One of the Bank’s priorities is to set the highest security standards. Customer security in the process of using the Bank’s and the Bank Group’s products primarily includes security of the funds of Customers, as well as physical security of Customers in the Bank’s facilities. The matter of security is regulated by the internal regulations, including the Security Policy at PKO Bank Polski SA and – in detail – the provisions regarding specific areas of security, i.e.:
(i) protection of people and property; (ii) IT System security; (iii) managing safety incidents.
Security of Customer funds
The activities of the Bank and other entities of the Bank’s Group related to ensuring the security of Customer funds apply to both the assurance of security of the funds entrusted, as well as the funds invested with the use of the products offered. The initiatives implemented regarding the assurance of a stable and secure ICT infrastructure enabled the achievement of very high reliability indicators for the operation of the IT infrastructure applications in 2018.
Security of funds invested: The Bank makes every effort to ensure that the products offered to Customers do not generate the risk of a loss of funds. This is particularly important for investment products. Therefore, within the framework of the obligations imposed by the MiFID Directive, the Bank informs Customers before conducting a transaction on financial instruments as to whether the given product is suitable for them.
Security of entrusted deposits: With respect to deposit products, the main mechanism guaranteeing security of funds entrusted by Customers is the stability of the Bank’s financial result and the result of the other entities belonging to the Bank’s Group. An additional mechanism is the Bank’s involvement in the obligatory deposit guarantee system, operating under the Act on the Bank Guarantee Fund, the term deposit guarantee system and forced restructuring.
The security of Customer funds is also guaranteed at the Bank by procedural solutions that ensure the Customer is correctly identified every time one of his instructions is executed.
The risk of unauthorized access to Customer funds through electronic banking
The most important threat identified by the Bank and PKO Towarzystwo Funduszy Inwestycyjnych SA to the security of Customers benefiting from the Bank Group’s products is potential criminal activity by third parties targeted at Customers using electronic channels of access to banking and investment services.
First, the Bank uses the latest ICT security solutions guaranteeing secure access to funds held by Customers, and is constantly improving the quality of IT system security, in particular for the applications used by the Bank’s customers. This includes, among other things, actively combating phishing websites pretending to be the Bank’s websites, tracking the development of malware attacking the Bank’s Customers, developing mechanisms for detecting infected Customer computers, and improving the rules and extending the scope of monitoring of electronic transactions.
Second, the Bank attaches a great deal of importance to informing and raising Customer awareness of the safe use of electronic banking services, as well as payment cards, as security in this respect depends to a large extent on the user’s actions. These activities include, in particular:
- mass educational campaigns, e.g. by initiating texts on the safe use of electronic banking (the Bankomania magazine, distributed in paper form in over 1200 branches, i.e. almost 2/3 of branches, and the educational portal bankomania.pkobp.pl);
- ongoing provision of responses and explanations to Customer enquiries (e-mail, social media);
- ongoing communication via the mass media of the Bank’s position regarding fraudulent e-mails, including educational content;
- ongoing response to other signals regarding threats;
- publication of information on secure logging in and the principles of using electronic banking on the Bank’s website and the transaction website, and its distribution to Customers by e-mail.
In 2018, the Bank began work on creating a platform supporting a SIEM-class system (Security Information and Event Management). This will enable better detection of incidents and anomalies, and automation of many activities related to incident handling. The process of implementing the solution monitoring threats on the Bank’s workstations was completed. This enabled, among other things, the detection of advanced types of malware.
After integrating the solution with the Bank’s SIEM system, it will be possible to immediately respond to the incidents detected.
The specialist CERT unit operating within the Bank’s structures executes a strategy of ensuring IT security of the services provided. CERT PKO Bank Polski is a member of an international forum of responders – FIRST, and belongs to the task force of European responding teams – TERENA TF-CSIRT and the related Trusted Introducer organization. In 2018, the Bank initiated the CERT certification process for compliance with the requirements of SIM3 methodology: Security Incident Management Maturity Model. As a result of these actions, the Bank will be the first organization in the financial sector in Poland to hold the CERT certificate.
Joining the international organizations enables the Bank’s CERT team to respond faster and more effectively to cybersecurity threats by operational collaboration and exchange of experience and knowledge with similar entities throughout the world. The membership is also a confirmation of a high level of the services rendered and acknowledgement of the professionalism and skills in the area of ensuring IT security at the Bank.
In 2018, the Bank’s Cybersecurity Centre appointed the CERT team operating as part of ZBP – FinCERT.pl. As a result of the support granted by PKO Bank Polski SA, the team joined the Trusted Introducer.
The high organizational maturity in the area of handling cybersecurity incidents is particularly important in the light of the decision of the PFSA of 2018 concerning acknowledging PKO Bank Polski SA as an operator of a key service as defined by the Act on the national cybersecurity system.
Physical security of Customers
The Bank and the remaining entities from the Bank’s Group meet the requirement of ensuring the highest quality of direct services to Customers, among other things, by ensuring proper standards of comfort and safety.
The sites of the Group’s entities conducting retail operations, including the Bank, use state-of-the-art technical solutions in the area of physical security of customers and their funds, including physical protection and monitoring.
The Bank provides training for the employees of its branches and agencies entitled “Counteracting robberies and dealing with security threats.”
Being concerned about the safety of Customers and employees, the Bank introduced an obligatory first aid course in 2010 as part of its health and safety training. In 2018 alone, 5477 of the Bank’s employees were trained (as part of obligatory periodic training sessions) and an additional 39 persons were trained in first aid as part of individual presentations organized on approval by the Director of the Health and Safety at Work Office. Since the start of the programme, more than 25 thousand persons have been trained.