Summary of the Information Security Policy

The Artea Bank Group (hereinafter “Artea”) places particular emphasis on information security and the digital operational resilience. The Information Security Policy establishes the fundamental principles and requirements for organizing and ensuring the security of Artea’s information and information systems.

Scope of the Policy

The Information Security Policy applies to the Group’s management bodies, the Group’s employees and third parties providing information and communication technology (ICT) services who have access to the information. It covers all information, including personal data, commercial secrets, and confidential information, regardless of its form.

Main Objectives

Artea aims to:

  • ensure a high level of digital operational resilience:
    • ensure the resilience, continuity and availability of information systems, primarily those supporting critical or important functions;
    • ensure information security by maintaining high standards of confidentiality, integrity and availability;
    • identify, effectively mitigate, and manage ICT risks;
  • ensure compliance of information security with legal requirements.

Information Security Management

  • The implementation of the Information Security Policy is ensured through the consistent planning, implementation, evaluation, and continuous improvement of the Information Security Management System (ISMS) in accordance with the ISO/IEC 27001 standard, which includes organizational, human, technological and physical security measures designed to achieve the information security objectives and to manage emerging information security risks.
  • Requirements for security measures are incorporated into Artea’s ICT Risk Management System and are described in documents implementing the Information Security Policy, which regulate ICT asset management, encryption and cryptographic controls, ICT operations security, capacity and performance management, vulnerability and patch management, change management, including security integration throughout the entire information systems development and deployment cycle (Security by Design), information and information system security, and other provisions for information security management and ensuring the digital operational resilience.
  • The scope of the ISMS covers the handling of information systems and processing of the data they contain, the handling of commercial secrets and confidential information, including personal data, and the provision of financial services.

Risk Management and Oversight

Information security risks are assessed and managed using a risk-based approach. Risk assessments, compliance checks, digital resilience testing, and internal audits are conducted on a regular basis. The effectiveness of information security is periodically reported to Artea’s management and supervisory bodies.

Responsibility

The Chief Information Security Officer (CISO) is responsible for organizing information security and maintaining the ISMS.

Personal data protection issues within the Group are coordinated by Data Protection Officers (DPOs).

Risk management issues related to information security within the Group are coordinated by the Chief Risk Officer (CRO), who is responsible for risk identification, assessment, monitoring and effective risk management. All Artea employees and ICT service providers are required to comply with information security requirements and immediately report any security incidents or potential breaches.

Compliance with Legislation

The Information Security Policy is implemented in accordance with:

  • the Digital Operational Resilience Act (DORA);
  • the General Data Protection Regulation (GDPR);
  • the Law of the Republic of Lithuania on Cyber Security;
  • other applicable laws and regulatory requirements.