Re: Annual Report to Shareholders: Principal Risks and Uncertainties
Every company should now have Data and Cyber Security (or similar) in the risks & Uncertainties section.
Extracted from the above (2015) (Published 12th June 2015 according to their site):-
4. Data and cyber security
Potential impact:
Failure to prevent the loss or exploitation of personally identifiable or commercially sensitive information could result in loss of competitive advantage, regulatory fines, damage to the brand, and ultimately, churn.
Mitigation:
The Group continually reviews and seeks best practice external guidance on its data and cyber security capability and invests in and implements new solutions, both to prevent and detect incidents. TalkTalk continues to adopt the Ten Steps to Cyber Security as a control framework for mitigating key areas of risk. Progress is monitored via the in house Data Council, which convenes monthly and is chaired by the Chief Technology Officer (CTO). In FY15, key initiatives including the encryption of hardware and removable media, a data loss prevention solution, vulnerability scanning and penetration testing have been completed. A new Head of Security has also been appointed to establish and oversee the new Security Operations Centre, the activities of which have been outsourced to cyber security experts BAe systems.
----------
Extracted from their 2014 Annual Report
Potential impact:
Failure to prevent the loss or exploitation of personally identifiable or commercially sensitive information could result in loss of competitive advantage, regulatory fines, damage to the brand and ultimately churn.
Mitigation:
The Group continually reviews and seeks best practice external guidance on its data security capability and invests in and implements new solutions, both to prevent and detect security breaches. In FY14, there have been initiatives including increased hardware and removable media encryption, further enhancements to the Group’s data loss prevention capability and roll-out of advanced solutions to protect customer credit card details. The Group has also adopted a ‘Ten Steps to Cyber Security’ programme, to increase protection against intrusion and attack; improve detection and management of breaches; and increase protection against loss of personal data. The Data Governance Council meets monthly to review progress against the risk mitigation plans aligned to the Ten Steps to Cyber Security.
(apologies for the abysmal formatting)