Information Security Policy


1. INTRODUCTION

1.2. Kevin EU, UAB (the Company), duly established and existing under the laws of the Republic of Lithuania, is a licensed payment institution operating under the Payment Institution License issued by the Bank of Lithuania and providing payment services such as payment initiation service (PIS), account information service (AIS), acquiring of payments and money remittance. In accordance with Article 28 of the Second Payment Services Directive (PSD2), the Company exercises its freedom to provide services under passporting rules within the European Economic Area. The Company, with its headquarters in Vilnius, Lithuania, is a pioneering technology company on a mission to free partners from the problems of legacy technology by making transactions more efficient, secure, and convenient — for digital and, uniquely, physical sales.

1.3. The Company considers information security in its holistic sense and treats Information Security as the preservation of confidentiality, integrity, and availability of information, implicitly including cyber defence and personal data protection.

1.4. The Information Security Policy (the Policy) is aligned with, and the Company follows, the applicable legal acts, such as European Banking Authority Guidelines EBA/CP/2018/15 on ICT and security risk management, Resolution No. 03-174 of the Board of the Bank of Lithuania of 26 November 2020 "On the Approval of the Description of Information and Communication Technology and Security Risk Management Requirements", the GDPR (General Data Protection Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC), and the requirements deriving from the International Organisation for Standardisation standard ISO/IEC 27001:2022 “Information security, cybersecurity and privacy protection — Information security management systems — Requirements”.

1.5. The Policy has been established considering the Company’s general business strategy and its ability to take information security risks.

1.6. The Policy is the public version of the Company’s broader Information and Cyber Security Policy, which sets the information and cyber security management principles and requirements within the Company. The Company’s Information and Cyber Security Policy is an overarching document. It is supported by narrower but more detailed, subject-specific internal information and cyber security policies. Below is the list of key information security documents and policies that the Company has adopted:

  • Risk Management Strategy,
  • Information and Cyber Security Policy,
  • Information Access Control Policy,
  • ICT Security Incident Management Policy,
  • ICT and Security Risk Management Policy,
  • Vulnerability Assessment and Management Policy,
  • Information Classification, Marking and Labelling Policy,
  • Outsourcing Security Policy,
  • Detailed List of Confidential Information,
  • User Account Management Policy,
  • Data Retention Policy,
  • Business Continuity Plan,
  • Business Continuity Assuring Measures Plan,
  • Document, Computer Data and Media Disposal Policy,
  • Personal data processing rules,
  • Change Management and Control Policy,
  • Remote Work Policy,
  • Secure System Architecture and Engineering Policy,
  • Application Security Policy,
  • Compliance Policy,
  • Learning and Development Policy,
  • ICT Asset Management Policy, and others.

2. INFORMATION SECURITY MANAGEMENT SYSTEM

THE CONTEXT

2.2. The Company’s Information Security Management System (ISMS) is built considering the context and environment in which the Company operates. In addition to the legislative and governmental supervision environments mentioned in Chapter 1 of this Policy, the Company considers other key influential factors to maximise the efficiency of the ISMS and its dynamic adaptability to current trends. Such factors are market trends, changes in customer culture and requirements, technological shifts and innovations, and emerging threats and risks. The Company monitors changes in key indicators within the mentioned areas so that it can react, adapt and adjust its business instruments and utilise technologies in a timely manner, and so that the services the Company provides to its customers always remain of high quality, technologically advanced and secure.

2.3. The Company’s strategic goal is to provide only high-standard, secure, and reliable services to its customers; therefore, the Company will rely only on technologies and solutions that are security-certified, trustworthy, highly available, robust and resistant to various threats, including cyber-attacks. The core platform for the Company’s services is the Amazon Web Services (AWS) cloud solutions. The Company also utilises Google Cloud services. The Company’s ICT infrastructure in the cloud is protected by various security management, control and monitoring mechanisms and technologies following the “defence-in-depth” principle, such as robust encryption of data in transit and at rest, protection from denial-of-service attacks, web application firewalls, intrusion detection systems, vulnerability and security event monitoring solutions, strong authentication techniques, secure coding and code assurance mechanisms, etc. Data stored in the cloud resides in European data centres.

2.4. The Company utilises multifactor authentication technologies and strict, granular and cascaded access control for access to internal systems in the office, production, test and development environments, including code repositories. The Company manages vulnerabilities across its ICT infrastructure and keeps systems hardened according to hardening guides and benchmarks provided by vendors and by widely recognised bodies such as the Center for Internet Security (CIS). For data encryption in transit, the Company uses digital certificates obtained from EU-trusted certification authorities. The Company follows the policy principle that the cryptographic mechanisms in use (including cryptographic key generation and management) must meet international cryptographic security standards applicable to the financial sector and be approved for use in the EU or USA.

THE SCOPE OF ISMS

2.5. The Company’s ISMS covers the Company’s processes and activities for the “Provision of payment services (payment initiation, account information, acquiring, money remittance, payment instrument issuing) and platforms for financial service providers and customers”.

SECURITY OBJECTIVES AND COMMITMENTS

2.6. The Company has established information security objectives:

  • reduce the likelihood and minimise the impact of security events,
  • implement security controls in a centralised and systematic way to reduce complexity,
  • ensure assets are effectively protected,
  • eliminate possibilities of misuse of sensitive information,
  • adopt information security standards and adhere to best practices,
  • strengthen the security awareness program to increase staff resistance to cyber-attacks.

2.7. To achieve information security objectives, the Company has implemented security controls in the following areas:

  • Organisational controls (such as segregation of duties, identity management, access rights management, and incident management);
  • People controls (such as screening, awareness training, secure remote working);
  • Physical controls (such as secure disposal of data and equipment);
  • Technological controls (such as multifactor authentication, configuration management, data leakage prevention, data encryption in transit and at rest by robust cryptographic means, secure code by design).

2.8. The Company commits to complying with the information security requirements set in this and other Company policies and to continually improving the Company’s Information Security Management System.

2.9. Information assets are of strategic importance to the Company and its activities. Leakage of information, unauthorised alteration, disruption, destruction or other security breaches may disrupt the Company’s operations and cause damage to the Company, its partners and its customers. The Policy, therefore, forms an essential part of the Company’s operations and is embedded in all aspects of them.

2.10. The implementation and management of the Policy in the Company will be ensured and managed through consistent planning, implementation, evaluation and improvement of Information and Communications Technology (ICT) systems security management.

2.11. The planning of the implementation of the Policy is based on the Company’s intentions, targets, strategic directions for strengthening ICT security, international standards and widely accepted best practices that the Company aims to follow.

2.12. The Policy is supported by the Company’s narrower but more detailed, subject-specific information and cyber security policies. International and industry standards, such as those released by the International Organization for Standardization (ISO), should be consulted for specific technical engineering questions related to information and cyber security. The Company has also established and maintains contact with special interest groups and other specialist security forums and professional associations, such as ISACA and PCI DSS consultancy bodies, and maintains contact with information security experts across the financial sector, money laundering and terrorist financing prevention control institutions, and the National Cyber Security Centre.

ROLES AND RESPONSIBILITIES

2.13. The Company assigns responsibilities to groups and individuals to ensure proper information and cyber security and to implement the required security measures. The primary goal of this system of responsibilities is to create a security management hierarchy and to define (spread and assign) security tasks across the different business layers, from the governance level down to execution and control. The major roles and responsibilities are set as follows:

  • The Management Board of the Company sets the information and cyber security strengthening and management vectors by approving the respective security policies and the ISMS.
  • The Managing Director is responsible for ensuring that the approved policies and ISMS are adhered to, and based on an assessment of current risks, proper information and cyber security controls are established.
  • Chief Information Security Officer (CISO) is responsible for information and cyber security governance, ensures that the operations are running within an acceptable level of defined risk, and promotes and oversees the implementation of risk-reducing measures (policies, procedures, audits, training, and technical solutions).
  • Information Security Officer (ISO) is responsible, among other duties, for ensuring the Company’s ISMS conformance to ISO/IEC 27001 standard requirements.
  • Internal Auditor validates the implementation and compliance with the information security specifications and measures established by this Policy and by the standards, procedures and practices derived from ISO/IEC 27001 standard and conducts internal audits of the ISMS.
  • Chief Product and Technology Officer (CPTO) is responsible for implementing technical and procedural information and cyber security requirements and controls, as defined in the Company’s information and cyber security policies, and this Policy, within the processes of software and solutions development and maintenance across ICT infrastructure, networks, platforms, services and endpoints, on-premises or in the cloud.
  • The Directors of every business area are responsible for properly managing the information and cyber security risks (in the same way as all other operational risks) affecting the activities of the departments, branches and teams within their business area.
  • Every employee is responsible for adhering to this Policy, other information and cyber security policies, guidelines, and instructions.

2.14. The Company has established a body to manage compliance and risk at the Company level. The members of the body are the Chief Compliance Officer, the Risk Management Officer, the Data Protection Officer, the Chief Information Security Officer, the Money Laundering Reporting Officer and permanent invitees such as the Internal Auditor.

TRANSPARENCY AND COOPERATION

2.15. To be transparent, to react to security threats in a timely manner and to stay as close as possible to its customers, to security experts across the “white-hat” security researcher community and to other interested parties, the Company has established a Bug Bounty program, based on the responsible disclosure principle, which allows anyone to report system vulnerabilities and security concerns.