Participation in the Strength of the Technology

IT Management and Information Security

At Ziraat Katilim, activities related to information security are carried out within a structure aligned with the Bank's internal control and oversight mechanisms. In this context, information security processes are handled under the coordination of the Head of Internal Systems Group, and the said Head of Group carries out its activities under the supervision of the Board of Directors. The ultimate responsibility for ensuring information security within the Bank rests with the Board of Directors. The Board of Directors considers information security management as an integral part of corporate governance practices and oversees the implementation of policies and strategies aimed at protecting information assets.

Within the framework of the Banking Law, the Bank's Articles of Association and other relevant legislative provisions, as well as the policies and strategies determined by the Board of Directors, the Information Security Committee has been established to coordinate activities related to information security. The duties and authorities of the Committee are determined by the Board of Directors. The development, approval and periodic update of information security policies, as well as the definition of duties and responsibilities related to information security, are carried out under the responsibility of the Committee. The Committee also conducts review activities in extraordinary situations such as significant security incidents, the emergence of new vulnerabilities, or critical infrastructure changes. Decisions taken by the Information Security Committee are directed to the relevant information technologies teams for implementation and the necessary actions are ensured.

Operational activities related to information security are carried out by the Information Security unit reporting to the General Manager. These activities are monitored under the coordination of the Head of Internal Systems Group and are subject to the supervision of the Banking Regulation and Supervision Agency (BRSA). In addition, information security practices are regularly evaluated through audits conducted within the scope of the Information Security Management System in accordance with the ISO 27001 Information Security Management System Standard.

Information Systems Management at the Bank is one of the fundamental structures supporting the Bank's operational continuity and the uninterrupted execution of business processes. In this context, the information technology infrastructure is managed in alignment with the Bank's corporate objectives and business priorities.

In order to increase efficiency in Information Systems management processes, an Information Technology Governance Model was designed in 2024 and its implementation was initiated across the Bank. In the same period, the Agile Management Model was adopted and the Strategic Governance application, which addresses project and demand management in an integrated manner, was put into operation. Through this structure, it was aimed to prioritize information systems requests, clarify approval processes and manage resource utilization more effectively.

In 2025, within the scope of the Strategic Governance application, effort tracking and performance monitoring mechanisms were established in demand and project management processes and regular reporting was initiated. The products and services planned by the Bank's business families for use by customers and internal personnel are submitted to Ziraat Teknoloji through the Strategic Governance demand management application after completing the required approval and feasibility stages. Following the infrastructure and software development activities carried out within Ziraat Teknoloji, the products and services integrated into the information systems infrastructure are made available for use after acceptance tests conducted by the business families.

Within the scope of the Agile Management Model, evaluation meetings held at the end of each cycle have strengthened decision-making processes in line with risks and data, enabling faster, more flexible and higher-quality outputs in information systems management.

Cybersecurity, Data Privacy and IT Risk Management

With the acceleration of digitalization in banking processes, risks related to information systems and data security have become more complex and dynamic. Taking this development into consideration, Ziraat Katilim continuously improves its efforts to enhance the reliability of information systems and to protect the confidentiality and integrity of customer and Bank data. In this context, in addition to technical investments in the security infrastructure, an approach is adopted in which security is addressed as an institutional responsibility. A holistic information security management approach supported by employee trainings and awareness activities is implemented.

Throughout 2025, no information security incident affecting the Bank's customers or employees occurred, and the activities carried out contributed to the secure and uninterrupted operation of the systems.

Ziraat Katilim focuses on identifying emerging risks and continuously improving system security in order to protect the confidentiality and security of customer and Bank data. This approach is implemented within the framework of an integrated information security management strategy supported by comprehensive security policies and standards, as well as strong security awareness and training programs, and involving the application of advanced and multi-layered defense systems.

In line with information security strategies and policies, an IT Risk Management structure has been established. Information technology risk is recognized as one of the Bank's corporate risk components and is addressed as an integral part of banking operations. In order to ensure business continuity and data integrity, the Bank manages operational risks and information technology risks within an integrated structure.

Information assets are classified according to confidentiality, integrity and availability criteria, and security controls appropriate to the criticality of the assets are determined. The effectiveness of the defined controls is monitored through regular testing and necessary improvement activities are carried out for the risks identified. The ISO 27005 Information Security Risk Management Standard is taken as the basis in these processes.

Information security and cybersecurity processes are conducted in consideration of the Banking Law No. 5411, the Regulation on Banks' Information Systems and Electronic Banking Services issued by the Banking Regulation and Supervision Agency, the Law on the Protection of Personal Data, ISO 27001, ISO 27005, COBIT (Control Objectives for Information and Related Technology) and NIST (National Institute of Standards and Technology) standards. In addition, in accordance with the Presidential Circular No. 2019/12 on Information and Communication Security Measures published in the Official Gazette dated July 6, 2019 and numbered 30823, compliance is ensured with the Information and Communication Security Guide prepared by the Presidency of the Republic of Türkiye Digital Transformation Office.

National and international regulatory developments are regularly monitored. The Bank's information security policies and the practices supporting these policies are kept up to date in alignment with the requirements of the regulatory authorities to which it is subject. In line with digital transformation, new technologies and developments in processes, information security regulations are periodically reviewed.

Ziraat Katilim prioritizes the confidentiality of customer information and data security as a fundamental principle, in line with its banking operations conducted in compliance with legal regulations and its customer-oriented business approach.

Information Security Awareness and Training Activities

At Ziraat Katilim, a structured Information Security Awareness Program covering all employees is implemented in order to support the establishment of an information security culture throughout the institution. Information security topics are included in the orientation programs applied during employees' onboarding processes and in face-to-face classroom trainings, aiming to ensure that employees reach a basic level of awareness before starting their duties.

Every year at the Bank, information security awareness trainings that include updated cyber threat topics and best practices are assigned to all employees, and the completion status of these trainings is monitored regularly. In order to ensure the continuity of information security awareness, informative bulletins containing current information security incidents and best practices are prepared on a monthly basis and shared with all employees.

On the other hand, in order to raise awareness of social engineering and phishing attempts, internal phishing drills are conducted throughout the year. The findings obtained as a result of these exercises are analyzed. Additional trainings are planned for employees who fail the drills, aiming to increase their level of awareness.

In 2024, inspectors of the Bank's Audit Board who take part in information systems audit processes received training on network security, operating system security and secure configuration. In addition, trainings related to ISO 27001 Information Security Management System audits were completed, and inspectors who were successful in the examinations became entitled to receive the ISO 27001 Lead Auditor certificate. Furthermore, SQL Server trainings were organized in order to support data analytics-based audit activities.

In 2025, Inspection Authority and Inspection Proficiency trainings were conducted in order to support the professional development of assistant inspectors. Within the scope of the Inspection Authority training, 20 different trainings were delivered in a program lasting 14 days. Within the scope of the Inspection Proficiency training, 23 different trainings were conducted in a program lasting 26 days.

Business Continuity Plans for Uninterrupted Service

Ziraat Katilim implements practices aimed at protecting information technology assets within a systematic framework in order to ensure business continuity, maintain focus on corporate objectives, and strengthen customer experience and satisfaction. In this context, the continuity and reliability of the information systems infrastructure are maintained, and operational and technological risks that may affect the uninterrupted delivery of digital banking services are closely monitored. Through implemented controls and monitoring mechanisms, it is aimed to ensure the secure and sustainable operation of the Bank's digital service infrastructure.

At the Bank, the business continuity governance structure consists of the ISAD (Business Continuity and Emergency) Committee, Head Office Units, Intervention Teams designated in branches, and the Coordination Office. The coordination function is carried out by the Head of Operations Center Department, and planning, implementation and monitoring processes related to business continuity are managed in an integrated manner through this structure. In order to manage processes effectively in potential emergency and crisis scenarios, the Crisis Center is activated, and response and recovery activities are coordinated through this center. Within the scope of the Bank's Business Continuity Process, the coordination of activities related to the preparation, update and implementation of the Business Continuity Plan is carried out by the ISAD Coordination Office.

Ziraat Katilim conducts its business continuity activities within a systematic structure in compliance with legislation in order to ensure the uninterrupted continuation of banking activities. In this context, the Ziraat Katilim Business Continuity Plan has been prepared in accordance with Article 13 of the Regulation on Banks' Internal Systems and Internal Capital Adequacy Assessment Process, Article 28 of the Regulation on Banks' Information Systems and Electronic Banking Services, and the TSE ISO 22301 Business Continuity Management System Standard, and was updated in 2024. Within the scope of the updated plan, the structures and scenarios supporting the continuity of the Bank's critical activities have been reviewed and the business continuity framework has been reassessed by taking current risks into consideration.

The Business Continuity Plan includes managerial processes and strategies that ensure preparedness against risks that may arise in the event of interruptions in the Bank's activities due to emergencies and unexpected situations originating from information systems and physical security.

Within the scope of the updated plan, scenarios are created for potential interruptions in information systems and operational activities. While preparing these scenarios, the potential impacts of disruptions in activities are addressed in three stages: before the event, during the event and after the event. In case of interruptions, Head Office units and branches are expected to act in accordance with the predetermined scenarios.

In accordance with the Regulation on Banks' Information Systems and Electronic Banking Services, Emergency Operations Center tests are conducted regularly every year. In order to determine the processes to be tested, Business Impact Analysis studies are conducted with the participation of all Bank units, and critical processes and critical personnel are identified for the Bank. The processes determined based on the results of the Business Impact Analysis are subjected to tests by the relevant personnel. Based on the findings obtained from these tests, the Business Continuity Plan and its annexes are updated at least once a year, and Communication Chain Tests are conducted twice a year.

In 2025, implementation and development activities within the scope of business continuity were continued, and the Business Continuity Plan and the Disaster/Emergency Action Process Plan were published within the Bank as separate documents.

In 2025, the following significant technical improvements were implemented in the information systems infrastructure with the aim of ensuring business continuity:

  • Work on the Active-Active Data Center Project has been initiated.
  • Core Switch and Metro Ethernet Switch devices that had completed their lifecycle have been replaced.
  • Operating systems of Windows and Linux servers have been upgraded to the latest versions.
  • Findings at the database and code levels that could hinder business continuity have been identified and necessary improvements have been implemented.
  • Web access logs of application servers have been centrally collected and monitored.
  • Work has been initiated for the backup of the SWIFT system, and the process to establish a redundant active-passive structure for SAA (SWIFT Alliance Access) is underway.
  • The Blacklist query structure has been addressed to establish a redundant architecture, and structural improvement activities are being carried out to prevent risks that may harm the system.
  • Security projects including:
    - Cloud DDoS Protection Project (Akamai), DDoS Protection Renewal Project,
    - IPS (Intrusion Prevention System) Renewal Project,
    - NAC (Network Access Control) Transformation Project
    have been completed and system resilience has been enhanced.

Innovations implemented within the scope of information systems management in 2025 to enhance customer experience and service delivery efficiency:

  • The Mobile and Internet Branch infrastructure has been renewed and made available to Bank customers with interface and functionality improvements enhancing user experience.
  • The Request to Payment System, which enables customers to digitally request payments from the persons who will make them, has been implemented.
  • An infrastructure enabling the physical delivery of gold purchased by Bank customers through branches or the mobile application has been established.
  • The Secure Payment Service has been launched to enable customers to carry out second-hand vehicle sales transactions securely.
  • The Social Media Content Creator Account, which enables automatic taxation of income earned by content creators on social media platforms without the need for a tax declaration, has been introduced.
  • The Home-Based Production Account, enabling customers who sell home-produced goods through electronic platforms without opening a separate workplace to benefit from tax reductions, has been made available to customers.
  • The Shared Account Service, in which a portion of savings is evaluated in participation accounts and another portion in investment funds, has been launched.
  • Necessary infrastructure works have been completed in compliance with the Circular on Identity Verification and Transaction Security Criteria published by the BRSA.

In 2025 and beyond, Ziraat Katilim plans to focus on areas such as strengthening artificial intelligence infrastructure, increasing automated processes through Robotic Process Automation (RPA), new data center investments and the end-to-end modernization of core banking interfaces. By addressing information systems management with a continuous improvement approach, Ziraat Katilim aims to provide a reliable, flexible and sustainable technology infrastructure within the digital banking ecosystem.

Systems Established to Protect Data Confidentiality

Ziraat Katilim takes the necessary technical and administrative measures to ensure that personal data are stored securely, to prevent unlawful processing, and to ensure their lawful destruction. In this context, data processing activities are carried out within the framework of all relevant legal regulations, primarily Article 20 of the Constitution, the Personal Data Protection Law No. 6698 and the Banking Law No. 5411.

In line with the Personal Data Protection Implementation Principles and Procedures, the Bank fulfills its obligation to inform data subjects, provides relevant disclosures across all service channels and attaches importance to obtaining the necessary explicit consents. Acting in its capacity as a data controller, the Bank records and maintains the personal data it processes within the Data Controllers' Registry Information System (VERBIS). Policies and disclosure texts related to data processing activities can be accessed through the Bank's corporate website.

The approach to personal data protection is not limited to customer data; the protection of employees' personal information and data is also among the fundamental principles. Ziraat Katilim takes measures in compliance with the relevant legal regulations in order to ensure the confidentiality of employees' personal information, prevent its sharing with unauthorized persons and protect individuals' fundamental rights and freedoms. In this context, employees' responsibilities regarding data privacy are clearly defined and compliance with the determined measures and regulations is expected. This approach is implemented in alignment with the Bank's Human Resources and Human Rights Policy.

In order to identify and eliminate security vulnerabilities in the Bank's information systems, penetration tests are conducted by independent firms at least once a year within the scope of the BRSA Circular on Penetration Tests for Information Systems. These tests aim to identify vulnerabilities that could lead to unauthorized access to the Bank's information systems, data leakage and similar security outcomes. Based on the findings obtained from the penetration tests, action plans are developed and reported quarterly to the Board of Directors and the Banking Regulation and Supervision Agency.

Within the Bank, Network Security Control Systems are operated to protect against threats that may arise from the corporate network and external networks. Rules have been defined regarding the use of network resources, including USB usage, file sharing outside the Bank, database and application access, and the installation of non-standard applications. Standards have been defined regarding computers and access to be provided for third-party company employees, consultants and auditors who will work at Bank locations.

The use of network resources is monitored through Data Loss Prevention (DLP) systems. Data transfers conducted via e-mail and the internet are monitored in real time. In 2025, in addition to monitoring mechanisms, preventive controls were activated within the scope of data loss prevention applications. Furthermore, USB usage at the end-user level has been restricted in order to reduce the risk of data being transferred outside the institution. In order to support security processes, log records related to transactions are created and monitored regularly.

In order to strengthen information security practices in mobile channels, the scope of security policies applied to mobile devices was expanded in 2025, and a mobile application security service was introduced to protect customers against malicious software that may exist on their mobile devices.

Compliance efforts with the Circular on Identity Verification and Transaction Security Criteria have been completed in processes related to electronic banking services and the establishment of contractual relationships in electronic environments. The level of security in transactions conducted through digital channels has been strengthened.

In order to strengthen the security of customer data and protect confidentiality in analytical activities, the "Customer ID Decoder" application, which converts customer numbers into an encrypted structure, has been designed to be used in processes carried out with technology business partners.
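The following illustrates the kind of keyed pseudonymization such an application relies on. It is an added example, not the Bank's or Ziraat Teknoloji's code; the key value, the `CID-` token format and the class name are assumptions. It also shows why an unkeyed hash of a numeric customer number is not a substitute: the number space is small enough to enumerate.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed demo key. In practice the key stays inside the Bank
# (HSM / key management service) and is never shared with partners.
DEMO_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


class CustomerIdPseudonymizer:
    """Deterministic, keyed pseudonymization of customer numbers.

    The same customer number always yields the same token, so a technology
    partner can join records on it, but without the key the token cannot be
    mapped back. The reverse mapping lives in an internal table only.
    """

    def __init__(self, key: bytes, token_hex_len: int = 16):
        if len(key) < 32:
            raise ValueError("key must be at least 256 bits")
        self._key = key
        self._token_hex_len = token_hex_len
        self._reverse: Dict[str, str] = {}  # token -> customer number (internal)

    def pseudonymize(self, customer_no: str) -> str:
        """Return the partner-facing token for a numeric customer number."""
        if not customer_no.isdigit():
            raise ValueError("customer number must be numeric")
        mac = hmac.new(self._key, customer_no.encode(), hashlib.sha256).hexdigest()
        token = "CID-" + mac[: self._token_hex_len]
        self._reverse.setdefault(token, customer_no)
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Re-identify a token; only callable inside the Bank's environment."""
        return self._reverse.get(token)


def unkeyed_hash(customer_no: str) -> str:
    """The weak alternative: a plain SHA-256 of the customer number."""
    return hashlib.sha256(customer_no.encode()).hexdigest()


def recover_from_unkeyed_hash(target: str, digits: int) -> Optional[str]:
    """Show that an unkeyed hash of a short numeric id is trivially reversible
    by enumerating every id of that length (10**digits candidates)."""
    for n in range(10 ** digits):
        candidate = str(n).zfill(digits)
        if unkeyed_hash(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    p = CustomerIdPseudonymizer(DEMO_KEY)
    tok = p.pseudonymize("0012345")
    print("token shared with partner:", tok)
    print("internal re-identification:", p.resolve(tok))
    print("unkeyed hash recovered as:", recover_from_unkeyed_hash(unkeyed_hash("04217"), 5))
```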

Data Security Awareness and Training Activities

In order to raise awareness across the institution within the scope of personal data protection, both classroom and remote trainings are regularly provided to all employees, and the completion of these trainings is mandatory. In this way, it is aimed to ensure that employees reach a common level of knowledge regarding PDPL obligations, fundamental principles and best practices.

Measures Taken Against Cyber Security Threats

In line with its legal responsibilities, Ziraat Katilim aims to follow new and advanced security systems and implement the most effective data privacy and security solutions. The Cyber Security Center operating within the Bank monitors the Bank's information systems and alarm mechanisms with a continuous monitoring and response approach seven days a week. The Center conducts vulnerability and exposure scans, performs analyses regarding potential threats and carries out the necessary response processes.

The information security infrastructure is managed within an integrated structure covering network, endpoint, application and data security. In this context, network and endpoint security solutions, protection systems against denial-of-service attacks, intrusion detection and prevention mechanisms, access control applications, firewalls, e-mail security solutions, as well as data loss prevention (DLP) and web/DNS security systems are utilized. In order to centrally monitor security incidents, system logs are collected and analyzed through the Security Information and Event Management (SIEM) infrastructure.

In addition, code review processes are carried out to ensure application security, and regular penetration tests and vulnerability management activities are conducted.

During 2024, activities were carried out to control code standards within the Bank, and source code security scans and audits were conducted. Web application firewall implementations were activated, and vulnerability analyses were performed for newly developed applications and systems. Furthermore, an MAM/MDM solution was put into service in order to enhance the security of corporate mobile devices.

In 2025, expansion and improvement activities were carried out in network and endpoint security controls used against cyber threats. New products were implemented for DDoS and intrusion prevention systems used against denial-of-service attacks. IPS, EDR and EPP solutions continued to be actively utilized. During the same period, the capacity of the SIEM infrastructure was increased and capabilities for collecting and analyzing log records were strengthened.

Within the scope of data loss prevention applications, the effectiveness of existing rules was enhanced and preventive controls were implemented in addition to monitoring mechanisms. The scope of security policies applied to the Bank's mobile devices was expanded. In order to protect customers against malicious software that may exist on their mobile devices, a mobile application security service was put into operation.

Within the Bank, the Cyber Incident Response Team (SOME) operates as part of the processes related to information security violations. Security incidents and vulnerabilities related to information systems are monitored and recorded through central monitoring mechanisms. In this context, the Bank receives Cyber Security Center services operating on a 24/7 basis.

Ziraat Katilim carries out its activities related to cybersecurity and data privacy within the framework of a continuous improvement approach. Short-, medium- and long-term targets in this field are determined in line with regulatory requirements, the development of risk management capacity and the strengthening of technological infrastructure. In the coming periods, it is planned to expand the use of artificial intelligence-supported products in security solutions in order to enhance early threat detection and response capacity.