Annual Report 2023

Cybersecurity

Information Security Risk Management and Strategy

Our approach to risk management is designed to identify, assess, prioritize and manage major risk exposures that could affect our ability to execute our corporate strategy and fulfill our business objectives. As part of our information security and privacy program, the Information Security and Management System (the ISMS), we perform risk assessments in which we map and prioritize information security risks identified through the processes described below, including risks associated with our use of third-party service providers. These assessments inform our ISMS strategies and oversight processes and are included with other enterprise risks as part of our broader enterprise risk management. We view information security risk as one of the key risk categories we face. IT system vendors are subject to security review and audits. For more information regarding the cybersecurity-related risks we face, please refer to section 2.7.4 “Our business and operations could suffer in the event of system failures or unauthorized or inappropriate use of or access to our systems”.

Our processes for assessing, identifying and managing information security risks and vulnerabilities are embedded across our business as part of our ISMS. Among other things, we conduct audits and tests of our information systems (including review and assessment by independent third-party advisors, who assess and report on the maturity of our security measures and help identify areas for continued focus and improvement) and review information security threat information published by government entities and other organizations in which we participate. We train our employees on data security matters so that they are aware of and vigilant against potential data security risks, and data privacy is incorporated into our overall compliance training, including privacy-specific training for employees and contractors. We also conduct regular phishing awareness training, which includes simulated phishing emails to test employee vigilance. In addition, employees are required to read and acknowledge the information security policies that are relevant to their specific role. We also have implemented and maintain information security incident response plans, which include processes to triage, assess the severity of, escalate, contain, investigate and remediate information security incidents, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.

Information Security Governance and Oversight

Our ISMS enables our Board of Directors to establish a mutual understanding with our senior management team of the effectiveness of our information security risk management practices and capabilities, including the division of responsibilities for reviewing our information security risk exposure and risk tolerance, tracking emerging information risks and ensuring proper escalation of certain key risks for periodic review by the Board of Directors and its committees. As part of its broader risk oversight activities, the Board of Directors oversees risks from information security threats, both directly and through the audit and compliance committee of the Board of Directors. The audit and compliance committee also oversees our internal control over financial reporting.

As an element of its cybersecurity oversight activities, the audit and compliance committee regularly reviews the results of our enterprise risk assessments, including information security risk assessments, as well as management's strategies to detect, monitor and manage such risks and the related risk assessment and risk management policies. Our ISMS contains provisions regarding reporting to the Global Risk Management Committee. Additionally, the data protection officer (the DPO) provides regular updates to senior management and to the audit and compliance committee, the latter as a component of the committee’s compliance updates. The DPO also regularly reports to the Global Corporate Compliance Committee, the Global Risk Management Committee and the General Counsel on matters such as the status of the organizational privacy plan, data breaches and routine programs. In addition to these regularly scheduled updates from the DPO, the Global Head of Business Information Systems reports to the audit and compliance committee or the full Board of Directors, as appropriate, on how certain information security risks are being managed and on progress towards agreed mitigation goals, as well as on any potentially material risks from cybersecurity threats that have been detected by the information security team.

Our information security team is responsible for the day-to-day identification, assessment and management of the information security risks we face. Our Global Head of Business Information Systems has 32 years of experience in information management systems, and the managers reporting to the Global Head of Business Information Systems have over 40 cumulative years of experience in information security. Our incident response and data breach procedures are designed for the timely detection, reporting and investigation of all security incidents, as well as the timely notification of any reportable breaches (including any material cybersecurity incidents and personal data breaches) to the competent authorities and the timely communication to the affected individuals, where relevant. We maintain records of breaches on our quarterly corporate risk dashboard and in our personal data breach register, and we monitor and regularly report our security and data breach metrics to senior management, including the audit and compliance committee of our Board of Directors, the Global Corporate Compliance Committee and the Global Risk Management Committee. In addition to the ordinary-course Board of Directors and audit and compliance committee reporting and oversight described above, we also maintain disclosure controls and procedures designed for prompt reporting to the Board of Directors and timely public disclosure, as appropriate, of material events covered by our risk management framework, including information security risks.