• Receive and consider the regular update reports from the CISO and CDPGO and ensure the CISO and CDPGO are given the right of direct access to the Committee
• Consider and recommend actions in respect of all cyber risk issues escalated to it
• Keep under review the effectiveness of the Group’s controls, services and products to analyse potential vulnerabilities that could be exploited
• Regularly assess what are the Group’s most valuable intangible assets and the most sensitive Group and customer information and assess whether the controls in place sufficiently protect those assets and information
• Review the Group’s ability to identify and manage new cyber risks
• Assess the adequacy of resources and funding for cyber security defence and control activities
• Regularly review the cyber risk posed by third parties including outsourced IT and other partners
• Oversee cyber security due diligence undertaken as part of an acquisition and advise the Board of the risk exposure
• Annually assess the adequacy of the Group’s cyber insurance cover

The Committee’s terms of reference can be found in the Investor Relations > Corporate Governance section of the Company’s website (www.nccgroupplc.com/investor-relations/corporate-governance). The terms of reference are reviewed annually and updated when necessary.

Committee effectiveness

During the year, the Cyber Security Committee carried out an internal self-evaluation on its effectiveness, as it continues to mature since its formation in November 2016. The Committee was found to be working effectively and I am satisfied that the degree of rigour and challenge applied in performing the Committee’s responsibilities is appropriate and effective and continues to improve.

In terms of specific focus areas for the year ahead we agreed on the following:
• Continuing to take the papers/presentations as read and focusing on more value-adding dialogue, discussion, and interaction rather than going through the Committee briefing packs
• Acknowledgement that the presenter from the National Cyber Security Centre had been excellent and more external presenters should be used where possible
• A review of whether external advisers/consultants could attend future Committee meetings
• More frequent updates on the nature of the changing cyber threat landscape, e.g. what are the current major topics within cyber and the significant threats

As an output of both this and previous evaluations, the Committee, along with the Board, reaffirmed that cyber security is a sufficiently important risk for the business that the Committee should remain focused on this specific set of risks. Therefore, the current structure in which the responsibility for broader risk management remains with the Audit Committee will continue.

Committee activities during the year

The Committee continues to make sure that the Group’s resilience to cyber-attack is maintained and improved as the threat landscape changes. As the Securing Growth Together programme comes to its latter stages, more focus was put on longer-term initiatives that will stand the Group in good stead in the years to come. In November, the Committee had a fascinating talk from the Director of Operations at the UK’s National Cyber Security Centre (NCSC), about the NCSC’s perception and analysis of the cyber threat that faces the UK.
The Group continues to improve its cyber security controls. Building on our initial rollout of Microsoft Defender for Endpoint in 2020, we extended this to servers as well as endpoints, giving us ever-deeper security insight into our IT assets. In addition, we invested in technology that allows us to patch application software on endpoints in a more automated way across the internet, rather than requiring a VPN connection. Both of these controls stood us in good stead during the coronavirus pandemic, when almost all colleagues were working remotely. Our SOC implemented its latest detection suite across our networks, and we continue to benefit from novel detection methods and techniques as the SOC’s “customer zero”; as those detection techniques are refined, they are rolled out into our commercial offering.

In terms of our global data protection programme and internal data privacy activities, we are developing a three-year strategy to align the approach across the business, continue to improve our privacy maturity, and support in light of the rapidly changing regulatory landscape. Considerations include the newly approved Standard Contractual Clauses and their requirement for detailed information security provisions to be documented for each service line, as well as updating internal agreements to secure our global business in terms of facilitating data transfers.

Noteworthy highlights since our previous report include:
• A suite of tools has been created to enable Data Protection by Design to continue, and to make the assessment process more efficient and easier for the business to engage with. These include a Data Protection Impact Assessment (DPIA) triage form, and DPIA light and DPIA full templates, with guidance also produced. The data protection team has been working closely with IT to embed this into its processes
• The expansion of the data protection and privacy team’s remit to encompass data governance, including the appointment of Data Protection Officers to partner with North America and APAC, respectively, with appointment of a Data Protection Manager in NCC Europe, headed up by the Chief Data Protection and Governance Officer
• Bespoke gap analysis tool created covering all principles and articles within GDPR, which flexes to accommodate the complexity of our different business areas/service lines
• Assessment of the situation with the UK adequacy decision and the additional safeguards required to ensure the free flow of data from the EU to the UK should adequacy be revoked, as well as planning for the impact of the recent issue of the new Standard Contractual Clauses by the EU Commission

Committee meetings

During this financial year, the Committee met three times and the attendance of individual Committee members at the Cyber Security Committee meetings is shown in the table below. Unless otherwise indicated, all Directors held office throughout the year.
Attendee
Meetings attended
Chris Stone
Chris Batterham
Jonathan Brooks 1
Jennifer Duvalier
1 Was absent for July 2020’s meeting due to illness.
Chris Stone Chair, Cyber Security Committee 14 September 2021
NCC Group plc — Annual report and accounts for the year ended 31 May 2021
99