NCC Group plc annual report and accounts for the year ended…

Cyber Security Committee report

The Cyber Security Committee’s objectives and responsibilities

The Cyber Security Committee is responsible for assessing the performance of the Group’s internal security and defences and as such its duties are to:

• Oversee and advise the Board on the current cyber risk exposure of the Group and future cyber risk strategy
• Review at least annually the Group’s Cyber Security breach response and crisis management plan
• Review reports on any Cyber Security incidents and the adequacy of resulting actions
• Receive and consider the regular update reports from the DIS and GC and ensure the DIS and GC are given the right of direct access to the Committee
• Consider and recommend actions in respect of all cyber and data protection risk issues escalated to it
• Keep under review the effectiveness of the Group’s controls, services and products to analyse potential vulnerabilities that could be exploited
• Regularly assess what the Group’s most valuable intangible assets are and the most sensitive Group and customer information and assess whether the controls in place sufficiently protect those assets and information
• Review the Group’s ability to identify and manage new cyber risks
• Assess the adequacy of resources and funding for data protection and Cyber Security defence and control activities
• Regularly review the cyber and data protection risk posed by third parties including outsourced IT and other partners
• Oversee Cyber Security and data protection due diligence undertaken as part of an acquisition and advise the Board of the risk exposure
• Annually assess the adequacy of the Group’s cyber insurance cover

The Committee’s terms of reference can be found in the Investor Relations section of the Company’s website. The terms of reference are reviewed annually and updated when necessary.

Julie Chakraverty Chair, Cyber Security Committee

The Cyber Security Committee was formed to focus specifically on the cyber and data protection risks faced by the Group. This reflects the significant threat posed by cyber risks, the nature of our business and the potential damage to the business as a high value target for malicious acts. The Committee’s activities aim to challenge and support improvements to the Group’s information security and data protection policies, defences and controls, so as to comply with global data protection regulations around the world, and ensure that the Group looks after its own information, and the information that its customers entrust to it, with the proper care and attention.

The Committee was formed in November 2016 and I have been Chair since July 2022. Jennifer Duvalier and Lynn Fordham (both Independent Non-Executive Directors) served as members of the Committee throughout the year. Chris Stone (Company Chair) is also a member of the Committee. The Group’s SVP, Global Governance, Estates and Procurement, the Director of Internal Security (DIS), and the Group General Counsel (also Head of Data Governance) (GC) are standing invitees of the Committee. The Executive Directors are invited to attend Committee meetings when the Committee considers it to be appropriate, as are the Data Protection and Governance Officers.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025
