Value to Our Business
Cybersecurity and Data Privacy
Number of Employees Receiving Face-to-Face Information Security Trainings: 1,273
Integrated Information Technologies Risk Management Structure
In Ziraat Bank's organizational structure, information security is the responsibility of the Internal Systems Group Directorate, and the relevant Group Presidency carries out its activities under the Board of Directors. The ultimate responsibility for ensuring information security within the Bank lies with the Board of Directors.
An Information Security Committee (ISC) has been established to coordinate the work on information security within the framework of the Banking Law, the Articles of Association, and other relevant legislation, as well as the policies and strategies determined by the Board of Directors. The duties and powers of this Committee are determined by the Board of Directors. The Committee is responsible for creating, approving and periodically updating information security policies and determining the duties and responsibilities in the area of information security. The committee also carries out reviews in the event of extraordinary situations, such as large-scale security incidents, the emergence of new vulnerabilities or critical infrastructure changes. All stakeholders within the organization carry out the implementation of strategic decisions taken by the Information Security Committee, in accordance with their areas of responsibility.
The Bank has established an integrated IT Risk Management structure in line with the information security strategies and policies it implements. IT Risk is deemed a major corporate risk component of the Bank and an integral aspect of banking operations. In order to ensure business continuity and data integrity, the Bank attaches great importance to mitigating operational risks and manages IT-related operational risks in an integrated structure with its technology company. The Bank classifies its information assets based on their security values, determines appropriate security controls according to the criticality of the classified assets, tests the determined security controls, and, through continuous improvement activities, works to bring the risks identified by those tests below the threshold value.
Within the scope of IT Risk Management, Information Technologies risks are managed effectively by taking into account the Information and Communication Security Guide of the Presidential Digital Transformation Office, the Banking Regulation and Supervision Agency's Regulation on Banks' Information Systems and Electronic Banking Services, and other legal regulations and good practices. Establishing a framework compatible with the Bank's strategies for IT Risk Management, determining strategies and plans, and regularly reviewing the related activities are carried out under the guidance of the Information Security Committee.
Within the Ziraat Finance Group, policies are developed, processes are defined and an integrated risk management infrastructure project is being developed to establish a standard risk culture in all overseas subsidiaries and branches and to ensure compliance in the risk management process.
Risk measurement parameters and parabola risk indicators have been established within the Bank in accordance with international standards. System improvements and front-ends have been designed to enable continuous monitoring of risks with values above the threshold, root cause analyses of those risks, control activities implemented for them, consolidated reports for monitoring risks, and monitoring of the actions taken.
Within the scope of the policies determined and the IT Risk Management framework established, employee-related security risks are identified and evaluated carefully before they materialize. All employees within the Ziraat Finance Group have information security responsibilities when starting, leaving, and changing duties.
With the systems automated by the Identity Management Application, access authorizations are determined and an Identity Management Policy is in place that takes into account the principle of least authority and the separation of duties.
Information Security Awareness Program
A comprehensive Information Security Awareness Program is offered to all employees in the Ziraat Finance Group. Bulletins are prepared every month, and surveys are prepared to assess the information security risk perception among employees. In addition, internal drills are conducted throughout the year to raise awareness of phishing attacks that use social engineering methods. The results of each exercise are reviewed and necessary training assignments are put in place accordingly, with the aim of raising employee awareness in this area. Face-to-face in-class information security training sessions are organized during the orientation of new employees, and all employees receive updated information security training assignments throughout the year.
In 2024, Information Security e-training was assigned to all employees. Within the Bank, 25,000 employees received 45-minute distance training and 1,273 employees received face-to-face Information Security training.
Sustainable security technologies supporting business strategies
The Bank keeps its employees up to date with the most modern practices and information on information security and data protection methods, which change with the widespread use of digital service channels and technological developments. In addition to the awareness initiatives organized for Ziraat Bank employees, efforts are underway to mitigate human factor-related information risks for its customers, suppliers providing external and support services, business partners, and third parties. The Bank provides key information to customers regarding methods frequently used by cyber attackers, such as phishing, identity theft, malware, and social engineering, as well as information on what customers can do to protect themselves against such attacks.
All assets that are of value to the Bank and used for the processing, storage, transmission, protection, and continuity of the generated information are considered information assets. In line with the Regulation on Banks’ Information Systems and Electronic Banking Services published in 2020, all information assets are classified, and an Information Asset Inventory is established; the confidentiality, integrity, and accessibility values of the asset are identified. The identifying characteristics of each information asset, such as owner, custodian, and location, are recorded, and appropriate protection methods are applied. Rule sets for the use of information assets are established, and procedures are carried out for their physical transfer and destruction.
A Cyber Security Center has been established within the Ziraat Finance Group; it examines bank systems and alarm mechanisms seven days a week without interruption, scans for weaknesses and vulnerabilities, collects intelligence, and responds to cyber threats.
Network and client security products and devices (DDoS protection, IPS, EDR/EPP systems, Network Access Control (NAC), Web Application Firewall (WAF) systems, firewalls, and email security solutions), Data Loss Prevention (DLP) systems, and Web/DNS security measures are in place to prevent data leaks. The center also uses Security Information and Event Management (SIEM) systems to monitor security logs and generate alerts, along with software code review, penetration testing, and vulnerability management systems to ensure the security of all applications in use; these measures are currently operational and functioning seamlessly. Additionally, the traffic density of network devices is constantly monitored, and access rule sets for internet access are established according to user profiles by using a Proxy. Role-based authorizations are structured in line with the principle of separation of duties, and log records created on the systems are transferred to the SIEM system. An alarm is generated for transactions that violate the predetermined authorization scheme, and rapid action can be taken with the help of advanced systems.
Ziraat Bank is improving its capabilities to identify anomalies and detect vulnerabilities through the use of Artificial Intelligence and machine learning models that learn user behavior.
Legislative compliance in establishing an information security infrastructure
Within the scope of compliance with national/international laws, regulations, regulatory board decisions, and instructions affecting information security, an underlying legal requirement structure has been established in accordance with international standards for each risk identified on information assets. A procedure for intellectual property rights is being established. Some of the nationally and globally recognized standards and models utilized in the creation of the Bank's regulatory compliance library are listed below.
Banking Law No. 5411
The Regulation on Information Systems and Electronic Banking Services of Banks and various regulations published by the Banking Regulation and Supervision Agency
ISO 27001 Information Security Management System - Requirements Standard
ISO 27005 Information Security Risk Management Standard
The Republic of Türkiye Presidential Digital Transformation Office Information and Communication Security Guide
PDPL (Personal Data Protection Law)
NIST (US National Institute of Standards and Technology) Standards
While creating the information security policy of the Bank and all its subsidiaries and the legal documents supporting this policy, compliance with the regulations of regulatory and supervisory authorities is ensured. In addition, these regulations are being reviewed in parallel with digital transformation, technological progress and developments in business processes.
The Bank takes all necessary technical and administrative measures to store personal data securely, prevent its unlawful processing, and destroy such data in accordance with the law. In line with the obligation of disclosure, a mandatory provision of the Personal Data Protection Implementation Principles and Procedures legislation, the Bank pays attention to obtaining the necessary explicit consents while providing the necessary information through all channels. In addition, both in-class and distance learning is provided to raise awareness of the protection of personal data, and all personnel are required to complete the training.
Within the scope of the BRSA's Circular on Penetration Tests Regarding Information Systems, penetration tests are conducted at least once a year within the Ziraat Finance Group by independent companies that have no executive duties. These tests aim to detect and correct security vulnerabilities in the Bank's information systems that could expose the Bank to unauthorized access or to access to sensitive information, before such weaknesses are exploited. The findings of the penetration test are presented to the Board of Directors, and the necessary action plans are undertaken.
Network Security Control Systems are established throughout the Ziraat Finance Group to protect against threats that can arise from both its own corporate network and external networks. Within the framework of the Bank's policies on the use of network resources, rules are determined for the use of USB devices, the sharing of files outside the Bank, database and application access, and the uploading of non-standard applications, with further rules determined for third-party company employees who will work at Bank locations, consultants, employees of independent auditors, and external auditors. Standards for the computers provided to individuals and for their access are also determined. The use of network resources is monitored with Data Leakage Prevention (DLP) Systems, which prevent data leaks and create trace records of transactions.
Security policies in line with international standards
Ziraat Bank's information security is carried out within the framework of access policies that meet international standards. Users are authorized to access only the network and network services they specifically need, and their authorizations are removed when the business requirement ends. Access authorizations are checked regularly. A password policy is established, and private channels are used to share confidential/sensitive information. Additional restrictions are applied in data processing through techniques such as masking, blocking, tracking, and encryption.
Outsourced services, such as information systems services, that have the potential to compromise the confidentiality, integrity and accessibility of banking data or the continuity of banking services, and that have access to or share banking data, are defined as external services. Ziraat Bank includes information security requirements in the specifications and contracts for service procurement in order to minimize supplier risks. Supplier companies are evaluated, confidentiality agreements are signed with them, and the obligations under the terms of the agreement are periodically checked.
Robust cyber security structure
Within the framework of managing information security breach incidents, a Cyber Incident Response Team (CERT) is in place to respond to cyber incidents swiftly, effectively, and in an organized manner. Information security events and vulnerabilities related to the Bank's information systems are monitored and recorded through central monitoring mechanisms. Information security incident action planning is managed in accordance with the rules set out in the Information Security Incident Management Plan, with the aim of reducing security risks.
This process involves assigning responsibilities for security incidents, taking measures as quickly as possible, and informing the units related to the incident, depending on the criticality and type of incident.
The periodic review of information security controls and practices at the Bank is carried out by separate directorates within the framework of internal control and inspection activities for information systems at the Internal Systems Group Presidency, which reports to the Board of Directors, in addition to the external audit activities required by legal regulations. In this context, information security checks are carried out on a regular basis, reported findings are shared with the business units, and actions are taken and followed up until resolution.
In 2024, the Bank's systems received an average of 460,000 spam/malicious emails and 256,000 IPS attacks per month, as well as many Denial of Service (DoS) attacks and unauthorized access attempts. All of these attacks were successfully blocked by attack prevention systems operating 24/7. As a result, there were no data leakage incidents at the Bank in 2024.
As part of data breach incident management, the Bank has established a robust cyber security structure operating in compliance with local legislation and international standards in order to respond to cyber incidents in a fast, effective, and organized manner. This structure is audited every year within the framework of the BRSA Regulation on Banks' Information Systems and Electronic Banking Services.
The data of the Bank's customers is processed and recorded in compliance with the PDPL and other legal regulations. Within the scope of the Regulation on the Data Controllers Registry, the Bank records and publishes the data it processes as a data controller in VERBIS. The detailed explanation and explicit consent text of the Bank's Data Processing Policy are available on the corporate website.