CFSL Integrated Report 2023

Operational risk

Risk description

Technology risk is the risk that system-related failures, such as service outages or information security incidents, may disrupt business. Technology risk is inherent not only in our IT assets, but also in the people and processes that interact with them, including through dependency on third-party suppliers.

Cyber risk, which can be driven by people, process and/or technology, is the risk that the Group will be compromised because of cyber attacks, security breaches, unauthorised access, loss or destruction of data, unavailability of service, computer viruses and malware, employee misconduct or other events that could have an adverse security or resilience impact.

With the advent of digitalisation, and given that technology is a key enabler of, and dependency for, the success of our business, the management of IT risks is a must in order to meet our strategic objectives and to ensure the continuity of our operations. Disruption to technology may adversely impact the Group’s reputation and operations.

Key controls and risk mitigation

• IT Operations are responsible for capturing and tracking IT risks that relate to core aspects of technology service provision (e.g. infrastructure risks, failure of the core IT system and/or cyber attacks).
• The dedicated IT Security team is responsible for the monitoring and reporting of cyber security risks.
• From the second line of defence perspective, the Risk Management team has developed and implemented a framework for the measurement and monitoring of the technology and cyber risk profile, and control environment measurement.
• Policies, standards and procedures have been implemented and are reviewed on a periodic basis.
• Regular training and awareness, especially on emerging trends in cyber attacks.
• Due diligence and clear contracts in place for third-party engagement.
• IT and cyber security risks are also independently tracked by the Risk Management team and the risks are reported to the risk forums and to the Risk Management Committee, at least on a quarterly basis.

Key developments

• The threat landscape associated with cyber risk continues to evolve and there is growing regulatory attention on this subject.
• The Group continues to invest heavily to protect the Group against cyber attacks. Further investment into IT security, with the replacement of our core antivirus system, the deployment of data leakage prevention across all endpoints, and a shift from signature-based technology to a more user-behaviour-based technology, is amongst the latest initiatives.
• Development of an array of IT standards, encompassing all key activities within IT and cyber security, so as to create better consistency and alignment with business strategy. Moreover, the standards have been refreshed to keep up to date with evolving business needs and the threat landscape associated with cyber risk, while ensuring alignment with the recent Guideline on Cyber and Technology Risk Management issued by the Bank of Mauritius in May 2023.
• IT resilience: the Group continues to optimise its approach to IT and operational resilience by investing in technology improvements and enhancing the resilience of systems that support the Group’s critical business processes and important business services. Constant effort is made with respect to updating Business Impact Analysis (‘BIA’) documents for all departments, as well as the overall Business Continuity Plan for the organisation. A Disaster Recovery Test, as well as a Call Tree Test, was performed this year as part of overall BCM efforts.
