Macquarie recognises that cyber and information security risk is inherent in the use of the technology platforms that support our business activities. We seek to operate in a control environment that limits the likelihood of a cyber or information security incident, and we seek to ensure that the impact of a cyber or information security incident can be minimised by our information security capability and incident response.
Macquarie manages cyber and information security risk through Macquarie’s operational risk management framework. Macquarie has no appetite for operational risk incidents that threaten Macquarie’s viability, have a material impact on Macquarie’s earnings, or that cause significant damage to Macquarie’s reputation, staff, clients, counterparties or the markets or communities in which Macquarie operates.
The cyber threat landscape includes financially motivated entities, nation states and hacktivists who, from anywhere in the world, attempt to gain access to our systems or data either directly or through our clients, staff, or suppliers. Cyber attacks are increasing as dependency on technology increases and as our businesses grow in prominence.
Macquarie is aligned to the United States of America National Institute of Standards and Technology Cyber Security Framework (NIST CSF) and regularly performs assessments to ensure cybersecurity capabilities are implemented that are appropriate for Macquarie’s size and threats faced.
Macquarie complies with cybersecurity regulations and laws in the countries in which it operates, which include the Australian Prudential Regulation Authority’s CPS 234 Prudential Standard on Information Security and the New York State Department of Financial Services 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies. In addition, Macquarie complies with data protection requirements in each jurisdiction that are applied through privacy regulations and laws.
- Macquarie has dedicated specialised teams who design, implement, monitor, and assess Macquarie’s cybersecurity controls. These teams implement policies and procedures to:
  - Identify, manage, and report cybersecurity risks to Management and the Board.
  - Regularly assess the design and operating effectiveness of controls, including controls operated by Macquarie’s suppliers that are relevant to protecting Macquarie’s data and systems.
  - Train and raise awareness of cyber and privacy risks with Macquarie’s staff.
  - Implement data and asset protection controls which include ensuring:
    - access, including privileged access, to systems and data is controlled;
    - the potential for data loss is minimised;
    - system vulnerabilities are identified and remediated;
    - systems are designed and changed securely;
    - malware execution is prevented;
    - data is handled and destroyed securely; and
    - systems and data are available.
  - Proactively identify threats and monitor security events.
  - Respond to security incidents if they occur by mitigating, containing, and recovering from the circumstances of the incident. If a security incident occurs, disclosures are made to clients, customers, regulators, and other stakeholders in accordance with relevant regulations and laws.
Macquarie’s operational risk management process includes the assessment of current and emerging risks and internal and relevant external incidents.
Macquarie follows the ‘three lines of defence’ model, where the business, the first line, owns the risk and is responsible for designing and operating appropriate controls and periodically assuring the effective design and operation of those controls. The Risk Management Group (RMG), an independent team representing the second line, provides tools and guidance to ensure the risk management framework is effective and consistently applied across each business. Internal Audit, the third line, provides independent assurance to the Board Audit Committee (BAC) that the Operational Risk Management Framework is operating effectively, including business implementation and RMG’s oversight of the first line.
Macquarie has processes in place to investigate data breaches involving personal information and will notify clients, customers, regulators, and other appropriate stakeholders of a data breach that has a material impact where we are required to do so under local legislation or where it is otherwise appropriate in the circumstances. Where notification is required, we will do so promptly and within the notification period provided for under local legislation, for example within 72 hours in jurisdictions governed by the General Data Protection Regulation.