Cybersecurity and Data Privaсy

Materal topic:

Data privacy

GRI: 3-3; 418-1; SV-PS-230a.1; SV-PS-230a.2

Cybersecurity

Expert RA has an information security (IS) system designed to establish and enable an ongoing control of the IS risk, which should not go beyond the limits set in the Agency’s Information Security Enforcement Provision. Expert RA sets out the following basic principles of IS.

Timely detection of IS-related problems, predictability of their development and assessment of their impact on the Agency’s business goals

Key documents governing the Agency’s approach to cybersecurity and data privaсy:

Expert RA’s Information Security Enforcement Provision
Expert RA’s Data Privacy Enforcement and Confidential Data Handling Provision
Expert RA Pass Control and Intersite Communication Regime Regulation
Personal Data Policy
Personal Data Processing and Protection Provision
Expert RA’s Insider Information and Its Confidentiality Protection Provision

The Agency constantly monitors and audits the IS system, using the results of this work to analyse the effectiveness of taken measures with due account of changes in the IT environment, new threats, and IS incidents and issues. We also develop and introduce additional protection measures. This enables a continuous implementation of the principles of safe operation.

We conduct staff trainings to increase IS awareness; the training programme is adjusted to account for current threats. Employees can contact the Asset Protection Service (APS) any time to get advice on IS issues. Where necessary, APS informs the employees about the current threats through information letters.

Personal Data

The main purpose of protecting personal data (PD) is to minimise the physical, material, financial or moral damage, both direct and indirect, arising from the possible materialisation of threats to the PD security.

The Agency responsibly handles PD and confidential information received from its employees and customers, as well as its suppliers and contractors.

Measures taken by Expert RA to enhance information security:

The Agency has been entered in the register of PD operators (Reg. No. 77-23-153368)
PD are processed in accordance with applicable laws
Documents related to PD processing are adopted and continuously updated
Measures are taken to improve data security
A compliance audit for data processed by a third-party company has been conducted
Agency staff are regularly informed about PD handling rules

The Asset Protection Service controls the security of handling PD. This work is supervised by the Security Director, who is a member of the Management Board in charge of arranging PD processing in the Agency. When handling PD and insider information, employees are guided by the Agency by-laws, including a model of threats to PD in processing formation systems.

The Agency has approved a list of PD-containing documents and PD processing systems, as well as a limited list of employees with access PD processing.

Each and every employee is familiar with current law and regulations concerning PD protection. The Agency systematically tests employees engaged in PD processing for knowledge of PD protection regulatory documents and compliance therewith. Measures are taken to ensure the security of PD processing in accordance with the Agency’s Internal Control Plan to Ensure Compliance with PD Laws and Local Regulations.

Customer Insider Information

The Agency registers and controls confidential information coming from customers (insider information) strictly in accordance with the current laws of the Russian Federation. Measures are taken to prevent, identify and suppress the misuse of insider information and market manipulation in accordance with the Internal Control Rules for the Prevention, Detection and Suppression of the Misuse of Insider Information and/or Market Manipulation of Expert RA.