1. Overview
1.2. Information is a valuable asset of Pacific Private Bank Limited (hereinafter – the “Company”); therefore its loss, unauthorised alteration or disclosure, damage, or the interruption of information processing may disrupt the operation of the Company and cause damage to interested parties. Taking this into account, the Company takes measures to ensure information security.
1.2. The purpose of Information security policy (hereinafter – the “Policy”) is to ensure appropriate and effective information security management and to prevent disruption of operations and the occurrence of damage due to violations of confidentiality, integrity, and availability of information.
1.3. The Information Security Policy is owned by the Information Security Team and is the parent document for the related information security policies.
2. Scope
2.1. The Policy applies to:
2.1.1. all Company activity processes and all structural divisions;
2.1.2. all Company information, regardless of its form and storage method;
2.1.3. all employees of the Company and third parties who, on the basis of legal acts and/or contractual relations, are granted access to Company information or information processing tools in order to perform the functions (rights) provided for in those legal acts or the contract;
2.1.4. services provided by external service providers.
3. Roles and Responsibilities
3.1. CEO
- Provides visible support and commitment to Information Security and allocates appropriate resources to implement the Information Security Management System.
3.2. CISO
- Is responsible for the development and implementation of the Information Security strategy.
- CISO is responsible for the development, implementation, maintenance, and monitoring of the Information Security Management System.
- CISO is responsible for compliance with regulatory requirements.
- CISO reports to senior management on the performance of the ISMS.
3.3. Information Security Team
- Owns the Information Security Policy.
- Provides subject matter expertise in Information Security controls across the Company.
- Provides training and education for Personnel.
- Investigates, analyses and responds to Information Security Incidents.
- Carries out Information Security testing and proactive monitoring of security threats and vulnerabilities.
3.4. Infrastructure Team
- Ensures that the processes for which the team is responsible are designed in accordance with the Information Security requirements described in the Information Security policies.
- Ensures timely implementation of corrective actions related to Information Security Management System requirements.
3.5. All Employees
- Participate in mandatory Information Security training and complete assigned online Information Security training on time.
- Adhere to this Policy and to the other related Information Security policies and procedures.
- Report any Information Security incident to Information Security Team personnel.
4.1. The security of the information handled by the Company includes three main aspects:
4.1.1. Confidentiality – protection of information from unauthorized disclosure;
4.1.2. Integrity – protection of information against unauthorized or accidental change;
4.1.3. Availability – ensuring that information is available when it is needed.
4.2. The Company's Information Security Management System (hereinafter – ISMS) implements this Policy and defines the main principles of information security assurance and management.
4.3. The Company's ISMS requirements are determined in accordance with:
4.3.1. Legal acts of the European Union, as much as they are applicable to the Republic of Vanuatu, regulating information security and personal data processing, including the General Data Protection Regulation (EU) 2016/679 (hereinafter – GDPR);
4.3.2. Methodological instructions of the State Data Protection Inspectorate and the European Data Protection Board and other legal sources related to Information processing and security;
4.3.3. ISO/IEC 27001:2022 Information security management system requirements;
4.3.4. Payment Card Industry Data Security Standard (PCI DSS) requirements;
4.3.5. Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) (hereinafter – DORA);
4.3.6. Company’s ICT strategy.
4.4. Company’s objectives are defined in the Company’s Information Security Strategy.
4.5. The Company will conduct an IT risk assessment annually to identify, evaluate, and manage potential risks that could affect its operations, assets, employees, customers, reputation, and legal or regulatory compliance.
4.6. After conducting an ICT risk assessment, Chief Information Security Officer (hereinafter – “CISO”) must create or revise a Risk Management Plan. This plan should outline the strategies and actions for reducing identified risks, including assigning responsibilities for risk management activities, setting timelines, and determining necessary resources.
4.7. The Company undertakes to ensure proper and efficient management of information security in order to avoid disruption of operations due to the disclosure of confidential information, a breach of information integrity, or the unavailability of information due to its loss or system failure.
4.8. Information security is managed through consistent planning, implementation, testing, and continuous improvement of the ISMS.
4.9. Any violation of information security norms is considered an information security incident, which may have a negative impact on the continuity of the Company's activities and cause reputation damage.
4.10. Company employees and third parties who have violated ISMS requirements are subject to disciplinary measures.
4.11. The ISMS consists of the policies and procedures stored on the Company’s shared drive. The CISO is responsible for policy development, implementation, and maintenance. All such documents must be approved by the Chief Executive Officer (hereinafter referred to as the “CEO”) of the Company.
5. Final Provisions
5.1. The Company reserves the right to change the Policy at any time without prior notice.
5.2. In the event that any changes are made, the revised Policy shall be communicated to all employees of the Company.
5.3. The CISO ensures that the employees of the Company are informed about the Policy, carries out appropriate security training, conducts an annual review of the Policy and initiates its amendment where necessary.
5.4. The Policy shall be approved by the CEO of the Company.