NCC Group plc Annual Report 2021

Cyber Security Committee report

Maintaining and improving the Group’s resilience to cyber-attack as the threat landscape changes

Through the Committee, the Group continues to review and challenge the data governance and information security risks that affect the Group, particularly in light of the “move to remote” during the Covid-19 pandemic and the changing regulatory landscape post-Brexit and Schrems II.

Chris Stone Committee Chair

2020/21 highlights
• Enhanced SOC coverage and detection capabilities across our network
• Extending our Microsoft Defender for Endpoint rollout; implementation of remote application patching capability
• Development of a Data Protection by Design framework, including new and revised policies, procedures and guidance
• Global risk management framework initial implementation and rollout

2021/22 priorities
• Running more complex cyber exercises to test our response processes
• Implementing a new security awareness platform across NCC Group globally
• Implementing a system to facilitate dynamic maintenance of Records of Processing across the NCC Group business
• Implementing the Data Protection by Design framework across NCC Group globally

The Cyber Security Committee was formed to focus specifically on the cyber risks faced by the Group. This reflects the significant threat posed by cyber risks, the nature of our business, and the potential damage to the business as a high-value target for malicious acts. The Committee’s activities aim to challenge and support improvements to the Group’s information security and data protection policies, defences and controls, so as to comply with data protection regulations around the world, and to ensure that the Group looks after its own information, and the information that its customers entrust to it, with the proper care and attention. The Committee was formed in November 2016 and I have been Chair since January 2018. Chris Batterham, Jonathan Brooks and Jennifer Duvalier (all independent Non-Executive Directors) served as members of the Committee throughout the year. The Group’s Director of Global Governance, the Group’s Chief Information Security Officer (CISO), and the Group’s Chief Data Protection and Governance Officer (CDPGO) are standing invitees of the Committee. The Executive Directors are invited to attend Committee meetings when the Committee considers it to be appropriate.

The Cyber Security Committee’s objectives and responsibilities

The Cyber Security Committee is responsible for assessing the performance of the Group’s internal security and defences, and as such its duties are to:
• Oversee and advise the Board on the current cyber risk exposure of the Group and future cyber risk strategy
• Review at least annually the Group’s cyber security breach response and crisis management plan
• Review reports on any cyber security incidents and the adequacy of resulting actions
