Our Board formed a Cyber Security Committee in 2016 to focus specifically on the cyber risks faced by the Group. This reflects the significant threat posed by cyber risks, the nature of our business, and the potential damage to the business as a high-value target for malicious acts.
The Committee aims to challenge and support improvements to the Group’s information security and data protection policies, defences, and controls. This ensures compliance with data protection regulations around the world and commits the Group to maintaining, with the proper care and attention, the security of its own information and of the information that its customers entrust to it.
Penetration testing and vulnerability scanning
We conduct monthly external and quarterly internal vulnerability assessment scans, which, as well as looking for vulnerabilities, also test the capabilities of our software-patching regime. We also conduct quarterly penetration tests against our systems.
Managed detection and response
Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS) are deployed on the network perimeter, analysing all inbound and outbound traffic, with rules reviewed regularly.
Our firewalls employ IPS: traffic is logged and monitored, and the firewalls are configured for static analysis, dropping packets where relevant and alerting the Information Security team. Additional layers include a sensor array positioned within the firewall that analyses all decrypted traffic and generates signature-based alerts. All of this is monitored 24/7 by our own Security Operations Centre (SOC). The alerts generated are governed by strict service-level agreements, ensuring rapid response to and triage of the incident by our IT Security team.
IPS is deployed on all endpoints in the form of anti-virus and an application control system, which is managed centrally to enable fine-grained control across all endpoints.
Data protection
Our Data Privacy Policy forms part of a larger data protection program of policies, processes, procedures, and controls designed to meet the requirements of GDPR, the CCPA, and other applicable data privacy legislation. This includes standard induction and annual refresher training, dedicated training for high-risk roles, and dedicated policies and procedures, which form part of our Information Security Management System.
There are dedicated procedures for identifying and reporting data breaches, responding to data subject rights, and conducting Data Protection Impact Assessments. We also have a series of incident and breach management processes in place that cover the identification, containment, and remediation of any potential security incident or potential data breach. These also ensure that any notification requirements are identified and integrated into our processes.
An inter-Group transfer agreement is in place to support our global operations. Depending on the specific client engagements we are undertaking, a statement of work may include a requirement to collaborate with other parts of the Group.
Where such collaborations involve international data transfers, we work with clients to ensure our contractual agreements meet the transfer requirements of all applicable data protection legislation.