|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
We have implemented comprehensive cybersecurity management and security emergency response management policies that are integrated into our overall risk management system. These procedures aim to ensure our overall network security, protect our data transmission system and prevent data leakage and other cybersecurity incidents. We have a strong in-house cybersecurity management working group, led by our cybersecurity officer, that consists of the information security department, the IT foundational service department, and the system operation and maintenance department. Working together, these departments identify, assess, and manage cybersecurity risks on a daily basis. We have established a sound response mechanism for external security attacks and violations and safeguarded the confidentiality of information and data of our company, employees and users. More specifically, we have established a strict data control system, taking a series of measures including data encryption, network firewall, network monitoring, and access control to ensure data security. In this way, we strive to ensure that information and data can only be obtained and used when necessary. We also regularly conduct inspections, cleaning, and data backup of our databases, equipment, and network supporting facilities. In order to implement cybersecurity awareness to every grassroots position, we have provided training programs to ensure that our employees have full access to the basic knowledge and principles of information security and promulgated data governance policies such as the QiFu Technology Cybersecurity Management System, the QiFu Technology Data Classification and Grading Management System, and the QiFu Technology Personal Information Protection and Data Governance Basic Policy to regulate the data and network usage within our company.
In addition, we have also launched a data security governance project. This initiative comprehensively clarifies user data and its protection measures, and further improves and strengthens the details and depth of data security protection. We have conducted a more meticulous review of the entire data lifecycle and formulated strict and operable standard processes around it. For data at different levels, we adopt differentiated security protection strategies to ensure that highly sensitive data receives the highest level of protection. At the same time, we strengthen cooperation and communication with external professional institutions, learn from advanced network security concepts and technologies, and continuously optimize our security system. We closely monitor industry trends and the latest security threats, and promptly adjust and update our security strategies and measures. Through these efforts, we will continuously consolidate and enhance the company’s network security level, and safeguard the data security of the company, employees, and users.
At the level of network security devices, we have implemented the Zero Trust system, which has:
(i) enhanced our security protection: by implementing the Zero Trust strategy, we have successfully extended security controls from the network perimeter to every access point and user, significantly boosting the overall security protection level of the system;
(ii) improved user experience: although the security controls are strengthened, by optimizing the authentication process and access policies, we have ensured a smooth experience for users when accessing our company’s resources;
(iii) reduced security risks: the implementation of the Zero Trust architecture has effectively minimized the risk of internal breaches and external attacks, as every access request is subject to authentication and authorization; and
(iv) enhanced compliance: through the adoption of the Zero Trust strategy, we have better met industry security standards and regulatory requirements, thereby enhancing the company’s compliance level.
To address cybersecurity emergencies, we have designed and implemented the Qifu Technology Emergency Response Management Regulations. Under these regulations, we established a cybersecurity emergency management team, which consists of the emergency response leadership group, the emergency response cybersecurity assurance group, the emergency response technical process group and the emergency response information notification group. Under the guidance of the regulations, these groups maintain a cybersecurity risk detection system, operate a multi-layer data protection regime, conduct regular risk assessments of our network and business infrastructures and carry out regular cybersecurity drills. These measures help us promptly identify cybersecurity risks and incidents. The Qifu Technology Emergency Response Management Regulations also serve to standardize and strengthen our emergency response procedures. They form a step-by-step cybersecurity response plan, covering a wide range of topics, including incident notification, impact assessment, response initiation, department coordination, data restoration, case analysis and outcome disclosure. When a cybersecurity incident occurs, we evaluate the type and impact of the incident, report and notify working parties and affected individuals, and carry out appropriate plans that we prepare in advance.
Besides, we engage law firms and auditors to conduct thorough due diligence of data compliance and assessments of our information system annually. We also work closely with third-party service providers to ensure their compliance with our cybersecurity standards and to assess risks arising from our engagements with them. We strive to provide the highest standards of data protection and information security for our consumers and SMEs and maintain and enhance the reliability, stability and scalability of our network infrastructure. In addition, we regularly conduct IT audits. Internally, we regularly conduct security audits of network configuration changes, sensitive authority accounts and operation log audits. Externally, we regularly accept IT audits, ISO certification audits, equal assurance inspections and ESG assessments from third-party audit teams to fully protect our information, network, and data security. To ensure the smooth and secure operations of our business during peak traffic, we intend to continue to conduct regular maintenance of our security system, closely monitor the development of information technology and security technologies used in the industry and make necessary upgrades to enhance our information technology systems.
As of the date of this annual report, we have not experienced any material cybersecurity incidents or identified any material cybersecurity threats that have affected or are reasonably likely to materially affect us, our business strategy, results of operations or financial condition.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We have implemented comprehensive cybersecurity management and security emergency response management policies that are integrated into our overall risk management system. These procedures aim to ensure our overall network security, protect our data transmission system and prevent data leakage and other cybersecurity incidents. We have a strong in-house cybersecurity management working group, led by our cybersecurity officer, that consists of the information security department, the IT foundational service department, and the system operation and maintenance department. Working together, these departments identify, assess, and manage cybersecurity risks on a daily basis. We have established a sound response mechanism for external security attacks and violations and safeguarded the confidentiality of information and data of our company, employees and users. More specifically, we have established a strict data control system, taking a series of measures including data encryption, network firewall, network monitoring, and access control to ensure data security. In this way, we strive to ensure that information and data can only be obtained and used when necessary. We also regularly conduct inspections, cleaning, and data backup of our databases, equipment, and network supporting facilities. In order to implement cybersecurity awareness to every grassroots position, we have provided training programs to ensure that our employees have full access to the basic knowledge and principles of information security and promulgated data governance policies such as the QiFu Technology Cybersecurity Management System, the QiFu Technology Data Classification and Grading Management System, and the QiFu Technology Personal Information Protection and Data Governance Basic Policy to regulate the data and network usage within our company.
In addition, we have also launched a data security governance project. This initiative comprehensively clarifies user data and its protection measures, and further improves and strengthens the details and depth of data security protection. We have conducted a more meticulous review of the entire data lifecycle and formulated strict and operable standard processes around it. For data at different levels, we adopt differentiated security protection strategies to ensure that highly sensitive data receives the highest level of protection. At the same time, we strengthen cooperation and communication with external professional institutions, learn from advanced network security concepts and technologies, and continuously optimize our security system. We closely monitor industry trends and the latest security threats, and promptly adjust and update our security strategies and measures. Through these efforts, we will continuously consolidate and enhance the company’s network security level, and safeguard the data security of the company, employees, and users.
At the level of network security devices, we have implemented the Zero Trust system, which has:
(i) enhanced our security protection: by implementing the Zero Trust strategy, we have successfully extended security controls from the network perimeter to every access point and user, significantly boosting the overall security protection level of the system;
(ii) improved user experience: although the security controls are strengthened, by optimizing the authentication process and access policies, we have ensured a smooth experience for users when accessing our company’s resources;
(iii) reduced security risks: the implementation of the Zero Trust architecture has effectively minimized the risk of internal breaches and external attacks, as every access request is subject to authentication and authorization; and
(iv) enhanced compliance: through the adoption of the Zero Trust strategy, we have better met industry security standards and regulatory requirements, thereby enhancing the company’s compliance level.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|In the event of a major cybersecurity incident, our Chief Executive Officer reports to the board of directors, which bears the ultimate responsibility for the company’s cybersecurity risks
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|board of directors
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|our Chief Executive Officer reports to the board of directors, which bears the ultimate responsibility for the company’s cybersecurity risks
|Cybersecurity Risk Role of Management [Text Block]
|The cybersecurity officer of our company is responsible for coordinating our internal cybersecurity planning and construction, and assessing, identifying, managing and responding to cybersecurity incidents. The officer is also responsible for reviewing and evaluating whether cybersecurity threats create material risks and whether such risks have or are reasonably likely to have a major impact on our company. In addition, the officer is responsible for the decision-making and reporting of major cybersecurity matters. Our cybersecurity officer has over 16 years of experience in the field. The officer reports and provides regular updates to our Chief Executive Officer on any material cybersecurity incidents or risks.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|cybersecurity officer
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our cybersecurity officer has over 16 years of experience in the field.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The officer reports and provides regular updates to our Chief Executive Officer on any material cybersecurity incidents or risks.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true