Information security policy 

Akbank acts with the awareness and responsibility of protecting the information entrusted to it by its customers and stakeholders and conducting its activities in accordance with relevant laws and regulations.

Akbank's senior management considers information security to be one of its top priorities and acts in full compliance with its information security policy. Senior management leads the bank by allocating the necessary resources, integrating information security into the bank's strategic planning, and establishing an information security management system that will bring security measures related to information systems to an appropriate level.

The Information Security Committee operates to effectively ensure risk management related to information security, coordinate, manage, and monitor risk management activities within the organization, oversee the proper implementation of the information security strategy, and assess significant information security risks.

The management of the information security and cybersecurity program, as well as the implementation of related controls across the bank, is carried out under the responsibility of the chief information risk officer (CIRO), who is responsible for information risk management.

Akbank manages information security risks with a “Three-Tier Security” model that adheres to the principle of separation of duties. The first line of defense establishes and operates the necessary controls within its processes in accordance with the information security policy and related control objectives; the second line of defense carries out risk management, oversight, and assurance activities in terms of compliance with information security policy and related control objectives; the third line of defense carries out assurance activities to ensure that the activities carried out by the first and second lines of defense are effective and adequate. Each business unit is ultimately responsible for managing information security risks in its own area and promoting a culture of shared responsibility. This distribution of responsibility also applies to individuals.

Akbank establishes an effective information security control environment within the framework of national and international legislation, standards, and best practices in order to manage the risks posed by potential threats that could compromise the confidentiality, integrity, and continuity of its information assets and data. In this context, the bank operates a systematic risk management process, identifies and classifies information assets, continuously assesses threats that may affect these assets and the risks they pose, and minimizes residual risk by establishing appropriate measures.

The bank monitors cyber attack attempts in real time, quickly assesses the threats it detects as part of its cybersecurity incident response process, and takes the necessary measures. The bank incorporates the lessons learned from this process into its information security strategy, thereby maintaining a high level of resilience.

Akbank adopts a layered and multi-stage protection approach known as defense in depth to protect its information assets and data. The bank develops its control environment to cover all important areas of information security, and regularly reviews its effectiveness and adequacy.

Akbank has established an effective information security program with the aim of creating a strong awareness of information security, ensuring that all employees are aware of information security threats and risks, and adopting security policies and best practices. The bank promotes a culture that encourages employees to maintain a high level of vigilance and immediately report suspicious activities or potential security vulnerabilities.

Akbank addresses third-party information security risks as part of its corporate information security risk management process. The bank establishes contractual relationships with third-party service providers in a manner that ensures the security and confidentiality of shared data and compliance with the bank's security policy and requirements, conducts third-party security assessments prior to purchasing services, and carries out continuous oversight activities.

The bank demonstrates a determined approach to regularly improving its information security management processes. It monitors the effectiveness of information security controls and processes using metrics, reviews them periodically, and audits them. The bank closely monitors the changing threat environment. As a result of these efforts, the bank carries out the necessary improvement activities.

 
 