The Bank makes every effort to ensure that its products do not expose Customers to the risk of losing funds. This is particularly important in the case of investment products. Therefore, as part of the obligations imposed by MiFID, the Bank informs its Customers before conducting a transaction whether a given product is suitable for them.
Customer security while using the products
Security of Customers’ funds
The activities of the Bank and other entities of the Bank’s Group related to the security of Customers’ funds cover both the funds entrusted to the Bank and the funds invested using the products offered. The initiatives aimed at ensuring a stable and secure infrastructure made it possible to achieve very high reliability indicators for the operation of the IT infrastructure.
The main mechanism which guarantees the security of Customers’ funds is the stability of the Bank’s financial result and the results of the other entities of the Bank’s Group. An additional mechanism is the Bank’s participation in the obligatory deposit guarantee system operating under the Act on the Bank Guarantee Fund, the deposit guarantees system and special resolution.
The security of Customers’ funds is also guaranteed by the cybersecurity procedures.
Physical security of Customers
The Bank and the other entities of the Bank’s Group ensure the highest quality of direct Customer service in their locations, among other things, thanks to the security standards which meet the requirements of legal regulations and norms, implemented at the Bank. State-of-the-art systems, equipment and technical and organizational solutions adequate to the threats and risk identified are used in all facilities. They ensure physical security of Customers, employees, cash and deposits, as well as security of protected information, including bank secrecy and personal data.
Protection covers all locations and self-service equipment made available to the Customers and has the form of:
- physical safeguards (construction, mechanical and electronic, including burglary and robbery signalling systems, surveillance TV and access control);
- continuous direct physical protection of selected facilities of the Bank;
- monitoring of alarm signals by certified security firms and the arrival of the so-called intervention groups after receiving alarm signals.
Moreover, the employees of all branches and agencies of the Bank undergo training in security in the form of e-learning and directly with drills in “Counteracting robberies and dealing with security threats”. The provision of direct training has been suspended due to the pandemic, but as soon as it is over there are plans to resume successive training in all branches.
The Bank has a security policy in place, which also relates to the principles of digital security. The policy was approved by the Management Board in 2015. The Bank has a Cybersecurity Department which deals with:
• ensuring the security of the Bank’s IT system;
• development of systems and monitoring of cybersecurity parameters and critical services;
• servicing cybersecurity events and incidents, including the events and incidents in the area of electronic banking.
The function of controlling the current level of infrastructure security is performed by the Department director who also supervises the Security Operations Centre (SOC). The director of the Cybersecurity Department is responsible for implementing the cybersecurity policy and for controlling cybersecurity. The Vice-President of the Management Board responsible for IT supervises the performance of these functions. The President of the Management Board oversees the implementation of the policy. In order to improve the methods of counteracting crime at the Bank, the Cybersecurity Department prepares analyses and presents the Management Board and the Supervisory Board of the Bank with conclusions and recommendations concerning the implementation or modification of specific solutions.
The monitoring of and responding to incidents are performed by the specialist CERT unit of the Bank.
In order to ensure IT security of the Bank’s services, incident response operates on a 24/7/365 basis. CERT PKO Bank Polski S.A. is a member of an international forum of responders (FIRST) and belongs to the task force of European response teams (TERENA TF-CSIRT) and the related Trusted Introducer organization.
In 2021, the Bank completed the CyberSecurity Operations Center project, as part of which the processes of the Cybersecurity Department were streamlined and a strategy was drawn up for providing services to the Group companies. Moreover, as part of the project a SOAR class system was implemented, which allows the handling of security incidents to be automated.
The Bank educates its employees regularly in ICT environment security and the security of information processed in that environment. The Bank’s employees are offered training in threats related to:
- using mobile devices;
- using personal IT equipment for professional purposes and using the Bank’s equipment for private purposes;
- publication of information concerning the Bank by employees in the Internet (especially in the social media);
- social engineering attacks.
This is a package of training courses which are obligatory for every newly hired employee. The Bank provides the training in accordance with an agreed schedule, and all employees must participate. The provision of training is monitored by the Bank on an ongoing and periodic basis as part of independent monitoring of controls.
In accordance with the Bank’s policy, the principles of cybersecurity must be complied with not only by the employees but also by third parties (contractors). The Bank sets security requirements for the providers of IT services with respect to the protection of the Bank’s information, access to the Bank’s buildings and rooms, and the protection of the Bank’s information systems.
The Bank identifies threats to cybersecurity on an ongoing basis. It monitors the sources of information, implements safeguards against potential threats, develops incident response plans, and simulates potential attacks (RedTeam) in a controlled manner to identify weaknesses before they are exploited. The Bank has a formalized process in place for verifying the security and sensitivity of new or modified systems and applications before their production launch. This process is performed in two dimensions: in connection with the process of software implementation and modification at the Bank and in connection with the project process. Every new project which changes a key system from the perspective of the business processes is subject to an IT security audit.
An internal audit of the IT processes is performed at least once every 3 years. The selection of IT processes to be audited in a given year depends, among other things, on the following factors: the results of the internal audits performed, changes in the ICT environment, risks associated with identified internal and external frauds, and changes in internal and external regulations affecting the Bank’s functioning and operating activities. Internal audits of IT processes are performed by the IT and Security Audit Team of the Bank in accordance with a predefined schedule. External cybersecurity audits are outsourced to the audit firms with which the Bank has signed framework agreements.
The most important threat to the security of Customers identified by the Bank and PKO Towarzystwo Funduszy Inwestycyjnych S.A. is associated with potential criminal activities of third parties targeted at Customers using electronic channels of access to banking and investment services.
Firstly, the Bank uses the latest ICT security solutions, which guarantee secure access to funds held by Customers. The Bank is constantly improving the quality of its IT systems security, in particular with regard to the applications used by the Bank’s Customers. This concerns, among other things, actively combating phishing websites pretending to be the Bank’s websites, identifying criminals’ intentions and capabilities, taking into account their tactics, techniques and procedures (standardization and structuring of information about threats within a single data model), tracking the development of malware attacking the Bank’s Customers, developing mechanisms for detecting infected Customers’ computers, as well as improving the rules and extending the scope of monitoring of electronic transactions.
Secondly, the Bank attaches a great deal of importance to informing and raising Customers’ awareness of the safe use of electronic banking services and payment cards. This is because security in this respect depends to a large extent on the users’ actions. The Bank’s educational activities include, in particular:
- mass educational campaigns, e.g. initiating texts on the safe use of electronic banking (the educational portal);
- responding to Customers’ enquiries on an ongoing basis (e-mail, social media);
- ongoing communication of the Bank’s views on various issues and provision of educational materials on cybercrime and the principles of security to the media;
- responding to other signals regarding threats on an ongoing basis;
- provision of information on cybersecurity to Customers through the Bank’s websites, the transactional service and by e-mail.
In 2021, the Bank was improving its systems for detecting incidents, anomalies and advanced types of malware, and a large number of actions relating to incident handling were automated. It ensured the technological validity of the solutions used for computer forensics purposes in accordance with the current requirements profile.
Representatives of the Bank also engage in the work of the Banking Cybersecurity Centre (BCC) operating at the Polish Bank Association. The purpose of BCC is to take comprehensive and long-term measures which are aimed at improving the safety of mobile and electronic banking and preparing tools (structures, procedures, information exchange mechanisms) enabling crisis management (e.g. in the event of a massive attack).
The Bank does not have an ISO 27001 certificate; however, its cybersecurity processes and regulations are developed on the basis of the requirements of this standard. The high organizational maturity in the area of handling cybersecurity incidents is particularly important in the light of the PFSA’s decision issued in 2018 on recognizing PKO Bank Polski S.A. as a key service operator as defined in the Act on the national cybersecurity system.
PKO Bank Polski S.A. follows the generally applicable regulations, including:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR);
- the Personal Data Protection Act of 10 May 2018,
and its own internal personal data protection regulations.
These internal regulations apply to the principles of personal data processing at the Bank, in particular the method of processing it and the technical and organizational measures ensuring the security of the process.
Additionally, the Bank applies internal regulations regarding, in particular:
- security of protected information;
- IT system security;
- protection of people and property;
- management of security incidents where the method of management of personal data protection violations has been defined;
- conducting investigations;
- designing and implementing security mechanisms.
The Security Standards for the Bank’s Group address the following issues: personal data protection, business continuity management, ICT security, counteracting money laundering, security incident management, outsourcing principles and security reporting principles.
The Bank processes personal data in keeping with the requirements of the generally applicable laws, including the principle of legality and data transparency, the principle of purpose limitation, the principle of data minimization, and the principle of maintaining the accuracy and integrity of processed data. In order to achieve these objectives, the Bank applies both procedural regulations and technological solutions which are designed to observe the personal data processing principles defined in the General Data Protection Regulation (GDPR).
The Bank has appointed a Data Protection Officer (IOD) whose tasks comprise supervision over the correctness of personal data processing. Customers may contact the IOD by sending letters to the Bank’s address or by e-mail: firstname.lastname@example.org.
As required by the GDPR, the Bank has prepared Information on personal data processing and provides it to its Customers. They are informed about the applicable principles of personal data processing, the purpose of its processing and their rights, including the right to access, rectify and erase data.
If data is processed on the basis of the consent of the data subject, the data subject is informed about the right to withdraw consent.
The Bank has also defined the principles for informing Customers about a breach of their data security. Those principles are in compliance with the generally applicable laws.
Moreover, a dedicated website of the Bank presents information on personal data processing, including information on the appointed IOD, on the manner of personal data processing, the legal basis for the processing, and the rights of the data subjects.
The Bank’s Customers also have access to complaint paths for expressing doubts concerning data security. Internal regulations concerning the management of personal data breaches have also been developed. These regulations govern the principles for informing Customers about a breach of security of their data.
Ongoing exchange of information and improvement of security on the basis of the best practices are the permanent features of the cooperation and the Agreements in place in the Bank’s Group. Any irregularities are addressed in compliance with the law, which includes informing the competent authorities about breaches, as required by the internal regulations and the law.
The risk of unauthorized access to Customer information is managed in accordance with the “Security Policy of PKO Bank Polski S.A.”. At the same time, the “Principles of security of protected information at PKO Bank Polski S.A.” regulate the issues of confidentiality of information and the maintenance of bank secrecy, as well as personal data security, including the liability of the Bank’s employees regarding personal data protection. Every employee is obliged to complete appropriate training in personal data protection in accordance with formal procedures. Such training courses are also organized regularly. Measures aimed at ensuring data security are taken with the participation of the Management Board. For this purpose, the best policies and system security solutions are implemented. Such solutions (in terms of both systems and policies) are constantly evaluated, audited and improved in accordance with the best market practices. The Security Department supervises the performance of duties associated with the protection of information at the Bank and prepares information on the state of security for the Bank’s Management Board and Supervisory Board in the form of semi-annual reports. The activities of the Security Department also include carrying out internal security inspections in the Bank’s organizational units, which also cover information security, and giving opinions on new solutions and projects implemented at the Bank in the area of the protection of information.
In accordance with these principles:
• access to protected information at the Bank is only given to employees within the scope of their corporate tasks and duties;
• the employees undergo training in security of protected information before starting to process protected information;
• if materials containing protected information are provided to external entities, a non-disclosure agreement is concluded by and between the parties, whereas in the case of entrusting the processing of personal data, an agreement is concluded on entrusting the processing of personal data. Such agreement includes, among other things, the obligations of the entities cooperating with the Bank to protect the entrusted data, use it exclusively for the purposes of performing the agreement and inform about any security breaches. The Bank defines the requirements concerning the protection of the processed data in accordance with the generally applicable laws. The Bank may also control the security of the processed data at the cooperating entities.
The Bank is obliged to maintain banking secrecy as defined in the “Banking Law”.
Any information constituting bank secrecy, including the personal data of the Bank’s Customers, may only be made available in compliance with the obligations arising from the generally applicable laws. Enquiries from entities authorized to demand access to the information constituting bank secrecy (e.g. government institutions) are considered by the Bank in accordance with the law. The information subject to bank secrecy is provided only in the situations specified in the aforementioned Act, once the conditions giving the Bank the right to provide such information have been satisfied.
The information on the legal basis for giving access to data can also be found on the Bank’s website.
Each of the other entities in the Bank’s Group which processes personal data has such regulations in place and applies them in practice. The companies have signed and implemented the Security Standards, including standards relating to personal data protection, which form part of the “Security Standard Guidelines for the PKO Bank Polski S.A. Group”. They are in line with the generally applicable regulations and the standards applied at the Bank and, to the necessary extent, they contain specific regulations which are adequate to the specific nature of the particular entity’s business.
In the event of a violation of personal data protection, the Bank takes measures in accordance with the adopted Principles for security incident management at PKO Bank Polski SA and the GDPR. If a violation is identified, immediate action is taken to analyse it and to mitigate its adverse effects, if any. Any violations of personal data protection resulting in a risk to the personal rights or freedoms of natural persons are immediately reported to the President of the Personal Data Protection Office (UODO). Moreover, if a violation of personal data protection could result in a high level of risk to the personal rights or freedoms of natural persons, the data subject is immediately notified of such violation.