
Leading Cyber Resilience & Data Protection Standards

Our Cyber Security Committee focuses specifically on the cyber risks faced by the Group. This reflects the significant threat posed by cyber risks, the nature of our business and the potential damage to the business, which is a high-value target for malicious acts.

The Committee aims to challenge and support improvements to the Group’s information security and data protection policies, defences and controls. This ensures compliance with data protection regulations in every jurisdiction in which the Group operates, and that the Group looks after its own information, and the information that its customers entrust to it, with the proper care and attention.

Read the Cyber Security Committee’s latest report in our 2024 Annual Report and Accounts on pages 77 and 78.


Penetration testing and vulnerability scanning 

We conduct monthly external and quarterly internal vulnerability assessment scans which, in addition to identifying vulnerabilities, verify that our software patching regime is keeping pace with them. We also conduct regular penetration tests against our systems.

 
Managed Detection and Response 

Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS) are deployed on the network perimeter, analysing all inbound and outbound traffic, with rules reviewed regularly.

Our firewalls employ IPS, with traffic logged and monitored; the firewalls are configured for static analysis of that traffic, dropping packets where relevant and alerting the information security team. An additional layer is a sensor array positioned within the firewall that analyses all traffic after decryption and generates signature-based alerts, which are monitored 24/7 by our own Security Operations Centre (SOC). The alerts generated are governed by strict service-level agreements, ensuring rapid triage of and response to the incident by our own IT security team.

Host-based intrusion prevention is deployed on all endpoints in the form of anti-virus and a centrally managed application control system, enabling fine-grained control across all endpoints.


Data protection

Our Data Privacy Policy forms part of a larger data protection programme of policies, processes, procedures and controls designed to meet the requirements of GDPR, the CCPA and other applicable data privacy legislation. This includes standard induction and annual refresher training, dedicated training for high-risk roles, and specific policies and procedures, which form part of our Information Security Management System.

There are dedicated procedures for identifying and reporting data breaches, responding to data subject access requests (DSARs) and conducting Data Protection Impact Assessments. We also have a series of incident and breach management processes in place that cover the identification, containment and remediation of any potential security incident or data breach. These processes also ensure that any notification requirements are identified and integrated into our response.

An inter-group transfer agreement is in place to support our global operations. Depending on the specific client engagements we are undertaking, a statement of work may include a requirement to collaborate with other parts of the Group. 

Where such collaborations involve international data transfers, we work with clients to ensure our contractual agreements meet the transfer requirements of all applicable data protection legislation.
