|
Cybersecurity Risk Management, Strategy and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Abstract]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
ITEM 16K. CYBERSECURITY
Risk management and strategy
We prioritize the management of cybersecurity risk and the protection of information across our enterprise by embedding data protection and cybersecurity risk management in our operations. Our processes for assessing, identifying and managing material risks from cybersecurity threats have been integrated into our overall risk management system and processes.
As a foundation of this approach, we have implemented a layered governance structure to help assess, identify and manage cybersecurity risks. Our privacy and cybersecurity policies encompass incident response procedures, information security and vendor management. To help develop these policies and procedures, we monitor the privacy and cybersecurity laws, regulations and guidance applicable to us in the regions where we do business (including the Personal Data Law, as further described in “Item 4. Information on the Company—B. Business Overview-Regulation”), as well as proposed privacy and cybersecurity laws, regulations, guidance and emerging risks. In addition, we are assessed at least once a year by certain third-party independent consultants who conduct, among other things, penetration testing and mobile application security checks.
We design and regularly assess our information security program, guided by Payment Card Industry Data Security Standard and SWIFT CSP (Customer Security Program), as well as industry best practices. To protect our information systems from cybersecurity threats, we use various security tools that help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner. These include, but are not limited to, internal reporting, monitoring and detection tools. In addition, our business continuity
and disaster recovery policies are subject to regular testing and updating, and help to ensure the availability of our services, protection of customer data and prompt restoration of our operations in the event of a cyberattack.
We have processes to oversee and identify material risks from cybersecurity threats associated with our use of any third-party service provider. For example, before automated exchanges of data between the Company and any third party, such exchanges are subject to cybersecurity risk assessments aimed at identifying and minimizing attendant risks. In addition, such exchanges are quarantined so as to protect other Company systems from exposure to such risks. We also obligate certain of our vendors to adhere to privacy and cybersecurity measures via various contractual provisions, including an obligation to notify us of the unauthorized receipt of confidential information by their third parties.
Our employees undergo mandatory information security training and testing annually. In addition, annually, as part of our security program awareness, we hold programming dedicated to information security, during which we discuss issues arising throughout the year, including the main types of information security threats and best practices in combatting them.
For a description of risks from cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition, see “Item 3. Key Information—D. Risk Factors—Failure to improve or maintain technology infrastructure could affect our business.” While we have experienced cybersecurity incidents, to date, we do not believe that we experienced a material cybersecurity incident.
Governance
As part of our overall risk management approach, we prioritize the identification and management of cybersecurity risk at several levels, including board oversight and executive commitment. Our cybersecurity team, led by our Chief Information Security Officer (“CISO”), assesses and manages our material risks from cybersecurity threats. Our CISO has served in this role for eight years and is certified under ISO 27001 (information security, cybersecurity and privacy protection) standards, as well as an “Ethical Hacker” and Security by Cisco’s Cybersecurity Academy. Our reporting framework for cybersecurity risks is centralized at our subsidiary Kaspi Bank, and because our information security systems are integrated across the Company, risks are reported via Kaspi Bank regardless of whether they impact Kaspi Bank or other divisions of the Company. Information on cybersecurity risks is reported as appropriate from the CISO of the Company to the management of Kaspi Bank, and then to the board of directors of Kaspi Bank. The audit committee of the full Company, comprised of independent members of the board of directors of the Company, is ultimately responsible for reviewing material cyber risks reported within this framework based at Kaspi Bank. The audit committee oversees the responsibilities of the board of directors of the Company relating to Company-wide operational risk affairs, including risks from cybersecurity threats.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We prioritize the management of cybersecurity risk and the protection of information across our enterprise by embedding data protection and cybersecurity risk management in our operations. Our processes for assessing, identifying and managing material risks from cybersecurity threats have been integrated into our overall risk management system and processes.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Role of Management [Text Block]
|
As part of our overall risk management approach, we prioritize the identification and management of cybersecurity risk at several levels, including board oversight and executive commitment. Our cybersecurity team, led by our Chief Information Security Officer (“CISO”), assesses and manages our material risks from cybersecurity threats. Our CISO has served in this role for eight years and is certified under ISO 27001 (information security, cybersecurity and privacy protection) standards, as well as an “Ethical Hacker” and Security by Cisco’s Cybersecurity Academy. Our reporting framework for cybersecurity risks is centralized at our subsidiary Kaspi Bank, and because our information security systems are integrated across the Company, risks are reported via Kaspi Bank regardless of whether they impact Kaspi Bank or other divisions of the Company. Information on cybersecurity risks is reported as appropriate from the CISO of the Company to the management of Kaspi Bank, and then to the board of directors of Kaspi Bank. The audit committee of the full Company, comprised of independent members of the board of directors of the Company, is ultimately responsible for reviewing material cyber risks reported within this framework based at Kaspi Bank. The audit committee oversees the responsibilities of the board of directors of the Company relating to Company-wide operational risk affairs, including risks from cybersecurity threats.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our cybersecurity team, led by our Chief Information Security Officer (“CISO”), assesses and manages our material risks from cybersecurity threats. Our CISO has served in this role for eight years and is certified under ISO 27001 (information security, cybersecurity and privacy protection) standards, as well as an “Ethical Hacker” and Security by Cisco’s Cybersecurity Academy.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our reporting framework for cybersecurity risks is centralized at our subsidiary Kaspi Bank, and because our information security systems are integrated across the Company, risks are reported via Kaspi Bank regardless of whether they impact Kaspi Bank or other divisions of the Company.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The audit committee of the full Company, comprised of independent members of the board of directors of the Company, is ultimately responsible for reviewing material cyber risks reported within this framework based at Kaspi Bank. The audit committee oversees the responsibilities of the board of directors of the Company relating to Company-wide operational risk affairs, including risks from cybersecurity threats.
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef