What You Should Know About Kaspersky 2 Building a Safer World Technology Now Connects Us Across Platforms and Borders Like Never Before

What you should know about Kaspersky 2 Building a safer world Technology now connects us across platforms and borders like never before. As the world has become more digitized and globalized, we at Kaspersky have become a technology leader with an advanced and comprehensive portfolio of security solutions and services, including innovative products and technologies, cloud services and world-leading threat intelligence.

Our mission is to build a safer world, and it emphasizes our commitment to a trusted and transparent future. We believe in a tomorrow where technology improves all of our lives. Which is why we secure it, so everyone everywhere benefits from the endless opportunities it brings. In the modern world, cybersecurity is about more than just protecting devices, but about developing an ecosystem where everything connected through technology is protected. That’s why we have moved beyond the anti-virus laboratory to provide cybersecurity technology that people can trust, and our business focus has evolved towards the wider concept of “cyber-immunity”.

Our mission is simple – building a safer world. And in fulfilling that mission we aim to become ” the global leader in cybersecurity – by securing technology to make sure that the possibilities it brings become opportunities for each and every one of us. Bring on endless possibilities. Bring on a safer tomorrow.

Eugene Kaspersky, CEO

1 About Kaspersky

We are one of the world’s largest We operate in Our goal is to bring on the future for privately-owned cybersecurity 200 countries and our customers. Our advanced and companies that has been operating territories comprehensive portfolio encompasses in the market for over 23 years. solutions, including innovative products and technologies, cloud services and world-leading threat intelligence, to suit a wide range of customers. We enable and have consumers to use technologies and 34 offices services so they can enjoy their lives in 30 countries. without worrying about cybersecurity risks. We also enable corporate clients to build successful businesses by eliminating concerns about cyberthreats.

Over 4,000 highly qualified specialists work for Kaspersky.

We pride ourselves on developing world- leading security that keeps us, and over 400 million users across the globe, and 250,000 corporate clients, protected by our technology

2 Proven Transparent Independent

Kaspersky routinely scores the We are totally transparent and make it As a private company, we are independent highest marks in independent ratings even easier to understand what we do via from short term business considerations and surveys. our Global Transparency Initiative: and institutional influence.

• Measured alongside more than 100 • Independent review of the company’s We share our expertise, knowledge other well-known vendors in the source code, software updates and and technical findings with the world’s industry threat detection rules. security community, IT security vendors, • 64 first places in 86 tests in 2019 • Independent review of internal international organizations, and law • Top 3 ranking* in 81% of all processes to verify the integrity of our enforcement agencies. product tests solutions and processes. • Kaspersky has been recognized as a • Relocation to Switzerland of data Our research team is spread across the 2020 Customers’ Choice for Endpoint storage and processing for customers world and includes some of the most Detection & Response Solutions by in Europe, the United States, Canada renowned security experts in the world. Gartner Peer Insights** and several countries in Asia-Pacific We detect and neutralize all forms of • Kaspersky was named a Leader in the region. Advanced Persistent Threats (APT), Forrester Wave Endpoint Security Suites • The opening of transparency centers regardless of their origin or purpose. 2019 evaluation*** globally. • Increased bug bounty rewards up to Our Global Research and Analysis Team $100,000 per discovered vulnerability (GReAT) is well-known for the discovery * https://www.kaspersky.com/top3 in Kaspersky products. and dissemination of the most advanced ** Kaspersky recognized as the highest ranking vendor in the cyberthreats. 2020 Gartner Peer Insights Customers’ Choice for Endpoint Detection & Response. Gartner Peer Insights Customers’ Choice constitute the subjective opinions of individual end- user reviews, ratings, and data applied against a documented methodology; they neither represent the views of, nor constitute an endorsement by, Gartner or its affiliates. https://www.gartner.com/reviews/market/endpoint- detection-and-response-solutions *** The Forrester Wave™: Endpoint Security Suites, Q3 2019. The 15 Providers That Matter Most And How They Stack Up’ by Chris Sherman with Stephanie Balaouras, Merritt Maxim, Matthew Flug, and Peggy Dostie

3 Our Global Transparency Initiative

In 2017, we launched the Global Trans- 2. We opened Transparency Centers in 4. We successfully completed the Ser- parency Initiative aimed at engaging the Zurich, Switzerland, in Madrid, Spain, in vice Organization Control for Service broader information security community Kuala Lumpur, Malaysia and in São Paulo, Organizations (SOC 2) Type 1 audit and other stakeholders in validating and Brazil. These are dedicated facilities to undertaken by one of the Big Four ac- verifying the trustworthiness of Kasper- review the company’s code, software counting firms. It confirmed that the sky products, internal processes, and updates, threat detection rules and development and release of Kasper- business operations. It also introduces other technical and business processes. sky’s threat detection rules databases additional accountability mechanisms by They also serve as briefing centers to (AV databases) are protected from which the company can further demon- learn more about Kaspersky’s engi- unauthorized changes by strong secu- strate that it addresses any security neering and data processing practic- rity controls. issues promptly and thoroughly. The fol- es. In early 2021, our North American lowing measures within the initiative have Transparency Center will open in New 5. In February 2020, Kaspersky achieved already been undertaken: Brunswick, Canada in partnership with ISO/IEC 27001:2013 certification; the CyberNB Association. international standard outlining best 1. We announced that we were adapting practices for information security our infrastructure to move a number 3. We strengthened our Vulnerability management systems. Issued by TÜV of core processes from Russia to Swit- Management Program by increasing AUSTRIA, the certification confirms that zerland. This includes customer detec- rewards to up to $100k for our Bug the company’s data security systems, tion data storage and processing for a Bounty Program and publishing Ethical including Kaspersky Security Network, number of regions. In November 2018, Principles for Responsible Vulnerability meet industry best practices. we started relocation of data process- Disclosure. The company also sup- ing for European customers. As the ports the Disclose.io framework which 6. We launched Cyber Capacity Building next step, the company is moving provides Safe Harbor for vulnerability Program – a dedicated training on prod- data from customers from the United researchers concerned about possible uct security evaluation which is aimed States and Canada. negative legal consequences of their at government organizations, academia discoveries. and companies to help them develop mechanisms and skills for security as- sessments of ICT products they use.

4 Kaspersky moved core infrastructure to Switzerland and opens Transparency Centers

Customer data storage Transparency Independent and processing Centers review Malicious and suspicious files received from A facility for trusted partners and Third-party assessment of internal processes users of Kaspersky products in Europe, government stakeholders to review to verify the integrity of Kaspersky solutions the United States, Canada and several the company’s code, software and processes. countries in Asia-Pacific region* are updates and threat detection rules, In 2019 Kaspersky has achieved the SOC 2 Type 1 processed and stored on Swiss servers. along with other activities. report in accordance with the SSAE 18 standard (Security criteria) issued by one of the Big Four accounting firms.

Madrid, Spain Transparency Center

Zurich, Switzerland Kuala Lumpur, Transparency Center Malaysia Data centers Transparency Center Bug bounty program New Brunswick, Aimed to make Kaspersky more secure, Canada it encourages independent security researchers Transparency Center to supplement the company’s own work (to be open in 2021) in vulnerability detection and mitigation. São Paulo, Brazil Transparency Center The company also supports the Disclose.io framework which provides Safe Harbor for vulnerability researchers concerned about possible negative legal consequences of their discoveries.

*Australia, New Zealand, Japan, Bangladesh, Brunei, Cambodia, India, Indonesia, South Korea, Laos, Malaysia, Nepal, Pakistan, Philippines, Singapore, Sri Lanka, Thailand, and Vietnam. 5 Kaspersky’s principles of fighting cyberthreats

Kaspersky is determined to detect and The following list of threats, as reported neutralize all forms of malicious programs, by Kaspersky’s GReAT team, shows the regardless of their origin or purpose. different languages used in each threat: It does not matter which language the threat “speaks”: Russian, Chinese, Spanish, • Russian language: Moonlight Maze, German, or English. The company’s RedOctober, CloudAtlas, Miniduke, experts have published at least 17 reports CosmicDuke, Epic Turla, Penquin about APT attacks with Russian-language Turla, Turla, Black Energy, Agent.BTZ, included in the code. Teamspy, Sofacy (aka Fancy Bear, APT28), CozyDuke • English language: Regin, Equation,

Q Duqu 2.0, Lamberts, ProjectSauron DU U ” • Chinese language: The great thing about the fast- IceFog, SabPub, Nettraveler, Spring paced technological developments DU2.Q0U Dragon, Blue Termite is how they connect so many • Spanish language: Careto/Mask, OJEC people around the world. However, PR T El Machete • Korean language: Darkhotel, Kimsuky, as our connectivity grows, PET EX R Lazarus so do the number of attacks. S AURON LURK • French language: Animal Farm Kaspersky security experts use

• Arabic language: Desert Falcons, all their knowledge, experience Stonedrill and Shamoon and intelligence to prevent threat L ADOW AZARUS SH One of Kaspersky’s most important actors from taking advantage FAC SO Y assets in fighting cybercrime is the of our constantly growing

PAD GReAT, comprising top security connectivity and technological researchers from all over the world – progress around the world. Europe, Russia, the Americas, Asia, and the Middle East. Costin Raiu, Head of GReAT

6 Advanced Persistent Threat Landscape in 2019

According to Kaspersky’s GReAT team, in 2019 the top targets for APTs were governments, and the most significant threat actor was Lazarus.

Top 10 targets: Top 12 targeted countries:

Government Saudi IranFrance Germany Russia China Diplomatic Arabia Energy Military Telecommunications Financial institutions Banks Educational South Korea Defense Crypto currency business Vietnam

Top 10 significant threat actors: Malaysia 1 Lazarus 6 Lamberts India 2 Barium 7 APT10 3 Turla 8 OrigamiElephant 4 BlueNoroff 9 OilRig Kazakhstan 5 Zebrocy 10 HoneyMyte Afghanistan

7 8 Principles for the processing of user data

Kaspersky’s approach to processing TÜV AUSTRIA has certified that Kaspersky user data is based on respecting and applies a management system in line with What is the Kaspersky protecting people’s privacy, as well the ISO/IEC 27001:2013 standard in the Security Network? as commitment to the transparency delivery of malicious and suspicious files and accountability. The data that is using Kaspersky Security Network (KSN) Kaspersky Security Network processed is crucial for identifying infrastructure, as well as safe storage (KSN) is one of Kaspersky’s main new and as yet unknown threats and and access to these files in the company’s cloud systems that was created offering better protection products to data-centers in Zurich, Switzerland; to maximize the effectiveness users. Analyzing big data from millions Frankfurt, Germany; Toronto, Canada of discovering new and unknown of devices to strengthen protection and Moscow, Russia. cyberthreats and thereby capabilities is an industry best ensure the quickest and most practice that is applied by IT security effective protection for users. vendors around the world. It is a must KSN is an advanced cloud- for securing users’ digital lives from based system that automatically cyberthreats. processes cyberthreat-related AUST R IA data received from millions of Users of Kaspersky products can devices owned by Kaspersky always choose how much data they CERTIFIED users across the world, who ISO/IEC 27001 provide, based on the product or Certificate No. TAD ISMS 19924 have voluntarily opted to use service used and the respective TÜV AUSTRIA CERT GMBH this system. This cloud-based agreements accepted. All data approach is now the industry processed and/or transferred is standard, applied by many global robustly secured through encryption, IT security vendors. digital certificates, segregated storage, strict data access policies and by other methods.

9 Kaspersky’s role in the global IT security community

Kaspersky participates in joint operations and cyberthreat investigations with the global IT security community, international organizations such as INTERPOL, law enforcement agencies and CERTs worldwide.

• We cooperate with INTERPOL, • We are a member of the Industrial • We have been at the forefront of Europol, law enforcement agencies Internet Consortium that helps protecting victims of stalkerware – and CERTs worldwide in the joint organizations more easily connect and a type of a commercial spyware fight against cybercrime and optimize assets and operations to drive deemed to be legal, but which may provide the organization with human agility across all industrial sectors. lead to domestic abuse as it can resources support, training, and be used to secretly monitor and threat intelligence data on the latest • We launched the No More Ransom track a partner’s device activity. cybercriminal activities. initiative in July 2016 jointly with the The company is the first in the Dutch National Police, Europol and Intel industry to have updated its product • We host the annual Kaspersky Security Security. The non-commercial initiative with a special Privacy Alert. Analyst Summit which brings together united public and private organizations the world’s foremost IT security experts. aims to inform people of the dangers Also, Kaspersky teamed up with other of ransomware, and helps them IT Security companies and advocacy • We are a part of the Securing Smart to recover their data without having organizations working with victims of Cities not-for-profit global initiative to pay criminals. domestic violence to launch a global that aims to solve the existing and initiative called the Coalition Against future cybersecurity problems of Stalkerware. smart cities.

10 Cooperation with law Legislation of the Russian enforcement agencies Federation Are we a Russian company? Officially, culturally and strategically As a private company, we have no As a responsible company, Kaspersky we are a global cybersecurity inappropriate ties to any government complies with the laws of all the countries company even though our but are proud to collaborate with the in which it operates and makes every effort geographical roots are Russian. Our authorities of many countries, as well to ensure user data is safe. Kaspersky is not holding company is registered in the as international law enforcement subject to Russia’s System of Operative- UK, we have over 4,000 employees agencies, and commercial and public Investigative Measures (SORM) and other in more than 30 countries, our R&D entities in fighting cybercrime. similar laws, since the company doesn’t and security experts are based on We work with local authorities in provide communication services. four continents, and over 80% of the best interests of international our revenue comes from outside of cybersecurity, providing technical This was confirmed as a result of a voluntary Russia. This further demonstrates consultations or expert analysis of third-party legal assessment of Russian that working inappropriately malicious programs, in compliance with legislation related to data-processing. with any government would be court orders or during investigations – Conducted by prominent Russian and detrimental to the company’s all in accordance with industry international law expert, Dr. Kaj Hober, bottom line, as we would then risk standards. Professor of International Investment and the largest sector of our business. Trade Law at Uppsala University in Sweden, the analysis covers three Russian laws related to data processing and storage. The results are freely available online and provide an unbiased and fair legal assessment.

11 Proven. Transparent. Independent.