The mission of the Information Security Department is to assure the confidentiality, integrity and availability of information as appropriate. To this end, it is responsible for translating the risk appetite of the Group into effective and efficient controls which (a) minimise impact to operations, (b) ensure better risk management, and (c) are compliant with regulations.
The Information Security Department is responsible and accountable for the development and implementation of the information security framework, to assist the Group’s efforts to protect its information assets.
The role of the head of Information Security includes the following (list is not exhaustive):
- Advise and provide recommendations to the Board on the development of an information security policy in line with the Group’s size and complexity of activities and information distribution channels.
- Advise and provide recommendations to senior management on the development and implementation of the Group’s information security program in the form of security policies, standards, guidelines, procedures and processes.
- Oversee the dissemination and implementation of the information security program institution-wide.
- Cooperate with the Bank’s business and support units and other internal control functions, for the effective implementation of security principles in the development of their policies and procedures.
- Develop and implement, in cooperation with the Risk Management Division, an information security risk assessment and management program.
- Participate in the activities required for the implementation of effective security controls in the Bank’s IT infrastructure and provide guiding principles to IT for the operation of network and information systems.
- Plan, organise and coordinate information security assessment activities throughout the institution.
- Monitor compliance with information security policies, standards, guidelines, processes and procedures.
The Head of Information Security submits an annual report to the Board, through the Risk Committee, which includes, among other things, a summary of the most important information security risks the Bank faces at the time of reporting and a list of all important information security incidents and the corrective actions taken to prevent recurrence.
The Bank’s Group Compliance Division (GCD) provides independent oversight of the management of the Bank’s compliance with laws, regulations, guidelines and internal rules relevant to the activities of the Bank in the jurisdictions in which it operates.
The role of the GCD includes the following:
- Oversee, coordinate, monitor and facilitate compliance with existing laws, rules and regulations through the implementation of the Bank’s compliance system and program in accordance with the requirements of the Central Bank of Cyprus (CBC) and other regulatory authorities, including but not limited to the identification and control of compliance risks, prudential reporting obligations as well as compliance training.
- Track and evaluate all new regulations or amendments to existing regulatory issuances and disseminate these immediately to the implementing units for their information and action.
- Initiate requests for policy pronouncements or revisions to ensure new regulations are made part of the Bank’s policies and procedures.
- Provide guidance, advisories and training to employees on significant laws and regulations.
- Report to senior management and to the Board on significant compliance issues.
- Liaise with the regulatory authorities and appear before their bodies upon summons to clarify matters related to the compliance system.
- Annually prepare a report to the CBC on the Bank’s compliance with the Central Bank’s Directives.
The Bank has in place an independent Audit Function, through which the Bank’s Board, senior management and shareholders may be provided with reasonable assurance that its key organisational and procedural controls are effective, appropriate, and complied with. The role of the Group Internal Audit Division includes the following:
- Develop and implement an effective annual internal audit program to be approved by the Audit Committee that covers the entire operations of the Bank including subsidiaries and affiliates.
- Submit to the Audit Committee an annual report on the performance of Internal Audit activities, responsibilities, and performance relative to the audit plans and strategies as approved by the Committee including significant risk exposures, control issues and such matters as may be needed or requested by the Board of Directors and senior management.
- Conduct independent assessments of the adequacy and effectiveness of the management and IT control frameworks, risk management and governance processes of all units of the Bank, including subsidiaries and affiliates.
- Monitor the resolution of internal control weaknesses noted during examinations, with the aim of mitigating risks and strengthening the control environment.
- Examine and analyse the organisational structure, checks and balances, methods of operations and use of human and physical resources to reveal defects in order to prevent fraud or irregularities.
- Certify that the conduct of auditing activities is in accordance with the International Standards on the Professional Practice of Internal Auditing.
The Bank’s Group Risk Management Division (GRMD) ensures that all material risks are identified, measured and properly reported. The Division is actively involved in elaborating the institution’s risk strategy and in all material risk management decisions.
The Board ensures the independence of the GRMD by providing it with direct access to the Board and the Risk Committee without any impediment.
The GRMD is independent from executive functions, business line responsibilities, operations and revenue generating functions. The GRMD functionally reports to the Risk Committee and administratively to the CEO.
The role of the GRMD includes the following (list is not exhaustive):
- Assist the Risk Committee, Board of Directors and senior management to establish and communicate the Bank’s risk management objectives and direction.
- Assist the Board Risk Committee and senior management to develop and communicate management policies.
- Facilitate the identification, measurement, monitoring, reporting and control of risks.
- Monitor and assess whether decisions to accept particular risks are consistent with Board-approved policies on risk tolerance, and assess the effectiveness of the corresponding risk mitigation measures.
- Report to senior management, the Risk Committee and the Board the results of the assessment and monitoring of risk exposures.
- Have sufficient expertise and operating experience to be able to challenge decisions that affect the institution’s exposure to risk.
- Annually prepare a report to the CBC presenting key issues and developments within the Bank and review of the main risk areas.
- Submit reports to the Board and relevant Committees and attend their meetings to present said reports and provide additional information and/or clarification or assistance on managing the issues raised.
- Be involved in any changes to the institution’s strategy, risk appetite framework and risk limits.