Kaspersky Transparency Principles

1. Whatyou should knowabout Kaspersky

2. 3 Building a safer world Technology now connects us across platforms and borders like never before. As the world has become more digitized and globalized, we at Kaspersky have become a technology leader with an advanced and comprehensive portfolio of security solutions and services, including innovative products and tech- nologies, cloud services and world-leading threat intelligence. Our mission is to build a safer world, and it emphasizes our commitment to a trusted and transparent future. We believe in a tomorrow where technology improves all of our lives. Which is why we secure it, so everyone everywhere benefits from the endless opportunities it brings. In the modern world, cybersecurity is about more than just protecting devices, but about developing an ecosystem where everything connected through technology is protected. That’s why we have moved beyond the anti-virus laboratory to provide cybersecurity technology that people can trust, and our business focus has evolved towards the wider concept of “cyber-immunity”. Our mission is simple – building a safer world. And in fulfilling that mission we aim to become the global leader in cybersecurity – by securing technology to make sure that the possibilities it brings become opportunities for each and every one of us. Bring on endless possibilities. Bring on a safer tomorrow. ” Eugene Kaspersky, CEO

3. 4 About Kaspersky We are one of the world’s largest privately-owned cybersecurity companies that has been operating in the market for over 22 years. Our deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. We operate in 200 countries and territories and have 34 offices in 30 countries. We pride ourselves on developing world- leading security that keeps us, and over 400 million users across the globe, and 270,000 corporate clients, protected by our technology Over 4,000 highly qualified specialists work for Kaspersky.

4. 5 Proven Kaspersky routinely scores the highest marks in independent ratings and surveys. • Measured alongside more than 100 other well-known vendors in the industry • 73 first places in 88 tests in 2018 • Top 3 ranking* in 88% of all product tests • For the second time in a row, Kaspersky was recognized as a Gartner Peer Insights Customers’ Choice for Endpoint Protection Platforms in 2018** Transparent We are totally transparent and will make it even easier to understand what we do via our Global Transparency Initiative: • Independent review of the company’s source code, software updates and threat detection rules. • Independent review of internal processes to verify the integrity of our solutions and processes. • Relocation to Switzerland of data storage and processing for customers in Europe (with other countries to follow). • The opening of three transparency centers globally by 2020. • Increased bug bounty rewards up to $100,000 per discovered vulnerability in Kaspersky products. Independent As a private company, we are independent from short term business considerations and institutional influence. We share our expertise, knowledge and technical findings with the world’s security community, IT security vendors, international organizations, and law enforcement agencies. Our research team is spread across the world and includes some of the most renowned security experts in the world. We detect and neutralize all forms of Advanced Persistent Threats (APT), regardless of their origin or purpose. Our Global Research and Analysis Team (GReAT) has been actively involved in the discovery and disclosure of some of the most prominent malware attacks with links to governments and state organizations. * https://www.kaspersky.com/top3 ** Kaspersky has been named a September 2017 and November 2018 Customers’ Choice for Endpoint Protection Platforms. Gartner Peer Insights Customers’ Choice constitute the subjective opinions of individual end-user reviews, ratings, and data applied against a documented methodology; they neither represent the views of, nor constitute an endorsement by, Gartner or its affiliates. https://www.gartner.com/reviews/customers- choice/endpoint-protection-platforms

5. 6 In 2017, we launched the Global Trans- parency Initiative aimed at engaging the broader information security community and other stakeholders in validating and verifying the trustworthiness of Kasper- sky products, internal processes, and business operations. It also introduces additional accountability mechanisms by which the company can further demon- strate that it addresses any security is- sues promptly and thoroughly. The following measures within the initiative have already been undertaken: 1. We announced that we were adapting our infrastructure to move a number of core processes from Russia to Switzerland. This includes customer detection data storage and processing for a number of regions. In November 2018, we started relocation of data processing for European customers. 2. We opened Transparency Centers in Zurich, Switzerland and in Madrid, Spain. These are dedicated facilities to review the company’s code, software updates, threat detection rules and other technical and business processes. The Spanish center also serves as a briefing center to learn more about Kaspersky’s engineering and data processing practices. In August 2019, we announced the upcoming opening of the third Transparency Center in Malaysia, for the APAC region. 3. We extended our Bug Bounty Program to include rewards of up to $100,000 for the discovery and coordinated disclosure of severe vulnerabilities, to supplement our vulnerability detection and mitigation efforts. The company also supports the Disclose.io frame- work which provides Safe Harbor for vulnerability researchers concerned about possible negative legal conse- quences of their discoveries. 4. We successfully completed the Service Organization Control for Service Organ- izations (SOC 2) Type 1 audit undertaken by one of the Big Four accounting firms. It confirmed that the development and release of Kaspersky’s threat detection rules databases (AV databases) are protected from unauthorized changes by strong security controls. Our Global Transparency Initiative Trust and transparency are becoming fundamental to the success of tech companies. We’re proud to be the trendsetter in this transformation, and as a technology company, we‘re focused on ensuring the very best IT infrastructure for the security of our products and data. Trust needs to be reestablished in relationships among companies, governments and people, and our Global Transparency Initiative is a significant step toward this. Anton Shingarev, Vice President for Public Affairs ”

6. Switzerland For Europe, with the U.S., Canada, Singapore, Australia, Japan and South Korea, as well as other countries, to follow later For compiling software before distribution to customers worldwide A facility to review the company’s code, software updates and threat detection rules opened for trusted partners and government stakeholders. In 2019 the company also opened a Transparency Center in Madrid, Spain and announced the opening of the third Transparency Center in Malaysia. Independent supervision and review Customer data storage and processing Software assembly Transparency Center Long and famous history of neutrality Robust approach to data protection legislation Proven. Transparent. Independent. 7 KasperskymovescoreinfrastructuretoSwitzerland and opens Transparency Centers

7. 8 Kaspersky is determined to detect and neutralize all forms of malicious programs, regardless of their origin or purpose. It does not matter which language the threat “speaks”: Russian, Chinese, Spanish, German, or English. The company’s experts have published at least 17 reports about APT attacks with Russian-language included in the code. Kaspersky’s principles of fighting cyberthreats The following list of threats, as reported by Kaspersky’s GReAT team, shows the different languages used in each threat: • Russian language: Moonlight Maze, RedOctober, CloudAtlas, Miniduke, CosmicDuke, Epic Turla, Penquin Turla, Turla, Black Energy, Agent.BTZ, Teamspy, Sofacy (aka Fancy Bear, APT28), CozyDuke • English language: Regin, Equation, Duqu 2.0, Lamberts, ProjectSauron • Chinese language: IceFog, SabPub, Nettraveler, Spring Dragon, Blue Termite • Spanish language: Careto/Mask, El Machete • Korean language: Darkhotel, Kimsuky, Lazarus • French language: Animal Farm • Arabic language: Desert Falcons, Stonedrill and Shamoon One of Kaspersky’s most important assets in fighting cybercrime is the GReAT, comprising top security researchers from all over the world – Europe, Russia, the Americas, Asia, and the Middle East. The great thing about the fast- paced technological developments is how they connect so many people around the world. However, as our connectivity grows, so do the number of attacks. Kaspersky security experts use all their knowledge, experience and intelligence to prevent threat actors from taking advantage of our constantly growing connectivity and technological progress around the world. Costin Raiu, Head of GReAT ” SOFACY PROJECT SAURON DUQU2.0 DUQU LURK LAZARUS SHADOW PAD EXPETR

8. 9 According to Kaspersky’s GReAT team, in 2018 the top targets for APTs were governments; and the most significant threat actor was Sofacy. Advanced Persistent Threat Landscape in 2018 Government Diplomatic Energy Military Telecommunications Financial institutions IT companies Military contractors Political parties NGOs Sofacy Turla Lazarus DarkHotel LuckyMouse Top 10 targets: Top 10 targeted countries: Top 10 significant threat actors: ScarCruft APT10 StrongPity SandCat OceanLotus 1 2 3 4 5 8 9 10 7 6 ChinaRussiaSaudi Arabia Mongolia South Korea Iran Germany India Malaysia Kazakhstan

10. 11 What is the Kaspersky Security Network? Kaspersky Security Network (KSN) is one of Kaspersky’s main cloud systems that was created to maximize the effectiveness of discovering new and unknown cyberthreats and thereby ensure the quickest and most effective protection for users. KSN is an advanced cloud-based system that automatically processes cyberthreat-related data received from millions of devices owned by Kaspersky users across the world, who have voluntarily opted to use this system. This cloud-based approach is now the industry standard, applied by many global IT security vendors. How do you anonymize the data you process? Kaspersky takes user privacy extremely seriously. The company implements the following measures to anonymize obtained data: • The information is used in the form of aggregated statistics; • Logins and passwords are filtered out from transmitted URLs, even if they are stored in the initial browser request from the user; • When we process possible threat data, by default we do not use the suspicious file. Instead we use hash-sum, which is a one-way math function that provides a unique file identifier; • Where possible, we obscure IP addresses and device information from the data received; • The data is stored on separated servers with strict policies regarding access rights, and all the information transferred between the user and the cloud is securely encrypted. Principles for the processing of user data Respecting and protecting people’s privacy is a fundamental principle of Kaspersky’s approach to processing users’ data. The data that is processed is crucial for identifying new and as yet unknown threats and offering better protection products to users. Analyzing big data from millions of devices to strengthen protection capabilities is an industry best practice that is applied by IT security vendors around the world. It is a must for securing users’ digital lives from cyberthreats. Users of Kaspersky products can always choose how much data they provide, based on the product or service used and the respective agreements accepted. All data processed and/or transferred is robustly secured through encryption, digital certificates, segregated storage, strict data access policies and by other methods.

11. 12 Kaspersky’s role in the global IT security community Kaspersky participates in joint operations and cyberthreat investigations with the global IT security community, international organizations such as INTERPOL, law enforcement agencies and CERTs worldwide. • We cooperate with INTERPOL in the joint fight against cybercrime and provide the organization with human resources support, training, and threat intelligence data on the latest cybercriminal activities. • We host the annual Kaspersky Security Analyst Summit which brings together the world’s foremost IT security experts. • We are a part of the Securing Smart Cities not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities. • We are a member of the Industrial Internet Consortium that helps organizations more easily connect and optimize assets and operations to drive agility across all industrial sectors. • We launched the No More Ransom initiative in July 2016 jointly with the Dutch National Police, Europol and Intel Security. The non-commercial initiative united public and private organizations aims to inform people of the dangers of ransomware, and helps them to recover their data without having to pay criminals. • We have been at the forefront of protecting victims of stalkerware – a type of a commercial spyware deemed to be legal, but which may lead to domestic abuse as it can be used to secretly monitor and track a partner’s device activity. The company is the first in the industry to have updated its product with a special Privacy Alert. Furthermore, the company cooperates with Electronic Frontier Foundation.

12. 13 Are we a Russian company? Officially, culturally and strategically we are a global cybersecurity company even though our geographical roots are Russian. Our holding company is registered in the UK, we have over 4,000 employees in more than 30 countries, our RD and security experts are based on four continents, and over 80% of our revenue comes from outside of Russia. This further demonstrates that working inappropriately with any government would be detrimental to the company’s bottom line, as we would then risk the largest sector of our business. As a private company, we have no inappropriate ties to any government but are proud to collaborate with the authorities of many countries, as well as international law enforcement agencies, and commercial and public entities in fighting cybercrime. We work with local authorities in the best interests of international cybersecurity, providing technical consultations or expert analysis of malicious programs, in compliance with court orders or during investigations – all in accordance with industry standards. Cooperation with law enforcement agencies Legislation of the Russian Federation As a responsible company, Kaspersky complies with the laws of all the countries in which it operates and makes every effort to ensure user data is safe. Kaspersky is not subject to Russia’s System of Operative- Investigative Measures (SORM) and other similar laws, since the company doesn’t provide communication services. This was confirmed as a result of a voluntary third-party legal assessment of Russian legislation related to data-processing. Conducted by prominent Russian and international law expert, Dr. Kaj Hober, Professor of International Investment and Trade Law at Uppsala University in Sweden, the analysis covers three Russian laws related to data processing and storage. The results are freely available online and provide an unbiased and fair legal assessment.

13. Proven. Transparent. Independent. 14