Item 16J.
INSIDER TRADING POLICIES
Our insider trading policy is included in our code of ethics, which is incorporated by reference to our annual report on Form 20-F filed on April 28, 2016. See “Item 16B. Code of Ethics” and “Item 19. Exhibits.”
 
Item 16K.
CYBERSECURITY
Risk Management and Strategy
We operate in an era of “digital transformation” marked by a proliferation of evolving technologies, including artificial intelligence, and the increasing use of the Internet and mobile devices to conduct financial transactions. A significant portion of our daily operations relies on our information technology systems, including customer service, billing, the secure processing, storage and transmission of confidential and other information as well as the timely monitoring of a large number of complex transactions. As a large financial institution, we recognize the importance of building and preserving trust with our customers and protecting their personal information in our day-to-day operations.
As part of our overall risk management system and processes, we maintain a comprehensive process for assessing, identifying and managing material risks from cybersecurity threats, including risks relating to disruption of business operations or financial reporting systems, fraud, theft, harm to employees or customers, violation of privacy laws, reputational risk and other litigation and legal risk, among others. We utilize policies, software, training programs and hardware solutions to protect and monitor our environment, including multifactor authentication on all critical systems, firewalls, intrusion detection and prevention systems, vulnerability and penetration testing and identity management systems. In particular, our banking platforms include a host of encryption, antivirus, multi-factor authentication, firewall and patch-management technologies designed to protect and maintain the systems and computers across our businesses. In addition, in order to protect our Internet banking services from system failures and cyber attacks, we process our online transactions through two separate data processing centers and monitor and report on any unusual delays or irregularities reported by our branches, and regularly implement various information technology system related initiatives and upgrades at the group and subsidiary level.
We also maintain a robust crisis management system, which provides a framework for responding to cybersecurity incidents based on the severity of the incident. In the case of a cyber incident, we follow internal reporting procedures to notify the Information Security Department, which is responsible for putting together an emergency response team to promptly address the incident and notify all relevant parties of such incident in order to minimize any further damage from the incident. We conduct regular evaluations for any weaknesses in our electronic financial infrastructure, and analyze the frequency and potential effects of any cyber threats on our systems in order to prevent any potential cyber attacks. We also carry limited insurance that provides protection against potential losses arising from cybersecurity incidents and regularly review our policy and levels of coverage based on current risks.
We and our major subsidiaries have obtained the Information Security Management System (“ISMS”) certifications of the Korea Internet and Security Agency, which share significant overlaps with the International Organization for Standardization (“ISO”) certifications. Kookmin Bank and KB Kookmin Card have each obtained ISO 27001 certification, which relates to information security. Kookmin Bank has also obtained ISO 20000 certification, which relates to information technology service management, and BS 25999 (now ISO 22301) certification, which relates to business continuity management. Kookmin Bank is the first Korean bank to have obtained all three such international certifications. In addition, we, Kookmin Bank and KB Insurance have each obtained ISMS certification, which relates to information security management, and KB Securities, KB Kookmin Card, Kookmin Bank and KB Capital have obtained ISMS-P certification, which relates to personal information in addition to information security management. KB Kookmin Card has also obtained PCI DSS certification, which relates to the protection of credit card data, and ISO 27701 certification, which relates to the management of personally identifiable information. These certifications are valid for three years, and we are subject to an annual audit to maintain such certifications. In addition, our cybersecurity program is reviewed and evaluated by external, independent third parties, who assess and report on any weaknesses in our information technology systems on both a periodic and continual basis. Furthermore, we utilize the curriculum provided by the Financial Security Institute to provide cybersecurity trainings to all of our employees.
From time to time, we engage certain third-party service providers that may process the personal information of our customers. In such cases, we enter into security management agreements with such service providers to ensure that they comply with our strict security standards. We also conduct periodic on-site inspections of such service providers and provide them with periodic security training sessions.
Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previous cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks and any future material incidents.
See “Item 3.D. Risk Factors—Other risks relating to our business—Our operations have been, and will continue to be, subject to increasing and continually evolving cybersecurity and other technological risks” for more information on risks from cybersecurity threats that are reasonably likely to materially affect our business strategy, results of operations and financial condition.
Governance
Board of Directors
Our board of directors’ principal role is one of oversight, recognizing that management is responsible for the day-to-day design, implementation and maintenance of an effective cybersecurity program for protecting against, and mitigating, data privacy and cybersecurity risks. Members of our board of directors stay apprised of the rapidly evolving cyber threat landscape as well as cybersecurity risks specific to us and our subsidiaries, and provide guidance to management as appropriate in order to enhance the effectiveness of our overall cybersecurity program.
Our board of directors has delegated the direct responsibilities relating to assessing and managing cybersecurity risks to our Chief Information Security Officer (“CISO”), who provides periodic reports on risk assessment and cybersecurity strategies to the board of directors. These reports include information about our information security management system and our personal information protection policy. In addition, the CISO provides quarterly evaluation reports to the board of directors concerning the sharing of customer information among our subsidiaries. The board of directors also reviews and approves our cybersecurity risk management processes on a periodic basis. In particular, the board of directors reviews our evaluation report on our use of customer information on a quarterly basis and our evaluation report on our management and use of personal credit information on an annual basis. It also reviews our overall cybersecurity strategy plan once every three years.
Management
The day-to-day monitoring, assessment and management of material cybersecurity risks is conducted by our management. We and each of our major subsidiaries operate an information security system operated by a CISO, who is responsible for managing cybersecurity risk management processes under the supervision of the board of directors at their respective companies. As part of such process, the CISO provides monthly reports to our chief executive officer on the results of our cybersecurity assessments.
We and each of our major subsidiaries also maintain an Information Security Department and an Information Security Committee, each chaired by the CISO, which monitors incidents of customer information misuse, unauthorized access to our customer information and failure to comply with information security policies, among others, through an integrated information security management system. Our Information Security Committee is responsible for reviewing and approving the following:
• our annual general information security and information technology work plans;
• strategies and plans for ensuring the safety of electronic financial transactions and the protection of our customers;
• the results of vulnerability evaluations of our electronic financial infrastructure and the plans for implementing remedial measures; and
• matters related to cybersecurity incidents and violations of cybersecurity regulations.
More specifically, the cybersecurity risk management processes described above are managed by our CISO at the group level, who heads our information security division. Our current CISO has over 25 years of work experience in information security and over 3 years of work experience in information technology, and has also obtained a master’s degree from the Korea University School of Cybersecurity.
 