Risks and risk management
Principal risks and uncertainties continued

IT SYSTEMS, DATA AND CYBER SECURITY

Risk

Description
Operations impacted by failure to develop technology to support the strategy, lack of availability due to cyber attack or other failure, and reputational damage/fines due to loss of personal data.

Link to strategy:
All focus areas

Performance indicator:
Number of major incidents
Reportable data breaches

Executive responsibility:
Chief Information Officer

Reports to:
Chief Executive Officer

Impact compared to FY20:

How we mitigate
• Steering Group in place to oversee the Group’s approach to IT security and data protection.
• Formal IT governance processes in place to cover all aspects of IT management.
• Changes to IT services are managed through a combination of formal programmes for large and complex projects, or bespoke iterative development methodologies for smaller-scale changes.
• A detailed IT development and security roadmap is in place, aligned to strategy.
• Comprehensive third-party support in place for relevant technologies.
• Business continuity in place for all major systems and applications.
• Business process, authorisation controls and access to sensitive transactions are kept under review.
• Point of sale end-to-end encryption in place on our payment terminals, whose software is updated continuously.
• Cyber insurance cover in place.

Board oversight:
• Cyber security is a standard agenda item for the Audit and Risk Committee.
• Major security incidents reported by the Company Secretary.

Progress in FY21
• Refreshed our education and awareness programmes to keep colleagues informed and to reduce the likelihood of an event occurring, including tailored GDPR training for colleagues across the business provided by a specialist GDPR legal practice.
• Further developed our IT security governance with specific recruitment to increase capability and resource.
• Implemented periodic Disaster Recovery testing with results reported to the Audit & Risk Committee.
• Continued to implement the GDPR risk treatment plan and have recruited a dedicated GDPR specialist.
• Continued to implement security improvements.
• Internal audit review of our cyber maturity completed and a number of actions completed to address its findings.
• Desktop test of our readiness to manage a cyber breach completed.
• Aligning to the ISO27001 framework to broaden our cyber security perspective across the enterprise, whilst retaining Cyber Essentials and NIST.
• Crisis management simulation exercise conducted to test our resilience and response in a cyber security terrorism scenario.
• Recruited specialist resource across various technology teams to improve capabilities and resilience.

IT SYSTEMS, DATA AND CYBER SECURITY

Information security policies and systems
We have a number of policies in place to set out how we manage IT, cyber security and data management, including an overall Personal Information Security Policy, a Data Protection Policy, and other policies covering matters such as use of social media and personal devices to access Group systems.

We measure ourselves against the National Cyber Security Centre’s (NCSC) ‘Ten Steps’ to cyber security and, in recent years, we have been working towards aligning our management systems to the NCSC Cyber Essentials Plus standard to provide external assurance. This year we have decided to align to the ISO 27001 framework.

Audit frequency
We carry out formal penetration testing at least annually; this happens far more frequently when we test new areas of the commercial website and any new software developments. Vulnerability assessments are carried out continuously.

In 2020, our new Internal Auditor, KPMG, carried out a business-wide controls ‘health check’, as well as an audit of general IT controls and cyber security. Both resulted in several actions, and progress has been made to address these, including allocating additional resources. Further details are in the report of the Audit and Risk Committee on page 137.

86 DUNELM GROUP PLC ANNUAL REPORT & ACCOUNTS 2021