Cybersecurity (and data security)
The projects undertaken by the CBB as part of cybersecurity and data security efforts are aligned with the ICT Security Strategy at Bank Pekao S.A. Their primary objectives include enhancing information security levels and strengthening the ICT environment (e.g., by investing in security solutions and running educational campaigns targeted at both employees and customers). These initiatives are implemented through:
- The cyberPEKAO educational programme, which includes training sessions for employees and webinars for customers;
- Cybersecurity-related events, such as: the #StayCYBERAware campaign or CRM campaigns;
- Participation in the Polish Bank Association’s (Związek Banków Polskich) cybersecurity awareness campaign: Do Not Help Thieves;
- Internal communication efforts (including: Security portal updates; news bulletins; email alerts sent to employees);
- External communication efforts (including: CRM, the Bank’s official website; social media posts; mobile app notifications; radio broadcasts).
Additionally, we organise and co-host cybersecurity events and collaborate with CyberDefence24, a specialised portal covering cybersecurity topics, which features a dedicated Bank Pekao section. The Bank also participates in cybersecurity awareness and educational campaigns organised by the Polish Bank Association. The funding for these initiatives is covered through both Capex and Opex budgets.
To implement the ICT Security Strategy at Bank Pekao S.A., the CBB initiates and oversees projects:
- Vulnerability scanner replacement
- Security of the Bank’s data and applications in the cloud
- Protection of Databases
- Implementation of advanced testing tools.
The aforementioned solutions were preceded by an analysis of changing risks, risk analysis and market analysis. These projects carried out the tasks arising from the aforementioned Strategy and were monitored periodically to determine the degree of goals achievement. The implementation of advanced test tools was implemented in mid-2022, and the remaining tools were implemented in various quarters of 2023. All solutions were implemented before the end of 2024, which is the assumed time of completion of the Strategy.
By implementing of the above solutions, newly emerging risks have been mitigated and remain under constant monitoring.
As part of its responsibilities, the CBB conducts regular reviews of information security documents, which form an integral part of the Information Security Policy. Additionally, the CBB submits periodic security reports on the Bank’s ICT environment, which are included in the Bank’s management information system. These reports – quarterly and annual – are presented to: the Bank’s Management Board, the Risk Committee of the Bank’s Supervisory Board, and the Bank’s Supervisory Board. To ensure compliance, the Bank also undergoes cybersecurity maturity assessments as part of audits conducted in line with the Act of 5 July 2018 on the National Cybersecurity System. Furthermore, the CBB carries out internal security controls within the Bank’s internal control system, which helps enhance the effectiveness and quality of cybersecurity measures, thereby strengthening data protection.