|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Potential risks stemming from internal and external factors that could impact Turkcell’s strategic objectives, as well as potential opportunities, are carefully assessed. The identification of threats, particularly those affecting information assets, is a critical component of our risk management approach.
Our Enterprise Risk Management team maintains a comprehensive database of evaluated risks, regularly updated and monitored in collaboration with various functions. Risks are classified based on their potential impact and likelihood of occurrence, categorized as very high, high, medium, or low. Additionally, the team aims to ensure that information assets are protected through various measures like confidentiality, integrity and availability.
In our risk management tool, we have eight profiles in total, including information security risks, under which cyber risks are documented. If the levels of these risks are evaluated as high or very high, then the Enterprise Risk Management team reports them to the Early Detection of Risk Committee (EDRC). The Early Detection of Risks Committee is a sub-committee of the Board that was established to assist in the oversight of early detection of risks that may jeopardize the Company’s existence, development and continuation, and in taking the necessary measures and remedial actions to manage such risks. Cyber incidents occurring in the world and in Türkiye are also analyzed, as well as the effects that may occur if a similar cyber-attack occurs at Turkcell, and the preparations taken throughout the company are presented to the EDRC upon request of the Cyber Security Directorate.
As part of its Cyber Defense Center, Turkcell has a Security Operations Center (SOC) team that reports to the Cyber Security Directorate. The SOC team is responsible for monitoring, analyzing and responding to cybersecurity threats. This team gathers information about potential threats from various sources, including internal logs, external feeds and industry reports. By maintaining a dedicated SOC team, Turkcell can stay informed about the latest cybersecurity trends and aim to proactively mitigate potential risks. The Cyber Security Directorate at Turkcell consists of over 160 highly skilled and certified professionals. The Cyber Security Directorate is headed by Turkcell’s Cyber Security Director who benefits from numerous years of experience in the cybersecurity domain and who reports directly to the Chief Information and Communication Technology Officer. The team is composed of individuals with diverse backgrounds and expertise, including cybersecurity analysts, incident responders, security architects, and ethical hackers. This diversity allows the team to approach cybersecurity from different perspectives and to develop comprehensive strategies to mitigate risks effectively.
In addition to their technical skills, the members of the Cyber Security Directorate hold relevant certifications in cybersecurity. These certifications demonstrate their expertise and commitment to upholding the highest standards of cybersecurity practices. Furthermore, the Cyber Security Directorate is continuously updating its skills and knowledge to stay ahead of emerging cyber threats. The team regularly participates in training programs, workshops, and conferences to stay abreast of the latest trends and developments in cybersecurity.
Monitoring is an ongoing process at Turkcell, with the Cyber Security Directorate employing advanced tools and technologies to detect and respond to security incidents in real-time. This includes monitoring network traffic, analyzing logs and events, and conducting regular security audits to ensure compliance with security policies and standards.
Cyber attackers are constantly on the lookout for vulnerabilities in systems that they can exploit to gain unauthorized access or cause harm. To mitigate these risks, Turkcell conducts regular vulnerability scans across its network and systems. These scans help identify potential weaknesses, such as outdated software, misconfigured settings, or unpatched vulnerabilities, which could be exploited by attackers.
Once vulnerabilities are identified, Turkcell takes immediate action to address them. This may involve applying patches, updating software, or reconfiguring systems to close off the identified weaknesses. By promptly addressing vulnerabilities, Turkcell reduces the likelihood of successful cyber-attacks and enhances the overall security posture of its systems.
Operational security
Turkcell utilizes various types of resources to ensure the security of its operations. These resources include open-source tools and technologies, which are software or hardware solutions that are freely available for use, modification and distribution. Open-source resources are often used in cybersecurity for tasks such as network monitoring, vulnerability assessment and threat detection. To address potential cybersecurity threats stemming from our engagement with third-party service providers, we aim to increasingly include specific agreements, covenants and representations in our contracts with such providers to require them to comply with cybersecurity rules and requirements that we deem appropriate, especially when providing services to and processing data from us. As part of their contractual commitments, those vendors and partners must report any cybersecurity incident which may have a significant impact. For third-party service providers who assist with the making of applications or software we use or make available to our customers, we may also conduct vulnerability and penetration tests to ensure compliance with our cybersecurity standards. We also aim to develop contingency plans for business continuity if our vendors are subject to a cyberattack that impacts our use of their systems.
In addition to open-source resources, Turkcell also leverages proprietary tools and technologies, which are developed and owned by the company or licensed from third-party vendors. Proprietary resources can offer unique features and functionalities tailored to Turkcell’s specific cybersecurity needs, such as advanced threat detection algorithms or custom security protocols.
Furthermore, Turkcell collaborates with third-party vendors to enhance its cybersecurity capabilities. These vendors provide specialized services and solutions, such as threat intelligence feeds, penetration testing and security audits. By engaging with third-party vendors, Turkcell can access additional expertise and resources to strengthen its cybersecurity posture.
In addition to internal audits, Turkcell’s cybersecurity practices are also subject to external audit processes. These external audit processes help validate Turkcell’s cybersecurity practices and demonstrate its commitment to maintaining a high level of security and compliance. These external audits include compliance with various ISO standards, such as ISO 20000 for IT service management, ISO 22301 for business continuity management, ISO 31000 for risk management, ISO 27017 for cloud security, and ISO 27001 for information security management. As of 2024, all of these certificates are valid.
In the event of incidents related to cyber-attack risks, Turkcell’s 24/7 SOC team diligently monitors and tracks these incidents as part of its comprehensive analysis and intervention processes. The SOC team is equipped with advanced tools and technologies to swiftly detect, analyze, and respond to cyber threats, in order to be positioned to protect Turkcell’s information assets and infrastructure.
The incident management process at Turkcell is robust and structured, governed by detailed written action plans and procedures. These plans cover various aspects of incident response, including the delineation of cyber incident response responsibilities across the organization, methods for incident detection and reporting, communication protocols with stakeholders, and guidelines for the use of cybersecurity tools and products.
In the event of a cyber incident, Turkcell’s -SOC team follows a systematic approach to ensure a swift and effective response. This includes conducting a thorough end-to-end analysis of the incident in accordance with the established action plans and procedures. The goal is to contain the incident, mitigate its impact, and restore normal operations as quickly as possible. Throughout the incident management process, the team maintains a high level of transparency and communication with senior management. All actions taken, as well as the outcomes and lessons learned from each incident, are documented and reported to senior management to ensure continuous improvement in Turkcell’s cybersecurity practices. Any cyber incident which may have a material effect is conveyed to the EDRC. Cybersecurity incidents undergo a comprehensive assessment by relevant stakeholders based on their materiality levels.
During 2024, all identified security incidents were managed pursuant to our existing protocols for responding to such incidents. As of the date of this report, we are not aware of any cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business, strategy, results of operations or financial condition. See “Item 3. Key Information—D. Risk Factors—Risks Relating to Our Business—Our business is heavily dependent on the continuity and security of our information technology and network technology services, which are subject to physical and cybersecurity threats.”
Furthermore, Turkcell conducts a comprehensive risk assessment to anticipate the potential damages that could result from a cyber incident. This includes evaluating the financial losses, reputational damage, legal implications such as GDPR, PCI DSS, Regulatory Bodies’ audits and investigations, and impact on customer trust that could arise from a cyber-attack. Based on this assessment, Turkcell determines the risk level and develops strategies to manage and mitigate these risks effectively. Turkcell and its group subsidiaries have risk-based business and services continuity and systems recovery plans covering natural or man-made risks, including cyber risks, in place for key business processes, which are tested periodically.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Our Enterprise Risk Management team maintains a comprehensive database of evaluated risks, regularly updated and monitored in collaboration with various functions. Risks are classified based on their potential impact and likelihood of occurrence, categorized as very high, high, medium, or low. Additionally, the team aims to ensure that information assets are protected through various measures like confidentiality, integrity and availability.In our risk management tool, we have eight profiles in total, including information security risks, under which cyber risks are documented.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|If the levels of these risks are evaluated as high or very high, then the Enterprise Risk Management team reports them to the Early Detection of Risk Committee (EDRC). The Early Detection of Risks Committee is a sub-committee of the Board that was established to assist in the oversight of early detection of risks that may jeopardize the Company’s existence, development and continuation, and in taking the necessary measures and remedial actions to manage such risks. Cyber incidents occurring in the world and in Türkiye are also analyzed, as well as the effects that may occur if a similar cyber-attack occurs at Turkcell, and the preparations taken throughout the company are presented to the EDRC upon request of the Cyber Security Directorate.As part of its Cyber Defense Center, Turkcell has a Security Operations Center (SOC) team that reports to the Cyber Security Directorate. The SOC team is responsible for monitoring, analyzing and responding to cybersecurity threats. This team gathers information about potential threats from various sources, including internal logs, external feeds and industry reports. By maintaining a dedicated SOC team, Turkcell can stay informed about the latest cybersecurity trends and aim to proactively mitigate potential risks.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Early Detection of Risk Committee (EDRC). The Early Detection of Risks Committee is a sub-committee of the Board that was established to assist in the oversight of early detection of risks that may jeopardize the Company’s existence, development and continuation, and in taking the necessary measures and remedial actions to manage such risks.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|As part of its Cyber Defense Center, Turkcell has a Security Operations Center (SOC) team that reports to the Cyber Security Directorate. The SOC team is responsible for monitoring, analyzing and responding to cybersecurity threats. This team gathers information about potential threats from various sources, including internal logs, external feeds and industry reports. By maintaining a dedicated SOC team, Turkcell can stay informed about the latest cybersecurity trends and aim to proactively mitigate potential risks. Any cyber incident which may have a material effect is conveyed to the EDRC.
|Cybersecurity Risk Role of Management [Text Block]
|Throughout the incident management process, the team maintains a high level of transparency and communication with senior management. All actions taken, as well as the outcomes and lessons learned from each incident, are documented and reported to senior management to ensure continuous improvement in Turkcell’s cybersecurity practices.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
As part of its Cyber Defense Center, Turkcell has a Security Operations Center (SOC) team that reports to the Cyber Security Directorate. The SOC team is responsible for monitoring, analyzing and responding to cybersecurity threats. This team gathers information about potential threats from various sources, including internal logs, external feeds and industry reports. By maintaining a dedicated SOC team, Turkcell can stay informed about the latest cybersecurity trends and aim to proactively mitigate potential risks. The Cyber Security Directorate at Turkcell consists of over 160 highly skilled and certified professionals. The Cyber Security Directorate is headed by Turkcell’s Cyber Security Director who benefits from numerous years of experience in the cybersecurity domain and who reports directly to the Chief Information and Communication Technology Officer. The team is composed of individuals with diverse backgrounds and expertise, including cybersecurity analysts, incident responders, security architects, and ethical hackers. This diversity allows the team to approach cybersecurity from different perspectives and to develop comprehensive strategies to mitigate risks effectively.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The Cyber Security Directorate is headed by Turkcell’s Cyber Security Director who benefits from numerous years of experience in the cybersecurity domain and who reports directly to the Chief Information and Communication Technology Officer. The team is composed of individuals with diverse backgrounds and expertise, including cybersecurity analysts, incident responders, security architects, and ethical hackers. This diversity allows the team to approach cybersecurity from different perspectives and to develop comprehensive strategies to mitigate risks effectively.In addition to their technical skills, the members of the Cyber Security Directorate hold relevant certifications in cybersecurity. These certifications demonstrate their expertise and commitment to upholding the highest standards of cybersecurity practices. Furthermore, the Cyber Security Directorate is continuously updating its skills and knowledge to stay ahead of emerging cyber threats. The team regularly participates in training programs, workshops, and conferences to stay abreast of the latest trends and developments in cybersecurity.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Cyber incidents occurring in the world and in Türkiye are also analyzed, as well as the effects that may occur if a similar cyber-attack occurs at Turkcell, and the preparations taken throughout the company are presented to the EDRC upon request of the Cyber Security Directorate.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef