We recognise the importance of data security and privacy practices to our stakeholders including customers, supply partners and employees. The expectations of our stakeholders are increasing and evolving at a fast pace, and we aim to meet those expectations and comply with relevant regulatory requirements.
Governance
Recognising that data security and privacy is a shared responsibility across the Group, a Cyber Security & Privacy Steering Committee was set up during the year comprising members of the Executive Leadership Team and senior IT management and led by the Group CEO. The Steering Committee reviews progress made against a number of projects and, recognising the complexity in this area, provides guidance on the priorities for the Group.
The Board receives an update at each regular Board meeting on cyber security and privacy matters. In addition, the Audit & Risk Committee receives in-depth reports on cyber security and privacy at least annually.
Areas of focus
During the year, EBOS commenced a project to align and, where necessary, uplift privacy processes. A data mapping exercise was undertaken and areas for potential improvement were identified. It is expected that the work under this project will be ongoing. Privacy policies and collection notices across the Australian and New Zealand businesses are being updated to reflect the collection, use and disclosure practices of specific businesses. Privacy impact assessments are also undertaken for new processes in Australia and New Zealand as those are being considered or implemented.
In relation to data security, EBOS continues to invest resources in policies, processes and technology to respond to emerging threats. The risk of a significant cyber security incident has been identified in the Group’s strategic risk profile. Having regard to this, during the year cyber security response plans were implemented or improved at the leadership (Board and Executive Leadership Team) and IT operational levels, and cyber incident simulation exercises were undertaken.
The Group has also undertaken a project to align our security policies, standards and procedures to ISO/IEC 27001, an internationally recognised standard for the management of information security, with a view to being certified against this standard by an independent auditor.