We invest in enhancing our cyber security measures so that we not only adapt to new and emerging technologies and cyber threats, but also continue to improve the resilience of our business operations overall.
We respect every person’s privacy and comply with all relevant laws in the collection, use and protection of personal information in connection with our business.
When we work with others who may see or process our data – from business partners to suppliers, to customers – we make clear how important privacy is to us and the standards they must meet to work with us. We only collect and handle personal information when needed, and only for legitimate business purposes.
Cyber security governance
We have identified cyber security as a principal operational risk with potential to impact people, environment, community and operational performance – including our supply chain.
Our Cyber Security Steering Committee (CSSC) is our primary governance body overseeing cyber security. The CSSC, which reports to the Group’s Executive Committee, is responsible for our cyber strategy and provides oversight for Group-wide initiatives.
Cyber security improvement
We invest in our information systems and technology infrastructure and teams to advance our digital agenda while also safeguarding our assets. Key measures include:
- Enhancing key cyber controls, including prevention, detection, response and recovery
- Improving cyber security standards, and enhancing monitoring and compliance
- Improving IT asset management with executive-level sponsorship and oversight from our CSSC
- Implementing new technology solutions to improve cyber threat detection and response for critical assets
- Maturing third-party risk management through contractual inclusions and proactive compliance assessments
- Enhancing business resilience plans for cyber breaches across our critical assets
Cyber security awareness
Maintaining strong cyber security awareness is more important than ever. We have improved our cyber security training and awareness programme. This includes improving the quality of our Group-wide mandatory training to address specific risks, continuous engagement on cyber security topics through various internal channels and forums, targeted campaigns (including on phishing trends and campaigns), executive briefings and tailored support for key business areas.
Strengthening our resilience
Our businesses are required to maintain business resilience management plans to support major incident response and recovery, including cyber security events. We also have a dedicated business resilience management plan for our Information Services and Technology function, which is tested annually.