Information Security

As information becomes one of the most important assets of the 21st century, efforts to keep it secure are gaining parallel significance. Information security is defined as a series of practices aiming to keep data secure against unauthorized access or modification, both when being stored and while being transferred from one machine or physical location to another.

Yapı Kredi manages data security in line with the defined policies and processes. Data is categorized according to levels of confidentiality, integrity, and accessibility. Yapı Kredi ensures the integrity and confidentiality of data through security measures. Also, controls to identify and prevent data leaks are designed and implemented.

The information security management system practices are performed under the supervision of the Information Security Committee. The Committee develops, revises, and implements the Bank’s information security policies on behalf of the Board of Directors. The Committee reviews the relevant policies, procedures, and processes at least once a year, and reports annually to the Board of Directors on cyber security issues. See here for more information about the Information Security Committee.

When it is necessary to share data with third-party companies, Yapı Kredi ensures that the contracts with those parties include data security provisions in accordance with Yapı Kredi policies and standards, as well as with the data safety requirements that the Banking Regulation and Supervision Agency (BRSA) expects of banks procuring support services, as specified in the "Regulation on Information Systems and Electronic Banking."

To raise awareness, all employees receive information security awareness training covering data security and confidentiality. In addition to information security, awareness is raised through training provided to employees on the Personal Data Protection Law.

Security audits

Remote working, and the security of remote working, have become top priorities for the Bank's Information Systems Security Management. Yapı Kredi took swift decisions to install the infrastructure needed for fully secure remote working, enabling staff to provide fast and uninterrupted remote services to customers. Based on the principles of high-quality, responsible, and compliant banking, Yapı Kredi treats compliance with banking laws and regulations as a particular priority. Yapı Kredi pays close attention to developments in IT, new business models and solutions, cyber security attacks and threats, and security regulations.

The Bank continues to review and improve its cyber security measures in compliance with the national and international standards for protecting customer data.

Yapı Kredi updates annually the periodic training on social engineering attacks and other known fraud methods that is given to all customer representatives and team leaders assigned to provide phone banking services to customers. The Bank also carries out awareness-raising activities for its employees. In addition, Yapı Kredi provides periodic remote "Information Security" training to all of its employees.

The Bank employs 24/7 monitoring and detection to identify and prevent cyber-attacks. Security trace logs from all products are correlated to detect and prevent potential cyber-attacks.

Yapı Kredi is subject to the regulations of the BRSA, which regulates the banking sector in Turkey. The BRSA has issued regulations on Information Systems and Electronic Banking Systems that require the establishment of an information security management system equivalent to the ISO 27001 Information Security Management System. Yapı Kredi is audited annually by the BRSA, both for compliance with these regulations and against the Control Objectives for Information and Related Technology (COBIT) framework. These audits are conducted by independent third-party audit firms.

Yapı Kredi also conducts regular internal audits on data security. Beyond the practices required by the Banking Law and other relevant legislation, Yapı Kredi implements in-house policies such as the Ethical Rules, the Code of Conduct, and the Corporate Policy on Personal Data Protection and Processing.