SUSTAINABILITY REPORT 2024 Turning the Dream of Home into a Goal

Cybersecurity

Ensuring the security of information assets and protecting their confidentiality remain important tasks within the Bank’s operations. The relevance of these tasks is underlined by the need to comply with Resolution No. 832 dated 20 December 2016 of the Government of the Republic of Kazakhstan “Approval of Uniform Requirements in the Field of Information and Communication Technologies and Information Security”, Resolution No. 48 dated 27 March 2018 of the Board of the National Bank of the Republic of Kazakhstan “Approval of Requirements for Information Security of Banks, Branches of Non-Resident Banks of the Republic of Kazakhstan and Organizations Performing Certain Types of Banking Operations, Rules and Terms for Providing Information on Information Security Incidents, Including Information on Violations, Failures in Information Systems”, as well as the need to comply with the requirements of other laws and regulations of the Republic of Kazakhstan and internal regulatory documents of the Sole Shareholder of the Bank.

The main conceptual directions for strengthening information security are:

  • keeping the base of internal regulatory documents on information security up to date;
  • raising the information security awareness of the Bank’s IT infrastructure users;
  • ensuring compliance with the requirements of the external Regulator;
  • technical support and development of software and hardware measures to ensure information security of the Bank, including the following directions:
    1. Monitoring information security events;
    2. Recording and resolving information security incidents and building a knowledge base on them;
    3. Controlling the circulation of sensitive information (personal data and banking secrecy);
    4. Managing access controls within the Bank’s application systems;
    5. Vulnerability management within the Bank’s IT infrastructure;
    6. Database information protection;
    7. Monitoring privileged access;
    8. Protecting email systems and users while interacting with the Internet;
    9. Safeguarding the Bank’s web and mobile applications;
    10. Multi-layer antivirus protection of the Bank’s IT infrastructure;
    11. Change control on the Bank’s critical hosts and application monitoring.
  • Conducting penetration tests and social engineering exercises and analyzing the source code of the Bank’s critical applications to obtain an outsider’s view of the actual security of the Bank’s assets;
  • Continuously detecting potential threats through automated anomaly detection tools and analyzing suspicious activity for possible incidents;
  • Performing ongoing vulnerability assessments of the Bank’s digital assets using CVE2 and CVE3 standards and in-house specialized systems;
  • Conducting proactive threat hunting and analysis of data to identify risks not covered by current security tools;
  • Implementing information security threat prevention and localization measures;
  • Assigning tasks to relevant Bank’s departments to localize and prevent threats;
  • Analyzing alerts about emerging threats to determine their initial impact and severity.

To maintain cybersecurity, the Bank utilizes data loss prevention (DLP) systems, anti-cyberattack mechanisms, antivirus protections, unauthorized access monitoring tools, copying and modification controls, and more.

In the reporting year, there were zero cases of data leakage and zero fines paid in connection with information security violations.

Security Practices

The role of the Security Department in achieving the Bank’s goals is fulfilled by ensuring the safe functioning of the Bank, preventing internal and external threats to its security, protecting the legitimate interests of the Bank, its shareholders, management and staff from unlawful encroachments, as well as enhancing the Bank’s image and increasing profits by ensuring the quality of services and customer security.

95 % of the Department’s employees have extensive experience in operational and investigative units of law enforcement agencies of the Republic of Kazakhstan, as well as in financial organizations (second-tier banks), which attests to the quality of the Department’s staffing.

Most of the employees of the Department have sufficient professional training in the field of economic, physical and information security.

The staff of the division has knowledge and skills acquired through training in economic security (enterprise and business security), personnel and information security (IT auditor, information security management system, hacking, etc.), procurement and fire safety, as well as in ensuring the physical security of protected facilities, including in emergency situations. These facilities include banks, inventory warehouses, archives, life support facilities (heat and water supply), transport facilities (air and railway) and facilities of special importance (warehouses of fuel and lubricants, ammunition, etc.).

The Bank also imposes similar physical security requirements for guarded facilities on its security service provider, Kuzet Motors LLP, whose employees regularly attend relevant courses at the premises of their security company.

The Security Department also actively counters fraud by analyzing trends, identifying increasing or decreasing fraud risks, and implementing measures to prevent both internal and external fraudulent activity.

Fraud cases in 2024 were primarily detected through verbal and written reports from individuals and customers via the fraud and corruption hotline, as well as internal audit, risk management, and security investigations.

A total of 22 fraud cases were registered, including 6 internal and 16 external cases involving customers or third parties.

Compared to 2023, a significant decrease in fraud cases, especially external ones, was recorded.

In 2024, the Bank successfully prevented 100 % of attempted customer deposit thefts by internet fraudsters. No internal investigations into digital channel fraud were conducted by the Security Department.

Earlier, in 2022, the Bank established a new Anti-Fraud Unit, currently operating within the Information Security Department. Its primary objective is to protect the Bank and its customers from fraud events during the use of the Bank’s digital products (Internet banking, remote account management, etc.), and to prevent operational risks associated with fraud in these systems.

Under the Anti-Fraud Concept, the Bank is currently strengthening its anti-fraud measures by acquiring and introducing a dedicated information system for fraud monitoring of Internet banking transactions (an anti-fraud system) to protect against external attacks.

The Security Department continues to investigate misuse related to the government housing program involving pension savings withdrawals. As the authorized operator for managing special accounts for lump‑sum pension withdrawals from the Unified Accumulative Pension Fund JSC (UAPF) for housing or medical purposes, the Bank monitors for illegal actions by customers or healthcare providers who misuse or cash out pension funds.

In fall 2024, the Security Department uncovered several illegal schemes for obtaining mortgage loans without initial down payments.

For instance, in October 2024, a regional Security Sector completed an investigation revealing that customers had used forged birth certificates to unlawfully transfer deposits, take out housing loans, and withdraw collateralized funds following notary execution orders. Six such incidents were identified.

The investigation found that a real estate agency director, working with agency staff, notaries, and private bailiffs, orchestrated a fraudulent scheme for personal gain.

Similarly, another regional Security Sector identified 18 military personnel who received housing payments and worked with the agency to obtain mortgages illegally.

Since early 2024, the Bank recorded 207 cases in which funds from collateral deposits were withdrawn due to fraudulent schemes involving real estate agencies. These schemes allowed customers to bypass the required 50 % down payment by having the Bank transfer collateral funds to private bailiffs after notary instructions, effectively issuing mortgages without any upfront payment.

Internal investigations were conducted, and the Bank submitted reports to law enforcement authorities of the Republic of Kazakhstan to prosecute the individuals involved.

The Security Department continues to take all necessary measures to ensure safe functioning of the Bank, prevent internal and external threats to its security, protect the legitimate interests of the Bank and its customers from unlawful encroachments and enhance the security of the Bank’s personnel and property.