In 2021, activities to ensure corporate security and access control were conducted in accordance with the Functional Strategy of MTS PJSC in the Field of Ensuring Corporate Security for 2021 and the Action Plan for Ensuring Integrated Security of MTS PJSC for 2021.
Information security
Protection of the interests of MTS PJSC in the information sphere is ensured by implementing interrelated organizational and technical measures, which form a unified information security management and provision system of MTS Group. The integrated approach made it possible to protect the MTS ecosystem from external and internal security threats, ensure its compliance with the legislative requirements of the Russian Federation and international standards, as well as prevent harm to the interests of MTS PJSC. The information security system has been developed with consideration of the best global practices on the basis of national and international standards. The Company is a licensee of the Federal Service for Technical and Export Control (FSTEC) and the Federal Security Service (FSB) of Russia for activities related to technical and cryptographic protection of confidential information and monitoring of information security (IS) events, and may provide respective services.
The personal data protection system provided the third level of protection as required by Russian legislation.
Protection of secrecy of communication in communication networks with information protection mechanisms built into communication facilities was compliant with the international standards and requirements of the industry regulator.
The corporate and commercial Operational Monitoring Centers operated 24×7. The IS incident monitoring and response service was provided to 15 commercial customers. Work was initiated on the development of IS products (SOC services + industrial SOC, the creation of the Threat Intelligence platform, the creation of the Red Team).
The transition to a service model of work with product teams of the MTS ecosystem has been implemented. The planned development of IS platforms to be used in MTS Group was carried out. The availability of IS assessment was ensured in the development of products (services) and support of the production processes of digital products.
Work was carried out to create a security system for significant facilities of MTS PJSC critical information infrastructure.
For the third year in succession, the British Standards Institute confirmed the compliance of the information security management system with the requirements of the international standard ISO 27001:2013 Information technology — Security techniques — Information security management systems — Requirements. The certificate expanded the capabilities of MTS PJSC to offer services in the IS market.
The annual certification of the Internal Control System of MTS PJSC took place for compliance with the Sarbanes-Oxley Act (USA), which is mandatory for members of the New York Stock Exchange (NYSE: MBT). The company has been successfully certified. Deloitte’s external auditor’s report was issued without comment.
An assessment of the regulatory impact of 43 laws and regulations (L&R) and draft L&R on information protection was carried out with recommendations for minimizing risks. 15 proposals have been developed to make amendments to the legislation of the Russian Federation and information security standards.
Basic local regulations on information security have been updated and adapted for MTS ecosystem companies.
Information security experts were actively involved in the drawing up of new draft L&R in the area of information security in the MinTsifry (Ministry for Digital Technology, Communication and Mass Media) of Russia.
Priority areas for ensuring information security in 2021
- Compliance of the information security management system with the requirements of regulators, existing licenses and best practices.
- Ensuring the security of restricted information (secrecy of communication, personal data, etc.).
- Completion of the formation of a system for protecting the critical information infrastructure.
- Introduction of digital technologies in information security protection processes.
- Development of information security solutions and services for internal and external customers.
- Support for the digital transformation of MTS Group (methodological, expert, technical support for the parties involved).
SORM (Law Enforcement Support System, LESS)
In order to ensure the failure-proof operation of special complexes installed on the MTS PJSC network, actions were organized and held on a permanent basis to maintain and support the equipment and software.
As part of fulfilling the tasks of implementing the requirements of Federal Law No. 374-FZ, work was performed on the MTS PJSC network to implement and carry out acceptance tests of special complexes in accordance with the concept and deadlines for implementing the law agreed upon with the Federal Security Service (FSB) of Russia.
Special complexes have been installed on communication networks, the availability of which makes it possible to provide new communication technologies (NB IoT, IMS, RCS, 5G, eSIM), as well as new convergent services (MTS Connect with Virtual Number and MultiAccount functionality, WiFi Calling, VoLTE/ViLTE, RCS IP Messaging, Virtual PBX, WiFi for business).
Work on the modernization of the special equipment supporting the activities of authorized state bodies was carried out on a scheduled basis, in accordance with the approved investment program and the requirements of laws and regulations (L&R). Scheduled events were held in full.
Economic security and anti-corruption
The activities of the economic security and anti-corruption divisions of MTS PJSC are focused on identifying financial and economic risks, taking measures to mitigate them, and preventing reputational and material damage.
Taking into account the ongoing product transformation of the Company, the most important area of activity of the Economic Security and Anti-corruption Department (ESACD) was the improvement of processes for protecting economic security.
As part of improving the efficiency of procurement processes, measures were taken to update local regulations (LRs) governing the procurement and investment activities of the Company. Measures have been implemented to strengthen the individual responsibility of procurement process participants.
In order to accelerate procurement processes, the format of ESACD participation was transitioned, as planned, to monitoring and post-control of procurement procedures, without direct participation in the procurement process but with the level of economic risks kept comparable to the current one.
For the purposes of improving the mechanism for checking counterparties, the process was automated: the impact of the subjective human factor on the results of checks was decreased, the terms were reduced significantly, and the frequency and depth of checks were increased. Furthermore, the automation of the functionality made it possible to organize verification activities in relation to the Company’s clients, which will decrease the creation of accounts receivable in the future.
To obtain competitive advantages in the B2B area, a risk-based approach was adopted in developing scoring models that take into account the specifics of the business.
With regard to subsidiaries and affiliates, a model has been built for the provision of services to the economic security function according to the system of service contracts.
The ESACD actively participated in saturating management decisions with practical measures based on the results of internal audits and investigations. Activities to compensate for the damage caused to the Company and reduce overdue accounts receivable have been strengthened. Favorable results have been achieved mainly due to the maximum openness of the Department and the possibility of direct communication and discussion of problems between functional divisions.
Priority areas for ensuring economic security and anti-corruption 2021
- Ensuring a sustainable system of economic security in present-day conditions.
- Prevention and suppression of economic and corruption offences, development of measures to minimize threats (risks).
- Improvement of control mechanisms by shifting the focus to post-control.
- Carrying out activities to verify information about candidates for employment, identify conflicts of interest and reduce the time of verification activities.
- Improvement (updating) of local regulations in the field of protection of economic security and anti-corruption.
Security of personnel and facilities
The work to ensure access control and intra-facility regime at MTS PJSC was based on Standard ST-053 “Requirements for Ensuring the Security of MTS PJSC Facilities”. Access control at the Company’s facilities was performed by employees of private security companies using engineering and technical security equipment, access control and management tools, Closed-Circuit Television System (CCTV), signaling and communication systems.
In 2021, the work continued to implement a technical solution for access using face recognition; the algorithms and modes of operation of face recognition terminals were optimized; it was ensured that temperature measurement results are recorded in automatic mode. The introduction of this technology in MTS PJSC branches has started. The introduction of new video analytics and thermal imaging technologies made it possible to reduce the time for employees to access facilities, ensure the protection of personnel during the pandemic and optimize costs.
In order to prevent vandalism and theft of inventory at the facilities of the radio subsystem and to provide uninterrupted communication services, activities were carried out to ensure the continuity of operation of the priority base stations (BS) by significantly increasing the amount of security equipment installed at them.
As part of improving the confidential document flow and the protection of trade secrets and other confidential information, the requirements of RP-140 “Organization of Office Work with Physical Storage Media Constituting a Trade Secret and Other Confidential Information of MTS PJSC” were updated, and the use of a basic electronic signature for confidential office work was introduced.
In order to check the readiness of the security personnel of the private security company to act in the event of an emergency at the facilities of MTS PJSC, fire-fighting and anti-terrorist trainings were conducted together with the employees of the Administrative Unit. Security officers in all regions of MTS PJSC operation traveled around base stations in order to check their anti-terrorist protection.
Scheduled measures were taken to identify and eliminate possible channels of leakage of speech information circulating in the premises of the Company’s management through acoustic and technical channels.
In accordance with the legislation of the Russian Federation and the recommendations of the Ministry of Emergency Situations of Russia, as well as in accordance with the approved 2021 Action Plans for civil defense, prevention and response to emergency situations and ensuring fire safety, MTS Group took measures with respect to this area.
Priority Areas in the Field of Personnel and Facility Safety
- Improving the efficiency of the security system and anti-terrorism protection of personnel and facilities of MTS PJSC.
- Implementing measures to prevent theft of equipment and inventory from the facilities of MTS PJSC.
- Maintaining readiness for action of MTS PJSC system for emergency prevention and response under threats and emergency conditions.
Antifraud
In April 2021, the Antifraud Department of the Security Block of MTS Group CC was established on the basis of Order No. 16/00112P dated April 12, 2021. On the basis of this order, the process of consolidating and coordinating fraud prevention operations for all fraud types was started.
The results of the activities of the newly established department were:
- in the area of client fraud control: in 2021, penalties were imposed in the amount of RUB 478,350;
- in the area of subscriber fraud: 827,902 cases of fraud were detected; the amount of prevented losses was RUB 159.947 million;
- in the area of identifying the traffic terminated on the MTS network illegally: 77,330,368,152 calls were processed, of which 1,496,504,952 calls were blocked;
- in the area of transactional fraud: for Q3 and Q4 2021, 49,564,972 transactions were processed, of which 723,087 transactions were blocked;
- results of projects on the basis of the Hexagon anti-fraud system:
- suppression of the illegal traffic with A-number substitution: ~50 million calls per month;
- blocking the illegal international traffic from associated operators, monthly: ~100 million calls;
- prevention of losses in the amount of: ~RUB 4.5 million per month;
- receipts from the Voice Antifraud service related to the protection of bank customers against fraudulent calls in 2021: RUB 13.9 million.
Employees of the Antifraud Department regularly carried out activities aimed at identifying and suppressing cases of illegal replacement of SIM cards, as well as preventing related financial and reputational losses of the Company.
A system for detecting, monitoring, analyzing, suppressing fraud and fraudulent activities has been introduced to detect fraud and organize counteraction to illegal access to subscriber data and their disclosure to third parties, as well as to combat illegal replacement of subscribers’ SIM cards.
Interaction with FinCERT of the Bank of Russia has been organized to immediately obtain information about MTS PJSC numbering used by fraudsters.
A control procedure has been implemented, which is aimed at counteracting the transit of funds on the basis of the Intellinx anti-fraud system. The amount of citizens’ funds saved was more than RUB 94 million.
Priority areas of the Fraud Department 2021
- Upgrade of RIM hardware-software complex to perform analytics within the framework of the investigation of fraudulent activities.
- Ensuring the continuity of the operation of MTS PJSC anti-fraud systems.
- Development of MTS Fraud Detection Platform — MTS FDP system to upgrade and ensure the continuity of operation of the existing in-house solution in order to unify and expand the functionality of fraud management processes and increase their efficiency.
- Development of a system of electronic interaction with law enforcement agencies.
- Ensuring the availability of Intellinx IS.
- Using the implemented system for detecting, monitoring and analyzing fraud and fraudulent activities to prevent fraudulent activities, both from external sources and from MTS Group employees.
- Development of fraud monitoring in RTC JSC in order to automate anti-fraud processes.