The case for CSR/ Sustainability Reporting Done Responsibly


IDENTIFY - MEASURE - MANAGE - CHANGE

Insights on how you can protect the environment, maintain and increase the value of your company, through a structured process.


Case study: How MKB promotes information security

MKB is one of the largest private banks in Russia, offering a full package of financial services through a regional network that includes more than 130 offices in 19 regions. Adhering to the principles of socially responsible business conduct, MKB complies with both Russian and international laws on personal data processing and protection.

This case study is based on the 2019 Sustainability Report by MKB published on the Global Reporting Initiative Sustainability Disclosure Database that can be found at this link. Through all case studies we aim to demonstrate what CSR/ ESG/ sustainability reporting done responsibly means. Essentially, it means: a) identifying a company’s most important impacts on the environment, economy and society, and b) measuring, managing and changing.

Abstract

The design of MKB’s current and future processes and products assumes obtaining consent from customers, counterparties and the bank’s employees for the processing of their personal data, minimal use of that data in interactions between employees and the bank’s systems, and the application of the “security by design” and “security by default” concepts. In order to promote information security MKB took action to:

  • combat fraud
  • promote cybersecurity
  • identify and eliminate vulnerabilities
  • respond to information security incidents in a timely manner

What are the material issues the company has identified?

In its 2019 Sustainability Report MKB identified a range of material issues, such as customer satisfaction, increasing the accessibility of services, economic efficiency, professional development and training of employees. Among these, promoting information security stands out as a key material issue for MKB.

Stakeholder engagement in accordance with the GRI Standards

The Global Reporting Initiative (GRI) defines the Principle of Stakeholder Inclusiveness when identifying material issues (or a company’s most important impacts) as follows:

“The reporting organization shall identify its stakeholders, and explain how it has responded to their reasonable expectations and interests.”

Stakeholders must be consulted in the process of identifying a company’s most important impacts and their reasonable expectations and interests must be taken into account. This is an important cornerstone for CSR / sustainability reporting done responsibly.

Key stakeholder groups MKB engages with:

Stakeholder group (methods of engagement are listed under each group):

Customers
  • Customer service, including development of the network of branch offices
  • Receiving queries
  • Remote banking service (mobile banking, contact centre, internet banking)
  • Information about bank products, reporting, availability of branch offices of the Bank, environmental plans and actions, and other important information as published on the MKB website (Russian or English version)
  • Analysis of customer satisfaction

Employees
  • Advanced training
  • Benefits package
  • Support and assistance in developing internal corporate sports clubs and events for the company employees
  • Participation in sports events, charitable, and other public and environmental events
  • Corporate portal
  • The hotline that allows sending complaints and queries to the members of the Audit and Risk Committee under the MKB Supervisory Board

Society
  • Participation in social and environmental projects of the Russian Government, other governmental bodies, and development of its own projects
  • Development of financial products for different categories of people
  • Support of small and medium business entities
  • Development of a regional network of offices and creation of additional jobs in the regions
  • Interaction with higher educational institutions, probation programmes, training

Shareholders and investors
  • Meetings of shareholders
  • Communication using different channels (including conference calls, meetings, correspondence via email, webcasts)
  • Disclosure of information important for shareholders and investors on the electronic page for investors (in Russian and English)
  • Publication of financial and nonfinancial reports

Counterparties and partners
  • A transparent competitive procurement system

Governmental bodies and regulators
  • Information disclosure and compliance with all legislative requirements in the field of banking activities
  • Participation in projects and work meetings on the improvement of laws in different areas (expert councils, work groups, round-table discussions, and other forms of communications)
  • Contribution to the development of regions with the extension of the regional network of presence

Mass media
  • Regular communications with the key media, prompt response to incoming questions
  • A high level of content mobility on the MKB website, in social networks, and other sources of communication

How stakeholder engagement was used to identify material issues

To identify and prioritise material topics MKB engaged with its stakeholders through an interactive survey tool.

What actions were taken by MKB to promote information security?

In its 2019 Sustainability Report MKB reports that it took the following actions for promoting information security:

Combating fraud

MKB pursues a zero-tolerance policy toward illegal actions against its customers. For this purpose, MKB:
  • has implemented and maintains fraud monitoring processes for remote banking;
  • investigates any attempt to steal funds from the bank’s customers;
  • interacts with the Bank of Russia and other credit institutions, communication service providers, and law enforcement agencies to exchange information about the actions of fraudsters and to prevent fraudulent activities in a timely manner;
  • implements the programme for enhanced protection of systems and data, which is reviewed annually and fully updated every three years.

The above activities resulted in dozens of prevented attempts to steal funds from legal entities and individuals, saving them dozens of millions of rubles. The only loss suffered by a legal entity as a result of a fraudster’s actions in the remote business education system (RBES) in 2019 amounted to RUB 3,000; the transaction was marked as suspicious but was additionally confirmed by the customer itself.

Promoting cybersecurity

MKB pays close attention to information security and resilience to cyber threats. Within its information security strategy, the following were identified as the biggest threats to MKB:
  • External attacks by hacker groups aimed at stealing data or money via payment systems
  • Attacks aimed at customers and at stealing customers’ funds via remote banking services
  • Fraudulent actions by the bank’s employees or counterparties, which may cause data leaks or thefts using authorised access to MKB’s information systems
  • Logical attacks on ATMs (use of special software for money disbursement without using cards and for debiting accounts) and payment terminals (use of special software to reload cards without cash)

The following projects were initiated and successfully completed to implement measures preventing these threats from materialising:
  • Implementation of a next-generation firewall as the basic element of protection against external attacks
  • Implementation of a solution to counter targeted attacks delivered via malicious emails or malicious websites that exploit 0-day vulnerabilities and are not detected by standard means of protection such as antivirus software (over 650 targeted attacks were repelled as a result of the system’s operation)
  • Implementation and development of a personnel training system that simulates hackers sending malicious attachments and phishing links, and automatically assigns testing to any employee who opens such an attachment or enters their account password on a website reached via a phishing link
  • Development and implementation of an anti-fraud system to identify abnormal and illegal payments sent to the Bank of Russia or to the international SWIFT data transfer and payment system

Identifying and eliminating vulnerabilities

To minimise the likelihood both of purely technical vulnerabilities typical of information systems and of logical vulnerabilities affecting customer service processes and products, MKB began supporting the following processes in 2019:
  • External vulnerability scanning; full coverage was reached for all 179 of MKB’s services published on the web and external networks, and the scanning results are recognised by auditors as performed by an Approved Scanning Vendor as part of PCI DSS (Payment Card Industry Data Security Standard) conformity audits.
  • A red team was set up, that is, a group of specialists with qualifications similar to those of hackers, whose main task is to conduct penetration tests and identify vulnerabilities through the eyes of an attacker, so as to thoroughly identify vulnerabilities that cannot be found with automated tools.
  • The Information Security Department participates in, and controls, all IT development tasks, including the following:
    • Analysis of business requirements
    • Analysis of technical assignments
    • Formation of a set of requirements for the implementation of the security-by-design and security-by-default concepts for all services and products developed by MKB
    • Verification that the requirements have been fulfilled before the implemented tasks are put into operation
    • Participation of red team specialists in vulnerability analysis of any services published on the web and of any payment applications
  • External penetration tests, organised by the internal audit function, are performed by specialised companies with highly proficient specialists.

Responding to information security incidents in a timely manner

To monitor and respond to information security incidents in a timely manner, MKB has a security incident response team. In 2019 the work of this team, operating as part of the Information Security Department, resulted in the creation of the monitoring system architecture, the implementation of a subsystem for collecting and performing primary analysis of incidents, the implementation of an incident response platform, and the automatic creation of every incident as a task for team members in that platform. The processes are built so that the time from an attack to the analysis of the processes involved in it and to the termination of the attack usually does not exceed 4 hours.
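The report describes fraud monitoring for remote banking and an anti-fraud system that flags abnormal payments, and notes one case in which a payment was marked as suspicious but then confirmed by the customer. The following is an added illustration of how such a screening step can be built; it is example code written for this case study, not MKB's system, and the rule weights, thresholds, customer identifiers and payment history are all constructed assumptions. Each outgoing payment is compared with the customer's own baseline (typical amount, known counterparties, usual hours); a payment that scores high is held for customer confirmation rather than silently dropped, and a confirmed payment both goes through and extends the baseline, so the same transfer is treated as routine next time.

```python
"""Rule-based screening of outgoing payments against a per-customer baseline.

Added example for illustration only; the weights, thresholds and sample data
are assumptions and do not describe MKB's actual anti-fraud system.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List


@dataclass(frozen=True)
class Payment:
    customer: str       # customer identifier (constructed sample values below)
    counterparty: str   # beneficiary identifier
    amount_rub: float
    hour: int           # hour of day (0-23) at which the order was initiated


@dataclass
class Verdict:
    decision: str       # "release" or "hold"
    score: int
    reasons: List[str]


class FraudMonitor:
    """Three scored rules over a per-customer history of accepted payments.

    Assumed weights: amount far above the customer's own mean = 2,
    previously unseen counterparty = 1, order placed at night = 1.
    A total score of HOLD_SCORE or more holds the payment for confirmation.
    """

    HOLD_SCORE = 2

    def __init__(self, z_threshold: float = 3.0, min_history: int = 5,
                 night_hours: range = range(0, 6)) -> None:
        self.z_threshold = z_threshold
        self.min_history = min_history   # need this many payments before judging amounts
        self.night_hours = night_hours
        self.history: Dict[str, List[Payment]] = {}

    def record(self, p: Payment) -> None:
        """Add a released or customer-confirmed payment to that customer's baseline."""
        self.history.setdefault(p.customer, []).append(p)

    def screen(self, p: Payment) -> Verdict:
        past = self.history.get(p.customer, [])
        score, reasons = 0, []

        if p.counterparty not in {q.counterparty for q in past}:
            score += 1
            reasons.append("new counterparty")

        if len(past) >= self.min_history:
            amounts = [q.amount_rub for q in past]
            mu, sigma = mean(amounts), pstdev(amounts)
            sigma = sigma or max(0.1 * mu, 1.0)   # flat history: assume a 10% spread
            z = (p.amount_rub - mu) / sigma
            if z > self.z_threshold:
                score += 2
                reasons.append(f"amount is {z:.0f} standard deviations above the customer mean")

        if p.hour in self.night_hours:
            score += 1
            reasons.append("initiated outside business hours")

        if score >= self.HOLD_SCORE:
            return Verdict("hold", score, reasons)
        self.record(p)                  # released payments extend the baseline
        return Verdict("release", score, reasons)

    def resolve_hold(self, p: Payment, customer_confirmed: bool) -> str:
        """Resolve a held payment: confirmation releases it and updates the baseline."""
        if customer_confirmed:
            self.record(p)
            return "released_after_customer_confirmation"
        return "blocked"


# Constructed sample history for one legal-entity customer: routine daytime payments.
HISTORY = [
    Payment("LE-001", "supplier-A", 40_000, 10),
    Payment("LE-001", "supplier-B", 45_000, 11),
    Payment("LE-001", "supplier-A", 50_000, 14),
    Payment("LE-001", "supplier-C", 55_000, 15),
    Payment("LE-001", "supplier-B", 60_000, 16),
    Payment("LE-001", "supplier-A", 50_000, 12),
]


def run_demo() -> Dict[str, str]:
    """Screen a few constructed payments and return the decision for each."""
    monitor = FraudMonitor()
    for p in HISTORY:
        monitor.record(p)
    out: Dict[str, str] = {}
    out["routine"] = monitor.screen(Payment("LE-001", "supplier-A", 50_000, 11)).decision
    small_night = Payment("LE-001", "unknown-D", 3_000, 3)       # small, new payee, at night
    out["small_night"] = monitor.screen(small_night).decision
    out["small_night_confirmed"] = monitor.resolve_hold(small_night, customer_confirmed=True)
    out["repeat_to_D"] = monitor.screen(Payment("LE-001", "unknown-D", 3_000, 12)).decision
    out["large"] = monitor.screen(Payment("LE-001", "supplier-A", 2_000_000, 11)).decision
    return out


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name}: {decision}")
```

The small night-time transfer to an unknown payee is held and then released on customer confirmation, mirroring the report's RUB 3,000 case, while a very large transfer to a known supplier is held on the amount rule alone. In a production system the baseline would also need to be protected against an attacker slowly "training" it with many small accepted payments, which is one reason the report pairs monitoring with investigation and information exchange with other institutions.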

Which GRI Standards and corresponding Sustainable Development Goals (SDGs) have been addressed?

The GRI Standard addressed in this case is: Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data

Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data corresponds to:


80% of the world’s 250 largest companies report in accordance with the GRI Standards

SustainCase was primarily created to demonstrate, through case studies, the importance of dealing with a company’s most important impacts in a structured way, using the GRI Standards, and to show how today’s best-run companies are achieving economic, social and environmental success, and how you can too.

Research by well-recognised institutions is clearly proving that responsible companies can look to the future with optimism.



FBRH GRI Standards Certified, IEMA & CIM recognised Sustainability Course | Venue: London LSE

By registering for the next 2-day FBRH GRI Standards Certified, IEMA & CIM recognised course you will be taking the first step in gaining the many benefits of sustainability reporting.

Most importantly, you will gain the knowledge to use the GRI Standards, project manage your own first-class sustainability report and:

  • Identify your most important impacts on the Environment, Economy and Society
  • Begin taking solid, focused, all-round sustainability action ASAP


References:

1) This case study is based on published information by MKB, located at the link below. For the sake of readability, we did not use brackets or ellipses. However, we made sure that the extra or missing words did not change the report’s meaning. If you would like to quote these written sources from the original, please refer to the original on the Global Reporting Initiative’s Sustainability Disclosure Database at the link:

http://database.globalreporting.org/

2) https://www.globalreporting.org/standards/gri-standards-download-center/

Note to MKB: With each case study we send out an email requesting a comment on this case study. If you have not received such an email please contact us.