Operational risk, cyber-security, information systems and financial crime

PRINCIPAL RISK/UNCERTAINTY
We are at risk of experiencing cyber-security breaches, unauthorised access to our systems and financial crime, or failures in our banking activity processes or systems or human error, which could disrupt our customer services, result in financial loss, have legal or regulatory implications and/or affect our reputation. We are highly dependent on the proper functioning of our risk management, internal controls and systems, and internal processes including those related to data protection, IT and information security in order to manage these threats.

KEY DRIVERS/TRENDS
Cyber-security threats have continued to increase y-o-y and during 2018, we saw a number of major international organisations subject to cyber-attacks, although fortunately, our operations were not materially affected. The external threat profile is continuously changing and we expect threats to continue to increase. Over the past few years, as our operations have expanded, we have seen an increase in electronic crimes, including fraud, although losses have not been significant. Money laundering, which the Bank has measures in place to guard against, has also increased globally in recent years.

MITIGATION
We have an integrated control framework encompassing operational risk management, IT systems, corporate and other data security, each of which is managed by a separate department. We also have an Anti-Money Laundering (AML) officer and controls in place. We identify and assess operational risk categories within our risk management framework, identify critical risk areas or groups of operations with an increased risk level and develop policies and security procedures to mitigate these risks.
We have security controls in place including policies, procedures and security technologies. We also regularly carry out IT and information security checks internally and with the assistance of external consultants. We have sophisticated anti-virus protection and firewalls to help protect against potentially malicious software. We have increased our internal and external penetration testing and have back-up disaster recovery and business continuity plans in place across the Group. We improved access control and password protections through the implementation of “Privileged Access Monitoring” for employees with the highest privileged access to confidential and customer data. We continue to invest in technology to enhance our ability to prevent, detect and respond to increasing and evolving threats. Our Internal Audit function provides assurance on the adequacy and effectiveness of our risk management, internal controls and systems in place. These types of operational risk are on the Audit Committee’s regular agenda and are also frequently discussed at Board level.

Annual Report 2018 Bank of Georgia Group PLC 67