TV and access control),
  • continuous direct physical protection of selected facilities of the Bank,
  • monitoring of alarm signals by certified security firms and the arrival of the so-called intervention groups after receiving alarm signals.

Moreover, the employees of all branches and agencies of the Bank undergo security training in the form of e-learning and training delivered directly in the branches, with drills in “Counteracting robberies and dealing with security threats”. This training prepares Bank and agency employees to deal with various situations that threaten the safety of the Bank’s employees and customers.

Cybersecurity

The Bank has a security policy in place, which also relates to the principles of digital security. The policy was approved by the Management Board in 2015. The Bank has a Cybersecurity Department which deals with:

  • ensuring the security of the Bank’s IT system,
  • development of systems and monitoring of cybersecurity parameters and critical services,
  • servicing cybersecurity events and incidents, including the events and incidents in the area of electronic banking.

The current level of infrastructure security is the responsibility of the department director, who also supervises the Security Operations Centre (SOC). The director of the Cybersecurity Department is responsible for implementing the cybersecurity policy and for controlling cybersecurity. The Vice-President of the Management Board responsible for the Technology Area supervises the performance of these functions. The President of the Management Board oversees the implementation of the policy. In order to improve the methods of counteracting crime at the Bank, the Cybersecurity Department prepares analyses and presents the Management Board and the Supervisory Board of the Bank with conclusions and recommendations concerning the implementation and/or modification of specific solutions.

Incident monitoring and response are performed by the Bank’s specialist CERT unit. In order to ensure the IT security of the Bank’s services, incident response operates on a 24/7/365 basis.

Since 2021, a CyberSecurity Operations Centre has been in operation at the Bank, which also covers monitoring and incident response for the Bank’s Group companies. The 24/7 SOC operates on the basis of a SOAR-class system allowing the automation of monitoring, response and security incident handling. In 2023, the PKO BP CERT team, in cooperation with CSIRT PFSA, CERT Polska and CERT Orange, reported and blocked more than 1,930 fake pages. The frauds mainly targeted electronic services and customers of the Bank, but 20% of the cases concerned frauds of a different type, which shows the contribution of the PKO BP CERT team to the overall level of ICT security in Polish cyberspace. The Bank uses advanced protection mechanisms against DDoS attacks, which allow CERT PKO BP to quickly and efficiently respond to and remove the effects of volumetric attacks targeting e-banking services.

CERT PKO BP is a member of an international forum of cybersecurity incident responders FIRST and belongs to the task force of European response teams (TERENA TF-CSIRT) and the related Trusted Introducer organization. It is also a leading member of the Banking Cybersecurity Centre, operating under the patronage of the Polish Bank Association.

The Bank regularly educates its employees in the security of the ICT environment and of the information processed in that environment. It provides employees with e-learning courses on cybersecurity (10 modules) to help users gain knowledge of potential threats. This training is mandatory for new employees. The Bank delivers training in accordance with the agreed training schedule and monitors its completion by employees on an ongoing basis as part of the independent monitoring of control mechanisms.

In accordance with the Bank’s policy, the principles of cybersecurity must be complied with also by third parties (contractors). The Bank sets security requirements for the providers of IT services with respect to the protection of the Bank’s information, access to the Bank’s buildings and rooms, and the protection of the Bank’s information systems.

Employee awareness-raising also includes a program of simulated phishing attacks. The messages are sent to all persons employed at the Bank and imitate the actual risks to which users are exposed on a daily basis. Since 2022, Security Awareness training has been carried out periodically and extended to all employees and the Bank’s Management Board.

The Bank operates an internal unit (RedTeam), which simulates potential attacks in a controlled manner in order to identify weaknesses before criminals can exploit them. Attack simulation activities have been automated through, among other things, the implementation of a BAS (Breach and Attack Simulation) tool. In 2023, the Purple Team unit became active, with the development of a dedicated platform on which the offensive and defensive teams work together.

In response to trends related to attacks on corporate environments, in terms of the technologies currently implemented in the Bank at various levels, particular attention was paid to security of:

  • the use of open source software in application release processes (CI/CD),
  • implementation of tools based on generative artificial intelligence (genAI) to support business processes (e.g. customer communication, holistic analytics),
  • tools based on Blockchain technology and cloud environments.

In 2023, threat intelligence on activities carried out in cyberspace in connection with the Russia/Ukraine conflict was analysed extensively, with simultaneous consideration of the threats which may materialise at the Bank. At the same time, in view of the constantly high threat posed by fake investments and phishing attacks, a system to identify trends in attacks on customers based on customer reports was implemented. The system is designed to monitor changes in the scenarios of attacks on customers.

The Bank responds to cybersecurity threats on an ongoing basis. It monitors information sources, creates potential threat scenarios, analyses risks, implements safeguards and responds to incidents in a structured manner. The Bank has a formalized process in place for verifying the security and sensitivity of new or modified systems and applications before they are launched into production. Every project change that involves a system critical to business processes is analysed and undergoes an IT security audit.

An internal audit of the IT processes is performed at least once every 3 years. The selection of IT processes to be audited in a given year depends, among other things, on the following factors: the results of the internal audits performed, changes in the ICT environment, risks associated with identified internal and external frauds, and changes in internal and external regulations affecting the Bank’s functioning and operating activities. Internal audits of IT processes are performed by the IT and Security Audit Team of the Bank in accordance with a predefined schedule. External cybersecurity audits are outsourced to the audit firms with which the Bank has signed framework agreements.

The most important threat to the security of customers identified by the Bank and PKO Towarzystwo Funduszy Inwestycyjnych S.A. is associated with potential criminal activities of third parties targeted at customers using electronic channels of access to banking and investment services.

Firstly, the Bank uses the latest ICT security solutions, which guarantee secure access to the funds held by customers. The Bank is constantly improving the security of its IT systems, in particular with regard to the applications used by the Bank’s customers. This concerns, among other things, actively combating phishing websites impersonating the Bank’s websites, identifying criminals’ intentions and capabilities with reference to their tactics, techniques and procedures (standardization and structuring of threat information within a single data model), tracking the development of malware attacking the Bank’s customers, developing mechanisms for detecting infected customer computers, and improving the rules and extending the scope of electronic transaction monitoring.

Secondly, the Bank attaches a great deal of importance to informing and raising customers’ awareness of the safe use of electronic banking services and payment cards. This is because security in this respect depends to a large extent on the users’ actions. The Bank’s educational activities include, in particular:

  • regular educational campaigns conducted on social media and other channels for contact with customers, e.g. the educational portal www.bankomania.pkobp.pl,
  • videos with examples of real attacks published on YouTube,
  • educational articles in electronic media and press,
  • webinars and training sessions on the most common attacks,
  • responding to customers’ enquiries on an ongoing basis (e-mail, social media),
  • onsite meetings for customers and banking stakeholders on the most common scams (aimed at seniors, entrepreneurs and students),
  • ongoing communication of the Bank’s views on various issues and provision of educational materials on cybercrime and the principles of security to the media,
  • ongoing campaigns and awareness-raising through external information channels (cooperation with radio is currently underway through participation in programmes on cybersecurity),
  • responding to other signals regarding threats on an ongoing basis,
  • provision of information on cybersecurity to customers through the Bank’s websites, the transactional platform and by e-mail.

In 2023, mechanisms were implemented to detect and prevent vishing attacks, which consist of attempts to impersonate the Bank’s call centre and thereby persuade the Bank’s customers to execute fraud scenarios.

In 2023, the Bank improved its systems for incident, anomaly and advanced malware detection, and a large number of incident handling actions were automated. The technology stack used for computer forensics was replaced, ensuring that the forensic solutions in use remain technologically current and in line with the current requirements profile.

Representatives of the Bank also engage in the work of the Banking Cybersecurity Centre (BCC) operating at the Polish Bank Association. The purpose of BCC is to take comprehensive and long-term measures which are aimed at improving the safety of mobile and electronic banking and preparing tools (structures, procedures, information exchange mechanisms) enabling crisis management (e.g. in the event of a massive attack).

The Bank does not have an ISO 27001 certificate, however, its cybersecurity processes and regulations are developed on the basis of the requirements of this standard. The high organizational maturity in the area of handling cybersecurity incidents is particularly important in the light of the PFSA’s decision issued in 2018 on recognizing PKO Bank Polski S.A. as a key service operator as defined in the Act on the national cybersecurity system.

Privacy risk

PKO Bank Polski S.A. follows the generally applicable regulations, including:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR),
  • the Personal Data Protection Act of 10 May 2018,

and its own internal regulations on the security of protected information taking into account personal data protection issues.

These internal regulations apply to the principles of personal data processing at the Bank, in particular the method of processing it and the technical and organizational measures ensuring the security of the process.

The Bank’s internal regulations with regard to security concern in particular:

  • security of protected information,
  • IT system security,
  • protection of people and property,
  • management of security incidents where, among others, the method of management of personal data protection violations has been defined,
  • conducting investigations.

Privacy and data security

The Security Standards for the Bank’s Group address the following issues: security of protected information including personal data protection, business continuity management, ICT security, counteracting money laundering, security incident management, outsourcing principles and security reporting principles.

The Bank processes personal data in keeping with the requirements of the generally applicable laws, including the principle of legality and data transparency, the principle of purpose limitation, the principle of data minimization, and the principle of maintaining the accuracy, integrity, and confidentiality of processed data. In order to achieve these objectives, the Bank applies both procedural regulations and technological solutions. They are designed to observe the personal data processing principles defined in the GDPR.

The Bank appointed a Data Protection Officer (DPO). Their tasks comprise supervision over the correctness of personal data processing. Customers may contact the DPO by sending letters to the Bank’s address and/or by email: iod@pkobp.pl.

As required by the GDPR, the Bank has prepared Information on personal data processing and provides it to its customers. They are informed about the applicable principles of personal data processing, the purpose of its processing and their rights, including the right to access, rectify and erase data.

Moreover, a dedicated website of the Bank https://www.pkobp.pl/pkobppl-en/gdpr/ presents information on personal data processing, including information on the appointed DPO, on the manner of personal data processing, the legal basis for the processing, and the rights of the data subjects.

If data is processed on the basis of the consent of the data subject, the data subject is informed about the right to withdraw consent.

The Bank’s Customers also have access to complaint paths for expressing doubts concerning data security, as well as for requesting the exercise of their rights under the GDPR. Internal regulations concerning the management of personal data breaches have also been developed. The Bank has defined the principles for informing customers about a breach of their data security. Those principles comply with the generally applicable laws. This also applies to the notification of the competent authorities of breaches, which likewise follows from internal regulations and legal provisions.

Ongoing exchange of information and improvement of security on the basis of the best practices are the permanent features of the cooperation and the Agreements in place in the Bank’s Group.

Management of the risk of unauthorized access to customer information

The Bank manages the risk of unauthorised access to information about customers in accordance with the “Security Policy of PKO Bank Polski S.A.”. The “Principles of security of protected information at PKO Bank Polski S.A.”, which are an element of the Security Policy, regulate the confidentiality of information and the maintenance of bank secrecy, as well as personal data security, including the liability of the Bank’s employees regarding the security of protected information. Every employee is obliged to complete appropriate training in personal data protection in accordance with formal procedures. Such training courses are also organized regularly. Measures aimed at ensuring data security are taken with the participation of the Management Board. For this purpose, the best policies and system security solutions are implemented. Such solutions (in terms of both systems and policies) are constantly evaluated, audited and improved in accordance with the best market practices. The Security Department oversees the Bank’s security responsibilities and reports in this respect to the Bank’s Management Board on a quarterly, semi-annual and annual basis and to the Supervisory Board on a semi-annual and annual basis. The activities of the Security Department also include carrying out internal security inspections in the Bank’s organizational units, which also cover information security, and giving opinions on new solutions and projects implemented at the Bank in the area of information protection.

In accordance with these principles:

  • employees have access to protected information at the Bank in accordance with their assigned job description and responsibilities,
  • before starting to process protected information, employees undergo training in the security of protected information,
  • if materials containing protected information are provided to external entities, a non-disclosure agreement is concluded by and between the parties, whereas in the case of entrusting the processing of personal data, an agreement is concluded on entrusting the processing of personal data. Such agreement includes, among other things, the obligations of the entities cooperating with the Bank to protect the entrusted data, use it exclusively for the purposes of performing the agreement and inform about any security breaches. The Bank defines the requirements concerning the protection of the processed data in accordance with the generally applicable laws. The Bank may also control the security of the processed data at the cooperating entities.

The Bank is obliged to maintain banking secrecy as defined in the Banking Law.

Any information constituting bank secrecy, including the personal data of the Bank’s customers, may only be made available in compliance with the obligations arising from the generally applicable laws in accordance with the provisions of the Banking Law. Enquiries from entities authorized to demand access to the information constituting bank secrecy are considered by the Bank in accordance with the law. The information subject to bank secrecy is provided only in the situations specified in the aforementioned Act, once the conditions giving the Bank the right to provide such information have been satisfied.

In the event of a violation of personal data protection, the Bank takes measures in accordance with the adopted Principles for security incident management at PKO Bank Polski SA and the GDPR. If a violation is identified, immediate action is taken to analyse it and to mitigate its adverse effects, if any. Any violations of personal data protection resulting in a risk to the personal rights and/or freedoms of natural persons are immediately reported to the President of the Personal Data Protection Office (UODO). Moreover, if a violation of personal data protection could result in a high level of risk to the personal rights and/or freedoms of natural persons, the data subject is immediately notified of such violation.

Each of the other entities of the Bank’s Group, which processes personal data, has separate internal regulations and performs obligations related to the protection of personal data as a separate administrator. The companies have implemented the Security Standards, including standards relating to personal data protection, which form part of the “Security Standard Guidelines for the PKO Bank Polski S.A. Group”. They are in line with the generally applicable regulations and the standards applied at the Bank and, to the necessary extent, they contain specific regulations which are adequate to the specific nature of the particular entity’s business.