Data Breach Policy
TROPIC GATEWAY SOLUTION S.A
11.07.2024
1. Purpose and Scope
1.1. Purpose
This Data Breach Policy (hereinafter referred to as the “Policy”) establishes a set of
measures for identifying, preventing, and responding to incidents related to data security
(hereinafter referred to as “Incidents” or “Breaches”). The purpose of this document
is to minimize the risk of financial and reputational losses, ensure compliance with
applicable legislation (including, but not limited to, GDPR and local regulatory acts
in the field of financial services), and strengthen user trust in the infrastructure
of the website www.finassets.io.
The main objectives pursued by this Policy are:
- To ensure business continuity through prompt response to data breaches.
- To strengthen the protection of personal and financial data of clients, counterparties, and partners.
- To ensure compliance with legislation and mandatory industry standards (GDPR, KYC/AML, and other requirements).
- To establish clear roles and responsibilities within the company in the event of a detected or suspected data breach.
1.2. Scope
1.2.1. Organizational boundaries:
The Policy applies to all structural units, branches, subsidiaries, and other entities
within the business structure of TROPIC GATEWAY SOLUTION S.A., as well as all data
processing activities associated with them.
1.2.2. Data categories:
- Personal Data of clients, users, employees, and counterparties (including surname, first name, contact information, credit card data, etc.).
- Financial and payment information (transactions, account numbers, credit card data, payment details).
- Trade secrets and confidential information (strategic plans, internal reports, supplier database, sales reports, etc.).
- Any other types of data protected by applicable law and internal company policies.
1.2.3. Technological boundaries:
This Policy governs all processes of data storage, processing, and transmission within
corporate networks, cloud services, employee workstations, mobile devices, as well as all
external systems with which the company interacts under outsourcing contracts or other agreements.
1.2.4. Subjects: This Policy applies to:
- Company employees (both full-time and temporary staff) who have access to TROPIC GATEWAY SOLUTION S.A. information systems.
- Contractors, subcontractors, and partners who work with or have access to data as part of their duties and contractual relationships with the company.
- Other third parties involved in data processing, transmission, and storage (e.g., cloud service providers, external auditors, consultants).
1.2.5. Exceptions:
The Policy may not cover issues related to the physical security of office premises (e.g., access control),
if regulated by separate internal documents. However, any aspects that may affect the integrity, confidentiality,
or availability of digital data are considered within the scope of this Policy.
1.2.6. Relation to other internal policies:
This Policy is an integral part of the company’s information security management system and complements the provisions of other internal documents, including the Privacy Policy, Information Security Policy, and other regulations related to data protection.
2. Definitions
For the purposes of this Policy, the following terms and definitions are used as described below:
2.1. “Data Breach”
Any confirmed or potential incident resulting in unauthorized disclosure, loss, alteration, copying, or destruction of data (personal, confidential, financial, or other), or unauthorized access to such data.
2.2. “Security Incident”
Any event or series of events that may lead to a violation of the availability, integrity, and/or confidentiality of data and systems within the company's infrastructure, including suspected unlawful actions by third parties or company employees.
2.3. “Personal Data / PII”
Any information that directly or indirectly relates to an identified or identifiable natural person (data subject), enabling the identification of that person (e.g., full name, contact details, location information, payment details, etc.).
2.4. “Confidential Information”
Information constituting trade secrets or otherwise classified by the company as restricted access data, such as financial reports, internal strategic documents, and data about clients and partners.
2.5. “Data Subject”
A natural person to whom the personal data processed by the company relates (e.g., clients, website users, employees, contractors).
2.6. “Data Controller”
A legal or natural person who determines the purposes, content, and means of processing personal data. Within the context of this Policy – TROPIC GATEWAY SOLUTION S.A. or the relevant business unit.
2.7. “Data Processor”
Any legal or natural person who processes data on behalf of the Data Controller (e.g., an outsourced IT company, cloud provider, call center).
2.8. “GDPR” (General Data Protection Regulation)
The European Union’s General Data Protection Regulation, which sets out principles and requirements for storing, processing, and protecting the personal data of EU residents, including breach notification procedures within 72 hours of detection.
2.9. “KYC/AML” (Know Your Customer / Anti-Money Laundering)
A set of mandatory procedures and measures aimed at identifying clients and preventing transactions related to money laundering and the financing of illegal activities.
2.10. “Authentication”
The process of verifying the authenticity of a user, system, service, or device, typically using passwords, multi-factor authentication, cryptographic keys, or other identification methods.
2.11. “Authorization”
The assignment and control of user or system access rights to resources, applications, or data. A mechanism that determines what actions can or cannot be performed.
2.12. “Availability”
The property of information and information systems being accessible and ready for use when needed by authorized users.
2.13. “Confidentiality”
The property of information being inaccessible to unauthorized users and parties.
2.14. “Integrity”
The property of information to remain complete and unaltered from the moment of creation or last modification by an authorized person.
2.15. “Security Monitoring”
A set of processes and technologies aimed at the continuous monitoring of events within the information infrastructure to detect and prevent incidents in a timely manner.
2.16. “Digital Forensics”
Methods and tools used in the investigation of incidents that help identify sources, methods, and the extent of damage, as well as collect legally admissible evidence.
3. Policy Statement
3.1. Comprehensive Approach to Data Protection
TROPIC GATEWAY SOLUTION S.A. (hereinafter referred to as the “Company”) recognizes the critical importance of protecting personal data, financial and commercial information, as well as complying with regulatory requirements and industry standards (GDPR, KYC/AML, etc.). This Data Breach Policy (hereinafter referred to as the “Policy”) sets forth the Company’s commitments to preventive cybersecurity measures and prompt response to any events that threaten the availability, integrity, and confidentiality of data.
3.2. Principles and Values
Transparency: The Company strives to ensure timely, accurate, and comprehensive communication with affected parties and regulators upon detection of incidents, in order to safeguard the interests of clients, partners, and employees.
Accountability: Every employee or partner with access to the Company’s infrastructure and processed data is obliged to act in accordance with this Policy. Non-compliance may result in administrative or other liability.
Continuous Improvement: The Policy and related procedures are regularly reviewed and updated to keep pace with the evolving cybersecurity threat landscape and legal requirements.
3.3. Company Commitments
- Preventive Measures: Implementation of modern technologies, process solutions, and employee training to reduce the likelihood of breaches and incidents.
- Strict Access Standards: Establishment and maintenance of clear authentication and authorization rules for all systems, services, and applications.
- Timely Detection: Use of monitoring systems, penetration testing, and other tools to promptly detect attempts or facts of unauthorized access to data.
- Timely Notification: In the event of a confirmed Data Breach, notifying competent authorities and data subjects within the prescribed timeframe (e.g., within 72 hours as per GDPR) and in accordance with local regulations, as well as informing relevant internal stakeholders.
- Post-Incident Analysis: Conducting a detailed investigation of the causes and consequences of the incident, documenting the findings, and implementing corrective measures to prevent recurrence.
3.4. Policy Application Areas
This Policy is integrated into the overall information security management system and applies to all processes related to data storage and processing within the Company's activities, including but not limited to:
- Interaction with clients and partners,
- Product development and testing,
- Corporate document management and financial operations,
- Management of infrastructure components (servers, databases, cloud services, mobile devices).
3.5. Relationship to Other Regulatory Documents
Issues not covered by this Policy are governed by the provisions of the internal Privacy Policy, Information Security Policy, and other regulations in force within the Company. In case of conflicts, priority is given to the provisions that most strictly regulate data protection and comply with applicable legal requirements.
4. Roles & Responsibilities
4.1. Top Management
Security Strategy and Policy Approval: Ensures that the Data Breach Policy (hereinafter referred to as the “Policy”) aligns with the overall strategic direction of the Company and is adequately supported with necessary resources.
Policy Oversight: Periodically assesses the effectiveness of the Policy and takes corrective actions in case of any deficiencies.
Resource Allocation: Allocates financial, technical, and human resources needed to implement information security measures.
4.2. Security Department / CISO Office
Finassets provides information security and compliance functions, including AML/CFT matters, by engaging external specialized companies and experts under outsourcing agreements. The company does not employ in-house specialists in these areas.
4.2.1. External IT Security Provider
The Company engages a specialized external service provider for information security, which performs the following functions:
- Continuous Monitoring and Incident Response:
  - 24/7 monitoring of the Company’s information infrastructure.
  - Prompt identification and classification of data security threats and incidents.
- Incident Investigation and Digital Forensics:
  - Technical investigation of security incidents.
  - Preparation of reports with recommendations for remediation.
- Security Testing and Audits:
  - Penetration testing and regular infrastructure audits.
  - Providing recommendations to enhance protection and eliminate vulnerabilities.
- Compliance Consulting:
  - Supporting the Company in meeting international standards (e.g., GDPR, PCI DSS, ISO 27001).
4.2.2. External Compliance Officer / MLRO
Compliance Officer and Money Laundering Reporting Officer (MLRO) functions are also provided by an external expert (or company) under an outsourcing agreement. Main responsibilities include:
- AML/CFT Compliance:
  - Monitoring transactions and detecting suspicious activity in line with anti-money laundering and counter-terrorism financing laws.
  - Prompt communication with regulators and supervisory authorities.
- Regulatory Reporting and Communication:
  - Preparing and submitting regulatory reports in a timely manner.
  - Managing communications with regulators on compliance matters.
- Training and Consulting:
  - Conducting regular briefings and training on AML/CFT issues.
  - Advising Company leadership on compliance and regulatory changes.
- General Compliance Monitoring:
  - Verifying adherence to internal corporate policies and procedures.
  - Providing regular compliance consulting to the Company.
4.2.3. Internal Oversight and Coordination with External Providers
The Company appoints a responsible person (e.g., director or department head) to coordinate work with external service providers:
- Maintains communication with external companies and specialists.
- Monitors contract performance and service quality.
- Regularly updates Company leadership on the current state of information security and compliance.
- Coordinates incident response actions between the Company and external providers.
4.2.4. Legal Support and General Oversight
The Company ensures regular oversight and monitoring of external contractors' compliance with contractual obligations through its legal department (or outsourced legal support), including ensuring regulatory compliance.
- Interaction and Coordination with the Provider:
  - A designated employee is assigned to coordinate the activities of the external provider.
  - This person handles communication on all information security issues and coordinates response efforts.
- Contract Compliance Oversight:
  - The Company reserves the right to regularly assess service effectiveness and quality and revise contract terms as needed.
4.3. IT Services (Outsourced)
- Technical Support:
  - A third-party company maintains the IT infrastructure and installs and updates protective systems, including antivirus software, firewalls, and data encryption solutions.
- Vulnerability Audits and Testing:
  - The contractor conducts regular vulnerability scans and penetration testing and updates software to minimize risks.
- Backup and Recovery:
  - Performs regular data backups, maintains an up-to-date Disaster Recovery Plan, and ensures timely system recovery in case of incidents.
4.4. Legal Support (Outsourced)
- Regulatory and Legal Support:
  - An external legal partner ensures data processing and protection activities comply with local and international laws (GDPR, financial regulations, KYC/AML standards, etc.).
- Notification of Regulators and Data Subjects:
  - In case of a confirmed breach, the legal partner advises the Security Department and Top Management on timely notification of regulators and affected data subjects, and supports legal proceedings if necessary.
- Contractual Obligations Review:
  - Reviews third-party contracts (outsourcing companies, suppliers, partners) to ensure security compliance and include clauses on breach liability.
4.5. Compliance Function (Outsourced)
- Regulatory Compliance Oversight:
  - The external compliance partner ensures internal procedures and policies fully comply with current regulatory requirements (central banks, EU oversight bodies, and other relevant regulators).
- Internal Audits and Reviews:
  - Conducts regular internal audits, identifies non-compliance, and issues remediation recommendations.
4.6. All Staff
- Policy Compliance:
  - All employees must follow this Policy and other data protection documents (including password security and other procedures defined by Company policies and regulations).
- Incident Reporting:
  - Upon detecting suspicious activity or a potential breach, employees must immediately report it to their direct supervisor or the Security Department.
- Responsible Resource Use:
  - When working with corporate systems, documents, and information, employees are personally responsible for preventing unauthorized access to data.
4.7. Contractors & Third Parties
- Contractual Compliance:
  - All external contractors and partners with access to the Company's information systems and data must comply with contractual obligations and this Policy.
- Information Sharing:
  - In the event of a detected or suspected data breach, contractors and third parties must notify the Company promptly as per the established procedure.
- Security Obligations:
  - Where necessary, use cryptographic, organizational, and technical means specified by the Company to protect data processed or transmitted on the contractor's side.
5. Detection & Incident Classification
5.1. Objectives and Detection Principles
TROPIC GATEWAY SOLUTION S.A. (hereinafter referred to as the "Company") implements a set of preventive and monitoring measures aimed at the timely detection of any incidents related to data security. The main principles are:
- Proactive Monitoring: Use of specialized tools (IDS/IPS, SIEM systems, log analysis systems, proactive traffic filtering mechanisms) for continuous monitoring of events in the corporate infrastructure.
- Regular Testing: Scheduled vulnerability assessments, penetration testing, and system scans for malicious software.
- Baseline Establishment: Defining normal (reference) parameters of network and system activity to quickly detect anomalies.
5.2. Indicators and Signs of a Possible Breach
- Network Traffic Anomalies: Unusually high data transfer volumes, atypical time or direction of traffic, attempts to access closed ports.
- Unauthorized Operations in Logs: Failed login attempts (Brute Force), large-scale data downloads, unidentified data edits or deletions.
- System Failures and Vulnerabilities: Uncontrolled reboots, service freezes, or user behavior incompatible with policy (e.g., unauthorized software installation).
- User Reports: Complaints or alerts from clients, employees, or partners indicating a breach, unusual activity in user accounts, or suspicious transactions.
5.3. Initial Response Algorithm for a Potential Breach
- Alert Registration: A monitoring system or authorized employee generates a corresponding alert in the corporate ticket or incident management system.
- Preliminary Analysis: The on-duty administrator evaluates the anomaly, cross-checks logs, baseline parameters, and access policies.
- Incident Status Assignment: If signs of data compromise are present, an official incident notification is created and the classification procedure is initiated.
5.4. Incident Classification Criteria
To determine the severity and response priority, a classification scale is used, considering the following factors:
- Data Volume Affected: Number of records, confidentiality level (personal data, payment info, trade secrets).
- Business Impact Level: Potential disruption of key business processes, solvency risks, regulatory sanctions.
- Propagation Risk: Possibility of attack escalation, involvement of additional systems or users.
- Reputational Risks: Likelihood of negative media coverage, serious claims from clients or partners.
5.5. Incident Types by Criticality
- Low Priority:
  - Minimal impact, limited data involved (e.g., anomalous activity without confirmed data compromise).
  - No immediate threat to the Company's financial stability or reputation.
- Medium Priority:
  - Potential involvement of confidential data, with risks of financial or reputational damage.
  - Requires prompt analysis, possibly involving multiple departments (IT, security).
- High Priority:
  - Breach confirmed; signs of significant impact on business processes or a large volume of leaked data.
  - Requires immediate escalation to top management, activation of the emergency response plan, and regulatory notification within defined timeframes (e.g., 72 hours per GDPR).
5.6. Decision-Making on Response Scale
After classifying the incident and assessing the risks, a decision is made regarding the scope and depth of further investigation. Top management and/or the security committee may decide to:
- Use Internal Resources: Engage outsourced security and IT specialists to resolve the incident.
- Engage External Experts: Involve external professionals (digital forensics, legal counsel, PR agencies for managing reputational risks).
5.7. Role of Employees and Users
The Company encourages all employees, contractors, and users to immediately report any suspicious activity or signs of a data breach to the appropriate Company authority. A zero-tolerance policy for intentional concealment of incidents is enshrined in internal regulations.
6. Risk Assessment
6.1. Objectives and Goals of Risk Assessment
Risk Assessment is a key component of incident management, providing insight into the potential negative consequences for the Company and its stakeholders (clients, partners, employees). The main objectives of this process are:
- To qualitatively and quantitatively determine potential losses under various incident development scenarios.
- To prioritize response resources based on the criticality level of identified risks.
- To develop effective threat mitigation measures and prepare corrective actions in case of escalation.
6.2. Risk Assessment Methodology
To ensure consistency and objectivity in analysis, the Company follows recognized international information security risk management standards (e.g., ISO/IEC 27005, NIST SP 800-30) along with internal protocols. The risk assessment methodology may include:
- Asset Identification: Identifying systems, services, databases, and infrastructure components that may be affected by a data breach.
- Vulnerability Analysis: Identifying technological and organizational weaknesses (software, access management processes, behavioral factors).
- Threat Identification: Analyzing potential threats (external cyberattacks, insider actions, technical failures, administrative errors).
- Likelihood Estimation: Assessing the probability of incident occurrence considering existing safeguards and response plans.
- Impact Analysis: Evaluating consequences (reputational, financial, legal, operational) across different incident scenarios.
- Final Risk Level Definition: Determining the risk level (low, medium, high) by comparing likelihood and potential consequences.
6.3. Risk Level Determination Criteria
In the context of data breaches, the following aspects are considered during risk assessment:
- Volume and Value of Compromised Data:
  - Number of affected records.
  - Data categories (personal, financial, trade secrets).
- Legal and Regulatory Consequences:
  - Potential fines and sanctions by regulators (GDPR, financial regulations).
  - Possible legal claims from clients or partners.
- Financial Impact:
  - Direct financial losses (compensations, penalties, fines).
  - Indirect losses (decrease in shareholder value, lost profit due to reputational damage).
- Reputational Risks:
  - Extent of negative media and social media coverage.
  - Loss of trust from existing clients, partners, and potential investors.
- Operational Impacts:
  - Disruption of key business processes (e.g., payment operations, customer service).
  - Increased load on IT infrastructure and the Security Department.
6.4. Risk Review Procedure
- Regular Audits: The Company's risk profile is assessed at least annually or after major incidents to update the risk matrix and protection priorities.
- Dynamic Review: An unscheduled reassessment is conducted when critical vulnerabilities are discovered or business processes change (e.g., new product launches, mergers, acquisitions).
- Control Measures: Risk assessment results are documented and integrated into the corporate security management system, forming the basis for action plans and resource allocation.
6.5. Role of Risk Assessment in Response Policy
- Escalation: If risk assessment results indicate a high potential impact, the incident is immediately escalated to Top Management.
- Security Measure Optimization: Based on the risk assessment, the Company updates security policies, technical protection tools, and access control procedures.
- Prioritization Justification: When there is a high probability of critical losses, the Company focuses its resources (financial, technical, human) on the most vulnerable areas, improving the effectiveness of data breach response.
7. Incident Response Procedure
7.1. Objectives and Purpose of the Procedure
The Incident Response Procedure (IRP) defines a clear sequence of actions required to promptly contain and minimize the consequences of a data breach. The primary objectives of this procedure are to:
- Promptly localize and eliminate the threat.
- Minimize the impact on business operations and clients.
- Fulfill notification obligations to regulators and users.
- Create a documentary basis for further analysis and reporting.
7.2. Incident Response Phases
The Company's response procedure is divided into several sequential phases:
Phase 1. Incident Identification and Confirmation
- Receiving an alert from monitoring systems or a report from an employee/partner.
- Initial assessment by an information security specialist.
- Official registration of the incident in the Incident Management System with a unique Incident ID.
Max response time: 30 minutes (High Priority), 1 hour (Medium Priority).
Phase 2. Containment
- Immediate technical isolation of affected systems and network segments:
  - Blocking user accounts and access.
  - Disconnecting compromised servers or applications.
  - Network segmentation to prevent further spread.
- Temporary suspension of critical processes (e.g., transactions).
Responsible: IT Department.
Execution time: Immediately, no later than 60 minutes after incident confirmation.
Phase 3. Investigation & Eradication
- Digital Forensics Investigation:
  - Collecting and analyzing event logs.
  - Identifying the breach source and methods of unauthorized access.
  - Pinpointing vulnerable systems and components.
- Root Cause Elimination:
  - Removing malicious software or code.
  - Applying patches and updates.
  - Changing credentials and strengthening access controls.
  - Implementing additional safeguards to prevent recurrence.
Execution time: Depends on incident complexity, but no more than 24 hours after containment.
Phase 4. Recovery
- Full system and service restoration using clean backups.
- Testing functionality and security of restored systems:
  - Re-scanning for vulnerabilities and threats.
  - Validating data integrity (checksum comparison, database verification).
- Approval of the recovery plan for client service resumption and return to normal operations.
Execution time: 24–48 hours after completion of investigation.
Phase 5. Notification of Regulators and Users
- Regulatory obligations assessment.
- Notification of affected data subjects with detailed information:
  - Nature and scope of the breach.
  - Potential consequences and recommendations.
  - Measures taken by the Company to prevent recurrence.
Execution time: Regulators — within 72 hours; users — as soon as possible without undue delay.
Phase 6. Documentation & Reporting
- Preparation of a comprehensive Incident Report including:
  - Incident timeline.
  - Root causes and consequences.
  - Remediation actions and corrective measures.
  - Future security improvement plan.
- Submission to top management and regulators, if required.
Execution time: Preliminary report within 48 hours; final report within 10 business days.
Phase 7. Post-Incident Analysis and Corrective Actions
- Holding a Lessons Learned Workshop with all involved departments.
- Analyzing root causes, response effectiveness, and generating improvement recommendations.
- Drafting a Corrective Action Plan with deadlines and responsible parties.
Execution time: Within 10 business days after recovery completion.
7.3. Coordination and Communication
- The Incident Response Team (IRT) establishes a centralized communication channel for information exchange during incident response.
- External communications (e.g., with media) are conducted only with prior approval from management.
7.4. Employee Rights and Responsibilities
- All Company employees must promptly report any suspicious events.
- Employees are required to fully cooperate with the Incident Response Team at all stages of investigation and response.
8. Notification Process
Finassets adheres to strict standards of transparency and legal accountability, ensuring timely and comprehensive notification of competent regulators and affected data subjects in the event of a data breach incident.
8.1. General Notification Requirements
When a confirmed incident poses a risk to the rights and freedoms of data subjects, the Company must:
- Notify supervisory authorities within the timeframes specified by applicable law (e.g., under GDPR – no later than 72 hours after confirming the incident).
- Notify affected users (data subjects) without undue delay, once the incident has been assessed and the breach scope determined, if there is a high risk to their rights and freedoms.
8.2. Notification to Regulators
Upon detecting a data breach, the Company performs the following actions:
8.2.1. Competent Authorities
Notifications are sent to the relevant supervisory and regulatory bodies.
8.2.2. Notification Timeline
The Company notifies the supervisory authority within 72 hours of detecting the incident.
If it is not possible to provide all the details immediately, a preliminary notification is submitted, followed by updates as more information becomes available.
8.2.3. Content of Regulator Notification
The notification to the regulator must include:
- Description of the breach (categories and volume of data affected).
- Estimated number of affected data subjects and records.
- Brief description of the causes and consequences of the incident.
- Contact information of the responsible person or department handling security and communications.
- Measures taken to eliminate and mitigate the incident's impact.
- Plan of further actions to prevent recurrence.
8.3. Notification to Data Subjects (Users)
The Company takes the following steps to notify affected data subjects:
8.3.1. Notification Conditions
Users are notified without undue delay if the data breach may pose a high risk to their personal rights and freedoms (e.g., risk of financial loss, fraud, identity theft, etc.).
8.3.2. Notification Methods
- Email.
- Push notifications or messages in the user's personal account on the website.
- Other communication channels defined in contracts and the Company's internal standards.
8.3.3. Content of User Notification
Notifications to data subjects must include:
- Clear description of the nature of the breach (types of data affected).
- Recommendations on actions users should take to protect their data and reduce risks (e.g., password changes, enhanced security practices, transaction checks).
- Contact information for user inquiries (e.g., dedicated email or support phone line).
- Clear explanation of the steps taken by the Company to mitigate the breach and prevent similar incidents in the future.
8.4. Exceptions to User Notification Requirements
The Company may decide not to notify data subjects if:
- Effective technical and organizational measures have been implemented to render the data unreadable or inaccessible to third parties (e.g., strong encryption).
- Follow-up measures have been taken that eliminate the likelihood of a high risk to data subjects.
- Notification would involve disproportionate effort; in such cases, a public announcement or similar measure will be made to effectively inform data subjects.
Any decision not to notify must be made in consultation with and approved by the Legal Department and Compliance Officer.
8.5. Internal Approval of Notifications
All notifications must be reviewed and approved by senior management prior to being sent.
8.6. Notification Documentation
All sent notifications (to regulators and users) are documented and archived in the corporate incident management system.
The archive must be available for audit and serve as evidence of regulatory compliance.
8.7. Follow-Up and Monitoring
Following notification, the Company monitors the responses of users and regulators.
The Compliance Department tracks potential inquiries from regulators and promptly provides additional information.
The Customer Support team is prepared to assist users with any questions related to the breach.
9. Documentation & Reporting
Finassets ensures detailed documentation and reporting for every detected data breach incident. This process is an integral part of the incident response procedure and aims to ensure transparency, control, and thorough post-incident analysis.
9.1. Objectives of Documentation and Reporting
The key goals of documentation and reporting are to:
- Provide a legal evidence base in the event of regulatory investigations or legal proceedings.
- Build a knowledge base for analyzing and preventing similar incidents in the future.
- Support internal and external information security audits.
- Demonstrate compliance with legal and regulatory requirements (e.g., GDPR, financial regulations).
9.2. Mandatory Incident Documentation and Reports
The Company prepares and stores the following required documents for each incident:
9.2.1. Incident Report
Prepared immediately after the initial investigation, the report includes:
- Unique incident identifier.
- Date and time of incident detection and confirmation.
- Summary of the incident (nature, scale, affected data and systems).
- List of involved departments and employees.
- Measures taken for containment and mitigation.
- Preliminary assessment of causes and consequences.
- Recommendations for immediate security actions and controls.
Preparation deadline: within 48 hours of incident confirmation.
9.2.2. Regulatory Notification Report
If the incident requires regulator notification, this report includes:
- Detailed description of the incident and types of leaked data.
- Number of affected data subjects.
- In-depth explanation of causes and context.
- Actions taken to resolve the breach and prevent future occurrences.
- Contact information of the person responsible for regulatory communication.
Preparation deadline: within 72 hours of the Company becoming aware of the breach. Under GDPR Article 33 the 72-hour clock runs from awareness, not from completion of the investigation; where the full report cannot be completed within that period, the available information is submitted to the regulator and the remainder is provided in phases without undue further delay.
9.2.3. User Notification Template
A standard notification template is prepared for affected data subjects, containing:
- Clear and accessible incident summary.
- Recommendations to minimize risks (e.g., change passwords, check transactions).
- Company contact details for user inquiries.
Preparation deadline: within 24 hours after confirming the need for user notification.
9.2.4. Technical Post-Mortem Report
Prepared after completing the full investigation, including:
- Detailed technical timeline of the incident.
- Digital forensics findings: log analysis, technical evidence.
- Identified vulnerabilities and root technical causes.
- Specific recommendations to address identified vulnerabilities.
- Action plan to prevent recurrence.
Preparation deadline: within 10 business days after incident resolution.
9.3. Document Storage and Access
All incident-related reports are stored in the Company's document management system with safeguards for confidentiality and integrity.
Access is strictly controlled and limited to authorized personnel only.
Documents are retained for at least five years, or longer where local legal and regulatory requirements so require.
9.4. Regular Internal Reporting
The Company regularly prepares the following internal reports:
- Monthly information security reports: brief summaries of incidents and actions taken.
- Quarterly reports for top management: trend analysis, policy and procedure recommendations.
- Annual reports: comprehensive incident review, effectiveness evaluation, and strategic recommendations.
9.5. External Reporting and Audit
Incident reports may be shared with external auditors, partners, and regulators when necessary.
The Company is committed to cooperating with external oversight bodies by providing complete and accurate incident-related information.
9.6. Accountability for Timeliness and Accuracy
Heads of relevant departments are personally responsible for the timely preparation, accuracy, and completeness of reports.
The Compliance and Legal departments regularly review documentation for alignment with internal policies and regulatory requirements.
9.7. Use of Reports for Continuous Improvement
All reports are used in regular Lessons Learned Workshops to review causes and response effectiveness.
Resulting security improvements are documented and tracked until fully implemented.
10. Post-Incident Review & Corrective Actions
Finassets considers it essential to conduct a thorough post-incident review following every confirmed data breach. This analysis is aimed at identifying root causes, improving response effectiveness, and implementing corrective actions to prevent similar incidents in the future.
10.1. Objectives of Post-Incident Analysis
The key goals of this phase are to:
- Determine the actual causes and contributing factors of the incident.
- Evaluate the effectiveness of the containment and mitigation measures taken.
- Develop specific recommendations to enhance the Company's resilience and security.
- Strengthen internal controls and improve existing information security and data protection processes.
10.2. Organization and Execution of the Review
The post-incident review is carried out by a dedicated Post-Incident Review Team, which includes representatives from:
- Information Security Department (process coordination)
- IT Department (technical analysis and evaluation of response measures)
- Legal Department and Compliance Officer (assessment of legal and regulatory risks)
- Public Relations Department (reputation impact analysis)
- Senior Management (strategic evaluation of the incident's impact on the Company)
10.3. Phases of Post-Incident Analysis
The analysis process following incident response includes the following steps:
Phase 1. Data Collection and Consolidation
- Collect all information gathered during the response (logs, technical reports, employee statements, response records)
- Document the incident event timeline
Phase 2. Root Cause Analysis (RCA)
- Identify root causes and contributing factors (technical vulnerabilities, human error, process gaps)
- Analyze deficiencies in existing protection and monitoring systems
Phase 3. Response Effectiveness Evaluation
- Assess timeliness and adequacy of actions taken at each response stage
- Analyze compliance with SLA and KPI targets; identify deviations and root causes
Phase 4. Recommendations and Corrective Actions
- Develop recommendations for improving technical safeguards and updating policies and procedures
- Formulate a corrective action plan with assigned responsibilities and implementation deadlines
10.4. Post-Incident Review Report Content
The final report includes the following sections:
- Description of the incident (nature, scope, consequences)
- RCA results (root causes, vulnerabilities, and weaknesses)
- Response effectiveness assessment (strengths and weaknesses)
- List of recommendations and corrective actions
- Implementation plan with specific deadlines and responsible parties
Preparation deadline: no later than 10 business days after response completion
10.5. Implementation of Corrective Actions
Corrective actions developed from the analysis are mandatory and may include:
- Technical improvements to the security infrastructure (patch deployment, hardening of configurations, implementation of additional monitoring and protection tools)
- Organizational changes (review of access procedures, improved control over employee activities, new security policies)
- Training and awareness (regular information security training, targeted instruction for personnel involved in incident response)
10.6. Control and Effectiveness Monitoring
Corrective actions are tracked through the Company's task and project management system.
The effectiveness of implemented measures is evaluated at 30 and 90 days after implementation, with results documented.
10.7. Documentation and Reporting
All materials and reports related to the post-incident review are stored in the corporate document management system for no less than five years.
The final report is submitted to the Company's Board of Directors and senior management for strategic decision-making and audit purposes.
10.8. Interaction with External Auditors and Regulators
Post-incident review reports may be shared with external auditors and regulators upon request.
The Company ensures full cooperation during audits, providing comprehensive information and documentation.
10.9. Continuous Improvement
Regular Lessons Learned Workshops are held to discuss identified weaknesses and develop proposals for improving corporate information security processes and policies.
Recommendations from these workshops are integrated into the Company's continuous improvement program.
11. Training & Awareness
Finassets recognizes that regular employee training and awareness of data protection risks and incident response procedures are essential components of an effective information security management system.
11.1. Objectives of Training Programs
The main goals of the Company's training and awareness programs are to:
- Ensure a unified understanding among employees of the Company's information security requirements and standards.
- Develop skills for threat detection and incident response, including data breaches.
- Promote a culture of security and reduce the impact of human error on incident likelihood.
11.2. Employee Categories Subject to Training
Training and awareness initiatives are mandatory for the following categories:
- All full-time and temporary staff (general information security training).
- Employees with access to personal and financial data (advanced specialized training).
- Department heads and top management (additional training on risk management and incident response).
- IT and Information Security personnel (regular training and certifications in specialized areas, including Incident Response and Digital Forensics).
11.3. Training Formats and Methods
To ensure effective learning, the Company uses various training formats:
- Onboarding Training: Mandatory for new hires within their first week, covering basic information security, privacy policies, and incident response procedures.
- Annual Training: Mandatory yearly training for all employees, including knowledge and skill assessments.
- Specialized Training: Courses and workshops for staff handling sensitive data and systems.
- Online Training and Webinars: Corporate e-learning platform offering flexible access to courses.
- Simulation Exercises: Tabletop exercises and cyberattack simulations to test employee readiness and response speed.
11.4. Training Program Content
All training programs include the following required topics:
- Fundamentals of information security and data privacy.
- Company policies and procedures related to data protection and incident response (including the Data Breach Policy).
- Threat identification and prevention (e.g., phishing, social engineering, unauthorized access).
- Incident reporting procedures and escalation paths.
- Best practices for secure use of corporate systems and networks.
- Legal and regulatory obligations regarding personal data protection (e.g., GDPR).
11.5. Training Frequency and Timing
- Onboarding Training: Conducted during the first work week of a new employee.
- Annual Training: Held at least once a year for all employees.
- Specialized Training & Seminars: Conducted at least twice a year for relevant departments (IT, Security, Legal).
11.6. Training Effectiveness Evaluation
The Company regularly assesses the effectiveness of training programs through:
- Post-course testing and employee surveys.
- Analysis of employee behavior during simulations and training incidents.
- Ongoing monitoring of compliance with corporate information security policies and procedures.
Evaluation results are used to refine and improve training content, methods, and delivery formats.
11.7. Responsibility and Coordination
The Information Security Department, in close cooperation with HR and department heads, is responsible for developing, organizing, and overseeing training. Key responsibilities include:
- Creating and regularly updating training programs and materials.
- Organizing training sessions, tracking attendance, and ensuring timely completion.
- Monitoring and reporting on training outcomes and employee progress.
11.8. Ongoing Awareness Efforts
The Company promotes continuous awareness by:
- Issuing regular information bulletins, tips, and alerts about current threats and prevention methods.
- Maintaining internal resources (intranet, security portal) with up-to-date materials and opportunities for knowledge sharing.
12. Monitoring, Audit & Control
Finassets implements a comprehensive and systematic approach to monitoring, auditing, and controlling data protection and information security processes. Regular monitoring and audit procedures enable timely threat detection, evaluation of protection measures, and compliance with internal policies and external regulatory requirements.
12.1. Objectives of Monitoring, Audit, and Control
The main objectives are to:
- Identify and prevent threats and vulnerabilities in the information infrastructure in a timely manner.
- Verify that Company processes comply with applicable legal and regulatory requirements.
- Evaluate the effectiveness of technical and organizational information security measures.
- Maintain a high level of transparency and accountability in data protection and information security.
12.2. Information Security Monitoring and Control
The Company performs continuous, systematic monitoring of its information infrastructure, including:
- SIEM Systems (Security Information and Event Management): Continuous collection, analysis, and correlation of security events and logs.
- Intrusion Detection and Prevention Systems (IDS/IPS): Monitoring of network traffic and detection of suspicious activity.
- Regular Log Monitoring: Detailed analysis of user actions and of system and network state for anomaly and breach detection.
- Vulnerability Scanning: Monthly assessments of systems and applications for known and emerging vulnerabilities.
Frequency: Monitoring is continuous, with daily review of results; vulnerability scans are performed monthly as stated above.
12.3. Internal Information Security Audit
The Company conducts regular internal audits to assess the effectiveness and compliance of information security policies and procedures:
- Verifying alignment of current practices with internal policies, international standards (e.g., ISO/IEC 27001), and applicable regulation (e.g., GDPR).
- Evaluating the adequacy and effectiveness of data and infrastructure protection measures.
- Checking employee compliance with established security protocols.
- Producing reports and improvement recommendations.
Responsible: Compliance Department in cooperation with the Information Security Department
Frequency: At least quarterly.
12.4. Vulnerability Management and Remediation Tracking
All identified vulnerabilities and deficiencies are recorded in the corporate incident management system and tracked until fully resolved.
A corrective action plan is developed for each issue, with designated responsible persons and deadlines.
The Information Security Department monitors the timeliness and completeness of remediation efforts.
12.5. Regular Reporting on Monitoring and Audit
The Company generates regular information security monitoring and audit reports, including:
- Monthly Reports: Current security status and detected vulnerabilities.
- Quarterly Reports: Internal audit results and improvement recommendations.
- Annual Reports: External audit results, trend analysis, and strategic recommendations.
Reports are submitted to Company management and the Board of Directors for review and decision-making on further data security improvements.
12.6. Documentation and Access to Monitoring and Audit Materials
All monitoring and audit documentation is stored in the corporate document management system.
Access is strictly controlled and available only to authorized employees and departments.
12.7. Continuous Improvement of Monitoring and Audit Procedures
The Company regularly reviews and enhances its monitoring and auditing procedures by implementing new technologies, methodologies, and best practices.
Findings from monitoring and audits are used to continuously improve internal policies, procedures, and the overall information security management system.
13. Enforcement & Sanctions
Finassets establishes clear requirements and standards for information security and data protection. Violations of these standards and requirements result in disciplinary actions and sanctions in accordance with internal regulations, corporate policies, and applicable law.
13.1. General Provisions
All employees, contractors, partners, and other individuals with access to the Company's information systems and data are personally responsible for complying with the Data Breach Policy and other applicable policies and procedures.
Non-compliance may lead to data security threats, information leaks, and other adverse consequences, forming the basis for enforcement actions.
13.2. Types of Violations Subject to Sanctions
Sanctions apply in the case of the following violations:
- Unauthorized access or attempted access to information systems or data.
- Intentional or unintentional disclosure of confidential or personal data to third parties without proper authorization.
- Violation of identification and authentication procedures (e.g., sharing login credentials).
- Breach of data storage, processing, and transmission requirements.
- Failure to timely report identified threats or incidents.
- Avoidance or improper execution of incident response duties.
13.3. Disciplinary Actions and Sanctions for Employees
Depending on the severity and impact of the violation, the following measures may be applied:
- Warning or Reprimand: A written notice requiring immediate corrective action.
- Revocation of Bonuses or Incentives: Financial penalties for breaching corporate standards and policies.
- Temporary Suspension or Access Restrictions: Applied in cases of serious violations requiring immediate containment.
- Reassignment or Role Adjustment: In cases of repeated or major violations.
- Termination of Employment: For severe breaches causing significant damage to the Company or clients.
13.4. Sanctions for Contractors and Partners
If contractors, vendors, or partners violate information security standards, the Company may apply the following:
- Official Warning: Written demand to correct violations within a specified timeframe.
- Financial Penalties: Imposed in accordance with contract terms.
- Access Restriction or Suspension: Temporary or permanent limitation of access to systems and data.
- Contract Termination: Unilateral cancellation of the agreement in case of serious or repeated violations.
13.5. Violation Detection and Investigation Procedure
The Company maintains a transparent, systematic process for identifying and investigating violations:
- All suspected or confirmed violations are logged in the corporate incident management system.
- The Information Security and Legal Departments conduct a thorough investigation.
- A report is prepared detailing the violation, its consequences, and recommended enforcement measures.
- The final decision on sanctions is made by Company management based on the investigation findings.
13.6. Documentation and Reporting of Sanctions
All enforcement actions are documented, including the reason, circumstances, and measures taken.
Documentation is stored in the HR system and made available for audits in accordance with internal and regulatory requirements.
13.7. Regular Employee Communication
The Company regularly informs employees about current information security requirements, potential liabilities, and applicable sanctions through training and awareness campaigns.
New employees are informed of enforcement policies during onboarding.
13.8. Appeals Procedure
Employees and partners have the right to appeal enforcement decisions in accordance with the Company's internal procedures and applicable law.
Appeals are reviewed by the Legal Department and relevant Company management within defined timelines.
13.9. Continuous Improvement of the Enforcement Policy
The Company regularly reviews and updates its enforcement and sanctions policy based on legal changes, internal practices, and external developments.
All policy updates are promptly communicated to employees and partners.
14. Related Policies & Regulations
This Data Breach Policy is integrated into Finassets' overall Information Security Management System and functions in conjunction with a number of internal policies, procedures, and international standards that govern the Company's activities in the areas of data protection and information security.
14.1. Internal Corporate Policies
This Data Breach Policy is directly linked to and complements the provisions of the following internal corporate documents and policies:
- Anti-Money Laundering Policy (AML Policy)
Establishes principles and procedures for client identification, transaction monitoring, and prevention of suspicious activities related to money laundering and terrorist financing.
- Privacy Policy
Defines the principles for collecting, processing, storing, and protecting personal data of clients and website users. It outlines the Company's responsibilities regarding data subjects and procedures for informing them.
- Cookie Policy
Regulates the Company's use of cookies and similar technologies on its website, and informs users about the types and purposes of cookies used.
- Terms of Use
Establish general rules and conditions for the use of the Company's website and services, including user responsibilities and service usage limitations.
- AML/CTF Program
Describes a comprehensive set of measures and procedures aimed at fulfilling the Company's legal obligations regarding anti-money laundering and combating terrorist financing, including internal controls, transaction monitoring, and regulatory reporting.
These documents are regularly reviewed to ensure compliance with regulatory requirements, legislative changes, and internal standards.
14.2. International and Industry Standards and Guidelines
The development and implementation of this Policy are guided by the following international and industry standards:
- GDPR (General Data Protection Regulation, EU Regulation 2016/679)
Sets out the principles and legal requirements for the processing of personal data, including mandatory breach notification rules.
- ISO/IEC 27001 — Information Security Management System (ISMS)
International standard specifying requirements for establishing, implementing, maintaining, and continually improving an information security management system. The current edition is ISO/IEC 27001:2022, which supersedes the 2013 edition.
- ISO/IEC 27005 — Information Security Risk Management
Standard that provides guidelines for information security risk management. The current edition is ISO/IEC 27005:2022, which supersedes the 2018 edition.
- NIST SP 800-61 — Computer Security Incident Handling Guide (Revision 2 as of the date of this Policy)
Guide from the U.S. National Institute of Standards and Technology outlining best practices for incident response in information security.
14.3. Legal and Regulatory Compliance
The Company adheres to national and international laws and regulations in the field of data protection and information security, including:
- National data protection laws of the countries in which the Company operates.
- Legislation on anti-money laundering and counter-terrorism financing (AML/CFT).
- Sector-specific requirements and recommendations issued by financial and payment service regulators.
14.4. Contractual Obligations and Agreements
This Policy also reflects obligations arising from contracts and agreements with third parties (contractors, partners, and clients), including:
- Contracts and agreements that contain requirements for data protection and liability for data breaches.
- Confidentiality and non-disclosure agreements (NDAs).
14.5. Document Interactions and Priority
In the event of inconsistencies between this Policy and other internal Company documents, priority is given to the provisions that ensure the highest level of data protection.
The Company regularly reviews its internal policies and procedures to ensure compliance with current regulations and their relevance in the face of evolving security risks and threats.
14.6. Documentation and Availability
All internal policies and procedures are available to employees via the Company's corporate document management system.
Employees are regularly informed about updates to regulatory requirements and internal documents.
14.7. Continuous Improvement and Policy Updates
The Company regularly reviews and updates related documents and policies in response to external regulatory changes, internal practices, and industry best practices.
All changes are coordinated with relevant departments and approved by Company leadership.
15. Review & Revision
Finassets acknowledges the necessity of regularly reviewing and updating this Data Breach Policy to ensure its alignment with evolving regulatory requirements, internal corporate standards, and the dynamic landscape of information security threats.
15.1. Objectives of Regular Review
The regular review and revision process is intended to:
- Ensure compliance with current legal and regulatory requirements.
- Reflect emerging risks, threats, and vulnerabilities in the field of information security.
- Account for changes in the Company's technological infrastructure, organizational structure, and business processes.
- Improve the effectiveness of data breach prevention and response measures.
15.2. Review Frequency and Triggers
The Company reviews the Policy under the following conditions:
- Scheduled Review: At least once per year.
- Unscheduled Review: Mandatory after significant security incidents, changes in legislation or regulatory requirements, or substantial modifications to internal infrastructure or business processes.
15.3. Policy Review and Update Stages
The review and revision process includes the following steps:
Stage 1. Review Initiation
The Information Security Department initiates the review process based on a set schedule or upon identification of a triggering event.
A working group is formed, including representatives from Information Security, Legal, IT, and other relevant departments.
Stage 2. Current State Assessment
Incident reports, audit and monitoring results, employee feedback, and regulatory changes are analyzed.
The effectiveness of current Policy provisions is evaluated.
Stage 3. Drafting Proposed Revisions
The working group prepares a draft of proposed changes, including:
- Description and justification of changes
- Implementation timelines
- Assigned responsibilities
Stage 4. Internal Review and Approval
The draft is reviewed by all relevant departments.
The Legal and Compliance teams verify alignment with legal and regulatory requirements.
Stage 5. Approval of Updated Policy
The final version is approved by the CEO or the Board of Directors.
The approved Policy is enacted via an official order or directive.
Stage 6. Publication and Employee Notification
The updated Policy is published in the corporate document management system and made accessible to all employees.
Employees are formally informed of the changes and their implications.
15.4. Responsibility for Review and Revision
- The Information Security Department coordinates the review process.
- The Legal Department and Compliance Officer ensure legal accuracy and compliance.
- Senior Management is responsible for approving and implementing the revised Policy.
15.5. Documentation and Archiving of Revisions
All Policy revisions are documented in the corporate document management system with review dates and a description of the changes.
Previous versions of the Policy are archived and remain available for internal and external audit.
15.6. Implementation Monitoring and Effectiveness Evaluation
The Information Security Department monitors compliance with and implementation of the updated Policy.
The effectiveness of changes is evaluated within 6 months of implementation, with a report submitted to management.
15.7. Employee Training Following Policy Updates
Each Policy update is followed by additional training and awareness sessions.
Changes are incorporated into ongoing employee training programs.
15.8. Continuous Improvement of the Review Process
The Company regularly evaluates the efficiency of the review process itself.
Based on accumulated experience, revisions are made to improve responsiveness and effectiveness.