NCC Group plc Annual Report 2022

Cyber Security Committee report

Monitoring the cyber security and data protection landscapes

The Committee is dedicated to driving continuous improvement in both the cyber security and data protection environments. This has been achieved through challenging the “norm”, proactively managing a changing risk environment, sponsoring key projects, and encouraging innovative solutions.

2021/22 highlights

• Focus on defining the role of NCC as potentially both a controller and processor in certain service lines to maintain compliance with contractual and data transfer obligations
• Project to support maturing global service delivery model from the perspective of data transfer and data sovereignty requirements
• Global information risk management framework, with dedicated information risk scoring matrix, has been embedded and better articulates the data risks faced by the Group and therefore supports continuous improvement
• Establishment of Global Technical Services (GTS) in November 2021, with strong focus on removing legacy technologies and simplifying our IT estate, which will continue into 2022/23
• Cyber Security Review against the NIST Framework in February 2022, and greater use of other third party benchmarks like Microsoft’s Secure Score to help objectively prioritise security improvements

2022/23 priorities

• Implementing a ticketing system to improve workload management and reporting requirements for greater visibility and ability to more accurately measure trends
• Revamping the data protection governance structure to include Data Leads and Champions, with Steering Committee membership comprising ExCom
• Streamlining security processes as part of the Global Technical Services target operating model to improve security team efficiency
• Running more complex cyber exercises to test our response processes

Chris Stone, Committee Chair

The Cyber Security Committee was formed to focus specifically on the cyber risks faced by the Group. This reflects the significant threat posed by cyber risks, the nature of our business, and the potential damage to the business as a high value target for malicious acts. The Committee’s activities aim to challenge and support improvements to the Group’s information security and data protection policies, defences and controls, so as to comply with global data protection regulations around the world, and ensure that the Group looks after its own information, and the information that its customers entrust to it, with the proper care and attention. The Committee was formed in November 2016 and I have been Chair since January 2018. Chris Batterham and Jennifer Duvalier (both independent Non‑Executive Directors) served as members of the Committee throughout the year. Jonathan Brooks stepped down from the Committee when he stepped down from the Board on 27 January 2022. Julie Chakraverty (an independent Non-Executive Director) joined the Committee when she was appointed to the Board on 1 January 2022. Julie brings welcome new experience with her strong financial services and technology background and is a strong addition to the Committee’s membership. On 1 September 2022, Lynn Fordham was appointed to the Committee. The Group’s Director of Global Governance, the Group’s Chief Information Security Officer (CISO), and the Group’s Chief Data Protection and Governance Officer (CDPGO) are standing invitees of the Committee. The Executive Directors are invited to attend Committee meetings when the Committee considers it to be appropriate.
