Cybersecurity
Cyber risk is one of the top operational risks faced by the IOOF Group. In line with our organisational purpose, we are committed to keeping our clients’ personal data secure, by ensuring we have robust and evolving cybersecurity and privacy controls in place.
Our cybersecurity strategy, policies, tactical initiatives and operational controls are based on the National Institute of Standards and Technology security framework and adhere to APRA guidelines on information and cybersecurity. Our Cybersecurity Team reports to the Board on cyber incidents, events, readiness and improvement projects.
Like all business operations, cybersecurity relies on people, processes and technologies. Our people are our first line of defence and IOOF has a considerable focus on enabling and embedding a ‘cybersecurity culture’ throughout the business. Our people undergo various levels of awareness training, including at induction and in mandatory annual online training, as well as personal one-on-one training sessions where there is a high cybersecurity risk.
All third-party relationships are established only after a rigorous due diligence process governed by our Vendor Management Policy. Security risk assessments are conducted at the start of a contract, and regularly throughout the course of the contract. This ensures that IOOF has adequate assurance over the conduct and controls third parties have in place to protect information they hold.
IOOF collaborates with government bodies and the industry to keep abreast of cyber trends, and emerging cybersecurity threats and controls, and to discuss, collaborate and share new cybersecurity strategies and tactics.
IOOF is an active member of the Joint Cybersecurity Centre and partners with Australia’s national Computer Emergency Response Team and the Financial Services Information Sharing and Analysis Center. IOOF is a founding member of the Australian chapter of the Global Cybersecurity Alliance, which is an international, cross-sector effort to confront, address and prevent malicious cyber activity.
The Cybersecurity Team at IOOF is also a member of industry groups such as CISO Lens, the Information Systems Audit and Control Association and the Australian Information Security Association. This ensures the team receives updates on relevant knowledge and intelligence into the latest trends and threats impacting the Australian and global cyber landscape.
With the onset of the COVID-19 pandemic in early 2020, we enacted our Business Continuity Plan and the workforce switched to working from home. Appropriate policy, procedural and technical controls were implemented to mitigate the risks introduced by working from home.
The IOOF Cybersecurity Team is currently involved in ensuring security controls are carefully considered and implemented as the IOOF and MLC integration continues.
Privacy
Our clients trust us to look after them by ensuring their personal information is safe and secure. The personal information we collect is handled in accordance with the IOOF Group Privacy Policy, which outlines how we manage personal information.
We have a robust program in place to ensure privacy awareness remains at the forefront of our employees’ minds. Online privacy awareness training is provided to all employees annually and targeted training is delivered several times a year. We support a strong culture of privacy compliance, where reporting and responding to privacy breaches is second nature. We are continually looking for ways to enhance our capabilities, to ensure our controls remain effective, and to build privacy awareness.
In May, we entered our seventh year as an active participant in the Office of the Australian Information Commissioner’s annual Privacy Awareness Week (PAW). This year’s theme was to make privacy a priority and to engage employees in initiatives and activities to reinforce the importance of protecting client information.
With most of our employees working online from home at least part of the time, we have reinforced that safeguarding information is more vital than ever. Prioritising privacy helps us to maintain our clients’ confidence that we securely handle the personal information they entrust us with.
Financial Accountability Regime
The Financial Accountability Regime (FAR) is the Australian Government’s response to recommendations made by the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry. The FAR extends the current Banking Executive Accountability Regime to strengthen the responsibility and accountability of directors and most senior and influential executives of financial institutions.
Our business