Inizio Sustainability Report 2023

Information security and data privacy

The nature of our business means we process personal information. Such information may be provided by our clients, can include patient information, or may be information pertaining to our employees and their families. This means data security must be at the heart of everything we do, and we work closely with our stakeholders to protect all of the personal information we process or control.

Governance

Our central security and compliance teams are responsible for our Group-wide policies and procedures, and operate under our Chief Technology Officer, Chief Information Security Officer, Group Head of Risk and Compliance, and Group Data Protection Officer. We also support our individual businesses to ensure they have the resources and knowledge they need to manage the data in their custody. Our Information Security Governance Committee meets quarterly and provides oversight and feedback on our security strategy and performance.

We distribute security reports bi-weekly to our senior leadership teams, with monthly updates to the Executive Council. Our multiple reporting committees also receive security and privacy updates, including the Audit Committee and the Risk and Controls Committee, which meet on a quarterly basis.

We have redesigned our Group security policies to align them with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. To keep pace with the evolving security threat, we've grown our internal security team and we're working with key security partners to mitigate threats. We're also extending Cyber Essentials certification across the Group, to meet client expectations.

We maintain the information security risk register and provide input to the Enterprise Risk Management Program. We have a vulnerability management program involving both internal and third-party risk assessments of our security posture.

Certifications

Our security teams have certifications from organizations such as ISACA and Integrated Security Consultants Ltd (ISC). Our security and privacy team have memberships of the Information Security Forum, the European Cyber Security Organisation, and the International Association of Privacy Professionals. During 2023, Inizio certified to the new EU-US Data Protection Framework (DPF), the UK Extension to the EU-US DPF, and the Swiss-US DPF, allowing us to make transatlantic data transfers.

We manage our privacy and data governance program using a class-leading third-party cloud-based solution. This supports a wide range of assessments, including data protection impact assessments, records of processing, cookie compliance, and country assessments. We perform information security and data privacy due diligence on vendors that process sensitive data for us and those that integrate with our systems. The depth of these assessments depends on the sensitivity and nature of the engagement.

To ensure people understand their rights under data protection legislation, we provide them with privacy notices. These include their rights under the General Data Protection Regulation (GDPR).

During 2023, we did not receive any substantiated complaints about breaches of customer privacy and there were no losses of customer data during the year under review.

Training

We expect every employee to be responsible for the information they process. We have mandatory privacy and security training, support, and updates, to ensure our people have the knowledge to perform their roles, in line with our clients' expectations.

Our security awareness platform provides targeted training to our people around the globe and is translated into multiple languages. We perform annual phishing tests, tailored by region and language, and provide regular reminders to our people, based on the current threat landscape.

Certified to the new EU-US DPF, the UK Extension to the EU-US DPF, and the Swiss-US DPF, facilitating transatlantic data transfers.