Through the Committee, the Group continues to maintain an intense focus on cyber security during this year of change as new Group-wide IT systems and ways of working are put in place. We take advantage of the considerable expertise we offer to our customers to ensure that we keep pace with the cyber threat landscape as it evolves.
The Cyber Security Committee was formed to focus specifically on the cyber risks faced by the Group. This reflects the significant threat posed by cyber risks, the nature of our business, and the potential damage to the business as a high value target for malicious acts. The Committee's activities aim to challenge and support improvements to the Group's information security and data protection policies, defences and controls, so as to comply with data protection regulations around the world (including GDPR, the EU's General Data Protection Regulation), and ensure that the Group looks after its own information, and the information that our customers entrust to us, with the proper care and attention.
The Committee was formed in November 2016 and I have chaired the Committee since January 2018.
Chris Batterham, Jonathan Brooks and Jennifer Duvalier (all independent Non-Executive Directors) served as members of the Committee throughout the year.
The Group's Director of Risk and Assurance and the Group's Chief Information Security Officer (CISO) are standing invitees of the Committee. The Executive Directors are invited to attend Committee meetings when the Committee considers it to be appropriate.
The Cyber Security Committee's objectives and responsibilities
The Cyber Security Committee is responsible for assessing the performance of the Group's internal security and defences and as such its duties are to:
- Oversee and advise the Board on the current cyber risk exposure of the Group and future cyber risk strategy.
- Review at least annually the Group's cyber security breach response and crisis management plan.
- Review reports on any cyber security incidents and the adequacy of resulting actions.
- Receive and consider the regular update reports from the CISO.
- Ensure the CISO is given the right of direct access to the Committee.
- Consider and recommend actions in respect of all cyber risk issues escalated by the CISO, Head of IT and the compliance function.
- Keep under review the effectiveness of the Company's controls, services and products to analyse potential vulnerabilities that could be exploited.
- Regularly assess what are the Group's most valuable intangible assets and the most sensitive Group and customer information and assess whether the controls in place sufficiently protect those assets and information.
- Review the Group's ability to identify and manage new cyber risks.
- Assess the adequacy of resources and funding for cyber security defence and control activities.
- Regularly review the cyber risk posed by third parties including outsourced IT and other partners.
- Oversee cyber security due diligence undertaken as part of an acquisition and advise the Board of the risk exposure.
- Annually assess the adequacy of the Group's cyber insurance cover.
The Committee's terms of reference (which were reviewed and updated with some minor amendments during the year) can be found in the Investors section of the Company's website, www.nccgroup.trust/uk/about-us/investor-relations. The terms of reference are reviewed annually and updated when necessary.
During the year, the Cyber Security Committee carried out an internal self-evaluation on its effectiveness, as it continues to mature since its formation in November 2016. The Committee was found to be working effectively and I am satisfied that the degree of rigour and challenge applied in performing the Committee's responsibilities is appropriate, effective and continues to improve.
As an output of both this and previous evaluations, the Committee, along with the Board, reaffirmed that cyber security is a sufficiently important risk for the business that the Committee should remain focused on this specific set of risks. Therefore, the current structure in which the responsibility for broader risk management remains with the Audit Committee will continue.
Committee activities during the year
During the year we recruited a new CISO who joined us in August 2018, replacing the previous CISO who left earlier in 2018.
The Committee assessed the Group's short-term tactical requirements while simultaneously addressing longer-term strategic goals around ensuring the Group's resilience to all levels of cyber attack. A strong focus was on making sure that the Group's adoption of new cloud-based systems as part of the Securing Growth Together programme progressed smoothly, taking into account, and mitigating where appropriate, the different sorts of risk that this kind of deployment brings. This will continue into the next year.
The Group increased its capability to respond to incidents by improving its detective and reactive controls taking full advantage of the expertise within the Group that we offer to our customers. We intend to continue to invest in the Group's infrastructure to ensure that the Group keeps up with the ever evolving cyber threat landscape.
The Committee oversaw the establishment of an Information Security and Data Protection (ISDP) Steering Group, which comprises the CISO and the Data Protection Officer along with a number of Executive Committee members and Managing Directors, ensuring that cyber security matters are discussed at the very highest levels within the Group. The Committee receives regular summary reports from the ISDP Steering Group at Committee meetings.
In terms of our global data protection compliance programme and internal data privacy activities, our approach continues to be proportionate, pragmatic, and risk-based. As the Information Commissioner, Elizabeth Denham, made clear following the arrival of GDPR, this is not the end, but the beginning. The Group continues to make excellent progress.
Noteworthy highlights since our previous report include:
- Raised awareness of the requirements for data protection impact assessments (DPIAs), in particular where new cloud systems are being implemented as part of the Securing Growth Together programme. DPIAs are now completed as a matter of course for significant new systems.
- Growth of the data privacy team in the UK and EU to make sure that the Group continues to have the necessary resource to cover all its data protection obligations. We are also recruiting for a hybrid compliance and privacy role in the US.
- Strengthened data breach reporting procedures for employees and management in case of a data breach involving personal data.
- Implementation of legitimate interest assessments using a bespoke tool.
- Brexit preparation activities to facilitate the continued free flow of data to third countries in the event of a no-deal Brexit.
The Committee reviewed the Company's cyber risk insurance and initiated an external benchmarking exercise to understand the robustness of its performance and risk processes relative to other external organisations. This resulted in a rebalancing of our insurance spend to give greater coverage of cyber-related risks.
Finally, the Committee has also been conducting 'deep dives' into specific aspects of cyber security, prompted by the release last year of the UK National Cyber Security Centre's Board Toolkit guidance material. The Committee will continue this programme of 'deep dives'.
The Committee is required, in accordance with its terms of reference, to meet at least three times per year. During this financial year, the Committee met three times.
The attendance of individual Committee members at the Cyber Security Committee meetings is shown in the table below. Unless otherwise indicated, all Directors held office throughout the year.
Chairman, Cyber Security Committee
24 July 2019