Important information

Cybersecurity and information security

Macquarie acknowledges that:

  • Cybersecurity risk arises when threat actors target the people, processes, or technology that support our business activities, and that advanced persistent threats may originate from, for example, state-sponsored activities.
  • Information security risk arises through the collection, use, processing, distribution and retention of information assets.

The cyber and information security threat landscape includes financially motivated actors, nation states, and hacktivists who strive to obtain unauthorised access to systems and data or disrupt Macquarie services from anywhere in the world.

Macquarie manages cyber and information security risk through Macquarie’s operational risk management framework. Cyber and information risk is defined as the intentional unauthorised use, modification, disclosure, or destruction of technology systems or information resources, which compromises their confidentiality, integrity, or availability in a way that results in:

  • A prolonged or material impact to Macquarie’s most critical technology assets, data and operations.
  • Material adverse impacts to customers, clients, counterparties, stakeholders, or our operations, assets, reputation and security.

Macquarie operates a control environment that seeks to:

  • Actively identify and assess threats.
  • Safeguard against unauthorised access, lateral movement, and other cyber tactics, techniques and procedures used by malicious threat actors.
  • Detect and manage potential cyber security incidents, events and vulnerabilities.
  • Minimise the impact of material incidents and facilitate timely recovery.
  • Identify and assess the nature, classification, and use of sensitive information.
  • Control access, replication and distribution within and outside of Macquarie’s control environment.
  • Protect sensitive information including when in transit and at rest.
  • Securely transport and dispose of data-bearing equipment and physical and electronic records whether held by us or by our service providers.
  • Take reasonable and appropriate measures to assess the adequacy of the information security capabilities of external parties who access, process, or retain Macquarie’s sensitive information outside of Macquarie’s control environment, and, where feasible, seek their alignment to our expected control standards.

We continuously monitor for changes in the cyber threat landscape, assess the potential impact of identified threats on Macquarie, implement controls to mitigate these threats and manage our residual risks in accordance with our risk appetite.

Macquarie aims to align to the United States of America’s National Institute of Standards and Technology Cyber Security Framework (NIST CSF) and regularly performs assessments, which show strong alignment, to ensure that the cybersecurity capabilities implemented are appropriate for Macquarie’s size and the threats it faces.

Macquarie is subject to applicable privacy and data protection, cyber and information security regulations and laws in the countries in which it operates, which include the Australian Prudential Regulation Authority’s CPS 234 Prudential Standard on Information Security and the New York State Department of Financial Services 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies.

Macquarie has dedicated specialist teams who design, implement, monitor, and assess Macquarie’s cyber and information security controls. These teams implement policies and procedures to:

  • Identify, manage, and report cyber and information security risks to Management and the Board.
  • Regularly assess the design and operating effectiveness of controls, including controls operated by Macquarie’s suppliers that are relevant to protecting Macquarie’s data and systems.
  • Train and raise awareness of cyber and privacy risks. Macquarie’s staff are required to complete a cybersecurity awareness learning module, which is typically delivered annually.
  • Implement data and asset protection controls which include ensuring:
    • Access, including privileged access, to systems and data is managed;
    • The potential for data loss is minimised;
    • System vulnerabilities are identified and remediated;
    • Systems are designed and changed securely;
    • Malware execution is prevented;
    • Data is handled and destroyed securely; and
    • Systems and data are resilient.
  • Proactively identify threats and monitor security events.
  • Detect and respond to cybersecurity incidents, including severe but plausible cybersecurity incidents, by mitigating, containing, and recovering from the circumstances of the incident. If a cyber or information security incident occurs, disclosures are made to clients, customers, regulators, and other stakeholders in accordance with relevant regulations and laws.
  • Conduct regular testing of Macquarie’s ability to respond to and mitigate the impact of a cyber or information incident.

Macquarie’s operational risk management process includes the assessment of current and emerging risks and internal and relevant external incidents.

Macquarie follows the ‘three lines of defence’ model, where the business, the first line, owns the risk and is responsible for having systems, resources, management processes and operational controls in place for identifying, measuring, evaluating, monitoring, and controlling or mitigating material risks. The Risk Management Group (RMG), the second line, is an independent team that provides independent and objective review and challenge, oversight, monitoring and reporting in relation to Macquarie’s material risks. Internal Audit, the third line, provides independent and objective risk-based assurance on the compliance with, and effectiveness of, Macquarie’s financial and risk management framework, including its governance, systems, structures, policies, processes and people for managing material risks.

Cyber controls are tested throughout the year on a risk basis through processes which include management control assessments, operational risk assurance reviews, and internal audits.