Sustainability Report 2024

Cybersecurity and Data Privacy

2024 Key Facts

There are no cases of personal data leakage

There are no cases of misuse of insider information

Material Topic

Improving cyber resilience and stakeholder data privacy

UN SDGs

Target group

Responsible business

Key aspect

Cybersecurity and Data Privacy

GRI 3-3; 418-1; SV-PS-230a.1; SV-PS-230a.2

Cybersecurity

Expert RA has an information security (IS) system designed to establish and maintain ongoing control of IS risk, which should not exceed the limits set in the Agency’s Information Security Enforcement Provision.

Basic principles of information security:

  • Timely detection of IS-related problems, predictability of their development and assessment of their impact on the Agency’s business goals
  • Awareness of the need for IS
  • Personal responsibility
  • Limitation of authority
  • Comprehensive protection
  • Adequate protection
  • Ergonomic protection
  • Document-based transactions
  • Continuity of the IS system control and improvement processes

Expert RA constantly monitors and audits the IS system, using the results of this work to analyse the effectiveness of the measures taken, with due account of changes in the IT environment, new threats, and IS incidents and issues. We also develop and introduce additional protection measures. This enables continuous implementation of the principles of safe operation.

We conduct staff training to increase IS awareness; the training programme is adjusted to account for current threats. Employees can contact the Asset Protection Service (APS) at any time to get advice on IS issues. Where necessary, APS informs employees about current threats through information letters.

Personal Data

The main purpose of protecting personal data (PD) is to minimise the physical, material, financial or moral damage, both direct and indirect, arising from the possible materialisation of threats to PD security.

Expert RA responsibly handles PD and confidential information received from its employees and customers, as well as its suppliers and contractors.

The Asset Protection Service controls the security of PD handling. This work is supervised by the Security Director, who is a member of the Management Board in charge of arranging PD processing in Expert RA. When handling PD and insider information, employees are guided by the Agency’s by-laws, including a model of threats to PD in information processing systems.

Expert RA has approved:
  • List of PD-containing documents and PD processing systems
  • Limited list of employees with access to PD processing

100% of employees are familiar with current law and regulations concerning PD protection. Expert RA systematically tests employees engaged in PD processing for knowledge of PD protection regulatory documents and compliance therewith. Measures are taken to ensure the security of PD processing in accordance with the Agency’s Internal Control Plan to Ensure Compliance with PD Laws and Local Regulations.

Measures taken by Expert RA to enhance information security:

  • Expert RA has been entered in the register of PD operators (Reg. No. 77-23-153368).
  • PD are processed in accordance with applicable laws.
  • Documents related to PD processing are adopted and continuously updated.
  • Measures are taken to improve data security.
  • A compliance audit for data processed by a third-party company has been conducted.
  • Expert RA staff are regularly informed about PD handling rules.

Customer Insider Information

Expert RA registers and controls confidential information coming from customers (insider information) strictly in accordance with the current laws of the Russian Federation. As part of compliance with regulatory requirements, measures are taken to prevent, detect, and suppress:
  • Misuse of insider information
  • Market manipulation

The measures are implemented in accordance with the Rules of Internal Control for the prevention, detection and suppression of the misuse of insider information and (or) Market Manipulation of Expert RA JSC.