Customer Data Privacy and Security Protection

2020 Sustainability Report | PT Bank Central Asia Tbk

Customer Data Privacy and Security Protection

Data, Transactions Security, and Customer Data Confidentiality

[418-1] [FN-CB-230a.2]

BCA has ISO 27001 certification covering the information security management system standards for its network and data center systems. In addition, BCA was one of the first private banks to receive the prestigious certification, PCI DSS 3.2.1, for all entities managing cardholder transactions and data, including the data centers.

With the rapid development of information technology, customers' digital interactions with BCA have also increased. However, this can also lead to a risk of technology crime, so BCA continues to improve its IT security system. BCA’s IT security system has been developed to protect data security and ensure the IT system’s availability to serve customer transactions, including preventing and anticipating cyber-crime and potential fraud.

For Data Loss Prevention (DLP), BCA’s ongoing data security strategy is to increase the security of important electronic information and to prevent information theft and access by unauthorized parties. To ensure security in BCA’s internet-based internal applications, BCA has implemented Two-Factor Authentication to ensure access to the database is carried out only by authorized personnel.

BCA ensures that all company data is classified according to the level of data confidentiality. BCA uses a Database Activity Monitoring solution to ensure that the database is accessed only by authorized people and applications.

This solution is equipped with machine learning and artificial intelligence features to ensure no anomalies occur. To further protect the security of confidential data in the database, BCA has implemented Database Masking technology to protect confidential data from being exposed to unauthorized parties.

BCA was one of the first private banks to receive certification under the Payment Card Industry Data Security Standard (PCI DSS) 3.2.1, which is intended for all entities that manage transactions and cardholder data, including data centers. In addition, BCA also obtained ISO 20000-1:2018 certification in order to improve the service management system (SMS).

To ensure service security for all customers, the Director of Information Technology also provides oversight through regular reports submitted by the Strategic IT Group Division. During 2020, BCA held social engineering awareness e-learning training for all BCA employees. BCA did not encounter any significant cases related to violations or misuse of customer data and privacy. In 2020, no customer data was lost. Therefore, there were no sanctions/fines imposed on BCA or its employees. [418-1][FN-CB-230a.1]

BCA provides banking solutions supported by a reliable data security system.

Preventing Financial Crime and Technology Crime

Money laundering and terrorism financing practices are considered financial crimes. BCA has implemented Anti Money Laundering and Prevention of Terrorism Funding (AML and PTF) policies for all transactions in the branches. AML and PTF Guidelines are contained in the Board of Directors’ Decree No. 145/SK/DIR/2019 dated September 20, 2019.

As technology advances, the risk of crime in digital financial services will increase. To mitigate this risk, BCA provides banking safety education for all customers and has increased security at all digital banking outlets and e-channels, for example by installing CCTV at ATM locations or digital banking outlets.

Information Technology System Security

BCA’s main priority is ensuring the security of its BCA e-channel application so as to increase customer confidence and convenience in making transactions.

BCA has improved the security of its digital channel transaction platforms by utilizing machine learning technology and artificial intelligence to detect malware on customers’ computers early. BCA regularly conducts application vulnerability testing in collaboration with IT security consultants.

For mobile device security, BCA has implemented Secure E-mail on its mobile devices to protect stored e-mails, as well as antivirus software to ensure mobile devices are free from malware. For e-mail security, e-mail sandboxing has been added to ensure that incoming e-mails to BCA are free from malware, and e-mail tagging is used to provide additional information if an e-mail comes from outside BCA.

BCA has also implemented a container protection solution to ensure the security of its platforms and applications. On the network side, which carries banking transaction traffic, BCA has also improved its security and has started to implement a Next-Generation Intrusion Prevention System with advanced detection and protection capabilities to prevent vulnerability exploits and malware, thereby increasing the Bank’s network security.

BCA’s server security improvements involve ensuring the anti-virus is always up to date, as well as improving the patch management process and equipping the servers with virtual patching solutions. In addition, BCA has also enhanced its Security Log Management to correlate logs that detect any potential fraud that may occur. BCA’s Security Monitoring Center team oversees all internal and external threats and attacks on the information technology system.

HR competencies are continuously being strengthened through IT system security knowledge-sharing and training so as to anticipate the latest cyber attacks. To increase security awareness, BCA maintains a continuous dialogue within the company, and externally through the company website and cyber security socialization activities. To increase employee awareness, BCA also conducts e-mail phishing tests on an ongoing basis, and all employees are required to complete Social Engineering Awareness e-learning. During 2020, no customer data was lost. [FN-CB-230a.1]
