NCC Group plc annual report and accounts for the year ended…

Cyber Security Committee report continued

Committee effectiveness

For the reasons described in the Chair’s Introduction to Governance, no Board or Committee evaluation was carried out during the year. During the year the Committee, along with the Board, reaffirmed that Cyber Security and data protection are sufficiently important risks for the business and that the Committee should remain focused on this specific set of risks. Therefore, the current structure in which the responsibility for broader risk management remains with the Audit Committee will continue.

Committee activities during the year

The continuing focus, in terms of Cyber Security, was ensuring the risks to the Group remained well documented and the types of threats and attacks were well understood, building on a risk analysis which was performed during the year before to ensure cyber risks map to the enterprise risk architecture, and the work of the Global Technical Services (GTS) security team was tailored to the highest value areas.

Training has been a critical area once again this year, with an increased emphasis on identifying phishing emails as this is an attack vector that is frequently observed. All colleagues now partake in monthly phishing exercises that cycle through difficulty levels to target different attacker sophistication, with educational assistance sent out post-exercise to help identify suspicious elements of an email that may indicate a phishing attack. Board training and updates on developments within Cyber Security are also provided regularly.

Turning to data protection, the regulatory landscape is continually evolving – this past year saw regulatory updates including the Data (Use and Access) Act 2025 (UK), the phased implementation of certain aspects of the European Union Artificial Intelligence Act (EU AI Act), and changes to Australia’s Privacy Act coming into effect, to name a few. The data protection and governance team, along with colleagues in the Group legal team, is working closely to stay abreast of such changes and support the business accordingly. The team has also continued to receive a number of Data Subject Rights Requests as individuals become more aware of their rights under GDPR.

Noteworthy highlights since our previous report include:

• All Rights Requests received this year have been fulfilled within legally compliant time periods.
• Considerable work has gone into our public facing policies and notices. The transparency of information provided to the public and colleagues has significantly improved in line with best practice. This includes the candidate notice (which is available in English, Spanish and, in the coming weeks, Dutch) and sub-processor and third party processor information, amongst others.
• The project to transfer our Records of Processing Activities into a unified system nears completion.

Following last year’s work on the standard terms and conditions, further work has been done to strengthen the Group’s data protection position in client contracts through updates to the data processing agreements. Additionally, appendices have been drafted for each service line. This provides clarity to clients and ensures a tailored and commercial approach.

Committee meetings

During this financial year, although the Committee only met once, meetings were held in September 2024 and October 2025 in the weeks just preceding and following the financial year. The attendance of individual Committee members at the Cyber Security Committee meetings is shown in the table on page 65.

Julie Chakraverty
Chair, Cyber Security Committee
11 December 2025

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 80
