Data privacy and cybersecurity
Our stakeholders depend on us to protect the data they entrust us with. As we continue to use innovative technologies to deliver better services and automate and digitize processes to attract clients and team members, strong data privacy and cybersecurity programs are key to our success.
DATA PRIVACY

Our approach
Our comprehensive Privacy Compliance framework establishes the principles of our organization-wide privacy management program to protect the personal information of our clients and comply with applicable legal and regulatory requirements. Our Chief Privacy Officer oversees our privacy management program and is responsible for setting and monitoring the effectiveness of related policies and procedures. The GCR Committee oversees privacy risk management and receives regular reporting as part of its oversight responsibilities.

Incidents involving suspected or actual breaches of privacy are documented and investigated by our Privacy Office. If a privacy breach has occurred, our team follows established procedures to limit its impact, understand the root cause of the incident, ensure that the issue is remediated and take preventative steps to avoid recurrence. Where appropriate, we notify applicable regulators and impacted individuals.

Our privacy management program extends to third-party service providers, and we assess their privacy management practices and controls before providing them with any personal information of our clients. Once satisfied with the service provider’s procedures and safeguards, we provide them only with the personal information required to deliver the contracted services.

Training and awareness
We make privacy a key focus for our team members and take steps to ensure they are aware of the privacy-related regulatory obligations relevant to their role, know how to comply with those obligations, and are accountable for achieving effective compliance. All team members are required to undergo privacy training as part of their onboarding experience, and on an annual basis thereafter. Privacy principles, such as only accessing information for legitimate business purposes, are also embedded in our Code of Conduct, which applies to all our directors, officers and team members.

Refer to our Privacy Statement to learn more about our privacy management practices, including an overview of how we collect, use and disclose personal information, and the choices clients may exercise in this regard.

CYBERSECURITY

Our approach
Our cybersecurity program is a mature practice, influenced by well-recognized industry security frameworks. Our program follows the National Institute of Standards and Technology (NIST) framework and aligns to others, including Control Objectives for Information and Related Technology (COBiT) 5, which supports the development, implementation, enhancement and monitoring of information technology governance and information management, and ISO/IEC 27001, an international standard for managing information security. Responsibility for our cybersecurity risk management program resides with the Chief Information Security Officer, with accountability to the Chief Information Officer. Within our three lines of defence model, our Information Security team is responsible for execution of our cybersecurity risk management program, with second- and third-line oversight provided by the Risk Management and Internal Audit teams. Our Board of Directors provides oversight of our cybersecurity risk management program and receives quarterly reporting on key activities and the ongoing maturation of our program.

Our program is managed by a team of technical and cybersecurity professionals dedicated to proactive identification, containment, and eradication of cybersecurity threats. We have a comprehensive control framework that is continually assessed for effectiveness using well-established threat intelligence and risk management programs. On an annual basis, our cybersecurity control environment is tested by a third-party service provider. The results of all assessments and progress on any remediation activities are shared with our Board.
2022 SUSTAINABILITY REPORT AND PUBLIC ACCOUNTABILITY STATEMENT