Cybersecurity
A comprehensive Information Security Management System (ISMS), based on the ISO/IEC 27001 standard, guides our actions to identify, prevent, and mitigate cybersecurity risks, and to report and remediate incidents effectively. IAZI follows the Service Organization Control Type 2 (SOC 2) framework, a cybersecurity compliance framework for organisations handling sensitive customer data. In 2024, IAZI’s SOC 2/Type II certification was successfully renewed following an external audit.
Our risk management approach
We apply an adaptive approach to risk management, evaluating the severity of risks to our users, assets, and platforms and acting accordingly. Risks can broadly be categorised into two types:
- Operations-related risks that could affect our services, such as botnets, spammers, ransomware, and malware attacks; and
- Platform-related risks that could impact our customers, such as disingenuous sellers, unauthorised account takeovers, and phishing scams.
To ensure a comprehensive view of our security posture and shape future actions to maintain an adaptive and resilient system, we conduct multiple risk assessments from different perspectives. The results provide a more holistic understanding of the threats we face and serve as the foundation for setting internal, quantifiable targets that drive ongoing improvement.
Our cybersecurity policy landscape
The SMG Security Policy is the main reference point for all security-related matters across SMG, encompassing physical security, cybersecurity, and information and data security. It details the organisational structure, responsibilities, methodologies, frameworks, and core principles that govern security at SMG. It applies to all SMG employees and to third parties, such as contractors, who have access to or interact with SMG’s infrastructure, systems, services, or premises.
Related policies and directives include the SMG Workplace Security Guideline, the SMG Vulnerability Management Guideline, the SMG Incident Management Guideline, and the SMG Crisis Management Guideline, among others. All directives are reviewed at least annually to ensure they incorporate developments in the digital landscape and remain aligned with SMG’s strategic goals.
Leveraging cutting-edge solutions to prevent and mitigate security risks
We utilise firewalls as a first line of defence, data-enriched intelligence tools that detect suspicious activity on our platforms, and fraud detection and prevention mechanisms to safeguard our systems.
To prevent phishing attacks and account takeovers, we implement a range of security measures for account access and creation, tailored to a risk score. In 2024, we introduced a state-of-the-art adaptive Multi-Factor Authentication (MFA) system designed to significantly enhance account security for our users. This advanced authentication system enables our customers to sign in to our websites and apps securely and conveniently. It includes smart push notifications and passwordless login where possible, adding an extra layer of protection against phishing. Moving forward, we aim to continue to refine and enhance this implementation, increase user awareness, and accelerate adoption across our user base.
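To illustrate what a risk-scored, adaptive step-up decision of the kind described above looks like in practice, here is an added example; it is not SMG's code, and the signals, weights, and thresholds are hypothetical choices made for this illustration. The function turns sign-in context signals into a bounded score and maps it to an authentication requirement, treating a phishing-resistant passkey as already satisfying the medium-risk tier.

```python
"""Added example (not SMG's code): risk-scored step-up authentication.

All signals, weights and thresholds below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class StepUp(Enum):
    NONE = "allow"                 # low risk: the primary factor suffices
    PUSH = "push_notification"     # medium risk: confirm via app push
    STRONG = "strong_factor"       # high risk: phishing-resistant factor required
    BLOCK = "block"                # very high risk: deny the attempt and alert


@dataclass
class SignInContext:
    """Signals available at sign-in time (hypothetical field set)."""
    known_device: bool
    country: str
    usual_countries: set[str]
    failed_attempts_last_hour: int
    ip_on_denylist: bool
    impossible_travel: bool
    passkey_used: bool = False


# Constructed weights; a real deployment would tune these from observed data.
WEIGHTS = {
    "unknown_device": 20,
    "unusual_country": 25,
    "failed_attempt": 5,       # per failed attempt, capped at six attempts
    "ip_denylist": 50,
    "impossible_travel": 40,
}
MAX_COUNTED_FAILURES = 6


def risk_score(ctx: SignInContext) -> int:
    """Sum the weighted signals and clamp the result to 0..100."""
    score = 0
    if not ctx.known_device:
        score += WEIGHTS["unknown_device"]
    if ctx.country not in ctx.usual_countries:
        score += WEIGHTS["unusual_country"]
    score += WEIGHTS["failed_attempt"] * min(ctx.failed_attempts_last_hour, MAX_COUNTED_FAILURES)
    if ctx.ip_on_denylist:
        score += WEIGHTS["ip_denylist"]
    if ctx.impossible_travel:
        score += WEIGHTS["impossible_travel"]
    return min(score, 100)


def decide(ctx: SignInContext) -> StepUp:
    """Map the risk score to the authentication requirement for this sign-in."""
    score = risk_score(ctx)
    if score >= 80:
        return StepUp.BLOCK
    if score >= 40:
        return StepUp.STRONG
    if score >= 20:
        # A passkey is already phishing-resistant, so no extra push is needed.
        return StepUp.NONE if ctx.passkey_used else StepUp.PUSH
    return StepUp.NONE


if __name__ == "__main__":
    # Constructed sample: unknown device from a usual country, no other signals.
    ctx = SignInContext(known_device=False, country="CH", usual_countries={"CH"},
                        failed_attempts_last_hour=0, ip_on_denylist=False,
                        impossible_travel=False)
    print(risk_score(ctx), decide(ctx).value)
```

Capping the per-attempt contribution keeps a burst of failures from dominating the score on its own, while denylisted sources or impossible travel push the score straight into the strong-factor or block tiers regardless of the other signals.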
Since its launch in 2023, we have continued to promote and support the adoption of MoneyGuard, a payment feature on Ricardo that provides secure, fast, and flexible transactions for buyers and sellers on the platform. MoneyGuard enables sellers to offer additional payment methods such as TWINT and credit cards, ensuring transactions are processed securely without the need to share sensitive bank details. Payments are held until buyers receive and verify their items, enabling smooth and trustworthy transactions for all parties involved.
These innovations are core to our risk-based security strategy, furthering our goal to be leaders in adaptive security.
In parallel, we are improving our financial infrastructure, most notably through the rollout of our billing engine, enabling consistent enforcement of 3D Secure and transaction-level reconciliation. These enhancements improve traceability, reduce fraud risk, and lay the foundation for greater standardisation across platforms.
Empowering our employees as a crucial line of defence
Security is a company-wide endeavour at SMG. All employees undertake mandatory basic cybersecurity training upon joining the company. Additionally, we have implemented an automated, hands-on platform to enhance awareness and continuously strengthen our employees’ defences against phishing. We also encourage further engagement with the topic through training resources on our e-learning platform. Regular internal awareness communications are maintained throughout the year, along with a dedicated programme during Cybersecurity Month.
Cybersecurity Month: Driving awareness and engagement
Every October, we dedicate an entire month to intensifying focus, learning, and engagement around cybersecurity. Our internal programme features expert talks, crisis simulations, and competitions designed to address the challenges of this rapidly evolving space. A yearly highlight is our lockpicking session, which provides a hands-on demonstration of physical security vulnerabilities, reinforcing the importance of both digital and real-world security measures.
Training sessions equip employees with the skills needed to counter cyber threats, while live simulations give employees an insight into their own handling of high-pressure situations. These activities empower our teams to better understand cybersecurity challenges and their critical role as SMG’s first line of defence.
Externally, we reinforce our commitment to digital safety throughout the month by sharing insights, practical tips, and best practices via our blog and social media channels, helping customers protect themselves in the wider digital landscape. Topics include phishing, account takeovers, and fraud.
These activities play a vital role in raising awareness of vulnerabilities and best practices, inspiring action, and offering collaboration opportunities for employees, partners, and customers. By driving awareness both within and beyond our organisation, SMG contributes to building a more secure digital environment for all.
Monitoring and testing
We employ a comprehensive range of measures to monitor and continuously improve our systems, including penetration tests, third-party security audits, application testing, logging, and ongoing monitoring.
In addition to automated security testing, we leverage crowdsourcing through Bug Bounty programmes and actively encourage internal and external parties, such as security researchers, industry partners, vendors, customers, and consultants, to report potential vulnerabilities as part of our Vulnerability Disclosure Program (VDP). This collaborative approach allows stakeholders to scrutinise our applications, identify vulnerabilities, and strengthen our security posture through continuous feedback and improvement.
We regularly evaluate our security assurance through internal evaluation frameworks and Key Performance Indicators (KPIs) to ensure that risk treatment is appropriate and policies and directives are enforced. In 2024, we performed security tests and third-party audits on every platform, further strengthening their maturity and resilience.