Business conduct and ethics

Cybersecurity 

Macquarie acknowledges that cybersecurity risk arises when threat actors target the people, processes or technology that support our business activities and that advanced persistent threats may introduce risks beyond our reasonable control. The cyber threat landscape includes financially motivated actors, nation states and hacktivists who strive to obtain unauthorised access to systems and data or disrupt Macquarie services from anywhere in the world.

Macquarie manages cyber and information security risk through Macquarie’s operational risk management framework. Cyber and information risk is defined as the intentional unauthorised use, modification, disclosure, or destruction of technology systems or information resources, which compromises their confidentiality, integrity, or availability in a way that significantly impacts the operation of a Macquarie business or service. Macquarie seeks to function within a controlled environment that reduces the likelihood of cyber incidents occurring, while ensuring that our security capabilities and incident response measures can effectively mitigate the impact of potential incidents in a timely manner.

We continuously monitor for changes in the cyber threat landscape, assess the potential impact of identified threats on Macquarie, implement controls to mitigate these threats and manage our residual risks in accordance with our risk appetite.

Macquarie is aligned to the United States of America’s National Institute of Standards and Technology Cyber Security Framework (NIST CSF) and regularly performs assessments to ensure cybersecurity capabilities are implemented that are appropriate for Macquarie’s size and threats faced.

Macquarie is committed to complying with cybersecurity regulations and laws in the countries in which it operates, which include the Australian Prudential Regulation Authority’s CPS 234 Prudential Standard on Information Security and the New York State Department of Financial Services 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies. In addition, Macquarie is committed to complying with data protection requirements in each jurisdiction that are applied through privacy regulations and laws.

Macquarie has dedicated specialised teams who design, implement, monitor, and assess Macquarie’s cybersecurity controls. These teams implement policies and procedures to:

• Identify, manage, and report cybersecurity risks to Management and the Board.
• Regularly assess the design and operating effectiveness of controls, including controls operated by Macquarie’s suppliers that are relevant to protecting Macquarie’s data and systems.
• Train and raise awareness of cyber and privacy risks. Macquarie’s staff are required to complete a cybersecurity awareness learning module, which is typically delivered annually.
• Implement data and asset protection controls which include ensuring:
  • Access, including privileged access, to systems and data is managed;
  • The potential for data loss is minimised;
  • System vulnerabilities are identified and remediated;
  • Systems are designed and changed securely;
  • Malware execution is prevented;
  • Data is handled and destroyed securely; and
  • Systems and data are resilient.
• Proactively identify threats and monitor security events.
• Detect and respond to cybersecurity incidents, including severe but plausible cybersecurity incidents if they occur by mitigating, containing, and recovering from the circumstances of the incident. If a cybersecurity incident occurs disclosures are made to clients, customers, regulators, and other stakeholders in accordance with relevant regulations and laws.
• Conduct regular testing of Macquarie’s ability to respond and mitigate the impact of a cyber incident.

Macquarie’s operational risk management process includes the assessment of current and emerging risks and internal and relevant external incidents.

Macquarie follows the ‘three lines of defence’ model where the business, the first line, owns the risk and is responsible for having systems, resources, management processes and operational controls in place for identifying, measuring, evaluating, monitoring, and controlling or mitigating material risks. The Risk Management Group (RMG) are an independent team, who are the second line, that provides independent and objective review and challenge, oversight, monitoring and reporting in relation to Macquarie’s material risks. Internal Audit are the third line who provide independent and objective risk-based assurance on the compliance with, and effectiveness of, Macquarie’s financial and risk management framework, including its governance, systems, structures, policies, processes and people for managing material risks.

Cyber controls are tested throughout the year on a risk basis through processes which include, management control assessments, operational risk assurance reviews, and internal audits.

Data privacy

The Macquarie Group Privacy Policy sets out why we need to collect personal information, how we collect it, what we do with it, how it is stored and who we might share it with. It also describes how individuals can access or correct information about themselves and how to ask further questions or make a complaint. The policy is administered by a dedicated privacy and data function and is supported by privacy and data training and awareness activities typically delivered annually.

Macquarie has processes in place to investigate data breaches involving personal information and will notify clients, customers, regulators, and other appropriate stakeholders of a data breach where we are required to do so under local legislation or as is otherwise appropriate in the circumstances.

To find out more about what we have done over the last year, refer to the Macquarie Group Sustainability Report.