Case study: How Investec promotes information security

Investec is an international specialist bank and asset management group that provides a diverse range of financial products and services to a select client base in three principal markets, the UK and Europe, South Africa and Asia/Australia, as well as certain other countries. Investec builds information security and IT risk management capabilities across the group while promoting the responsible handling of personal data, so as to enable business continuity while protecting information assets by proactively identifying and mitigating threats to its people, processes, technology and data.
This case study is based on the 2019 Corporate Sustainability and ESG Supplementary Report by Investec published on the Global Reporting Initiative Sustainability Disclosure Database that can be found at this link. Through all case studies we aim to demonstrate what CSR/ESG/sustainability reporting done responsibly means. Essentially, it means: a) identifying a company’s most important impacts on the environment, economy and society, and b) measuring, managing and changing.
Abstract
Investec recognises that information and technology resources are critical business assets, which need to be appropriately managed and secured. In order to promote information security Investec took action to:
- provide information security training
- promote cybersecurity
With this case study you will see:
- Which are the most important impacts (material issues) Investec has identified;
- How Investec proceeded with stakeholder engagement, and
- What actions were taken by Investec to promote information security
What are the material issues the company has identified?
In its 2019 Corporate Sustainability and ESG Supplementary Report Investec identified a range of material issues, such as gender, diversity and transformation, auditor independence, improving and sustainable returns, impact of the political and economic environment. Among these, promoting information security stands out as a key material issue for Investec.
Stakeholder engagement in accordance with the GRI Standards
The Global Reporting Initiative (GRI) defines the Principle of Stakeholder Inclusiveness when identifying material issues (or a company’s most important impacts) as follows:
Stakeholders must be consulted in the process of identifying a company’s most important impacts and their reasonable expectations and interests must be taken into account. This is an important cornerstone for CSR / sustainability reporting done responsibly.
Key stakeholder groups Investec engages with:
To identify and prioritise material topics Investec engaged with its stakeholders through the following channels:
| Stakeholder Group | Method of engagement |
| --- | --- |
| Employees | · Quarterly magazine · Staff updates hosted by executive management · Group and subsidiary fact sheets · Tailored internal investor relations presentations · Induction training for new employees · Regular staff communications · Dedicated comprehensive intranet · Senior management engagement breakfasts |
| Investors and shareholders | · Annual general meeting · Four investor presentations · Stock exchange announcements · Comprehensive investor relations website · Shareholder roadshows and presentations · Regular meetings with investor relations team and executive management · Annual meeting with investor relations, group company secretarial, the chairman of the board, senior independent director and chairman of the remuneration committee · Regular email and telephone communication · Annual and interim reports |
| Clients | · Client relationship managers in each business · Regular face-to-face, telephone and email communications · Meetings with senior management · Comprehensive website and app · Industry relevant events · Client marketing events |
| Rating agencies | · Meetings with investor relations team, group risk management and executive management · Tailored rating agency booklet · Tailored presentations · Regular email and telephone communications · Annual and interim reports · Four investor presentations · Comprehensive investor relations website |
| Government and regulatory bodies | · Active participation in a number of policy forums · Response and engagement with all relevant bodies on regulatory matters · Consulted with industry bodies |
| Equity and debt analysts | · Four investor presentations · Stock exchange announcements · Comprehensive investor relations website · Regular meetings with investor relations and executive management · Regular email and telephone communications · Annual and interim reports |
| Media | · Regular email and telephone communications · Stock exchange announcements · Comprehensive website · Meetings with executive management, economists and industry spokespersons · Dedicated third party public relations teams |
| Suppliers | · Centralised negotiation process · Ad hoc procurement questionnaires requesting information on suppliers’ environmental, social and ethical policies |
What actions were taken by Investec to promote information security?
In its 2019 Corporate Sustainability and ESG Supplementary Report Investec reports that it took the following actions for promoting information security:
- Providing information security training
  - During the reporting year Investec ran a modular computer based training (CBT) information security awareness campaign, aimed to educate staff about the threats to Investec’s information, give them insight into the potential risks of data compromise, and to arm them with the knowledge they need to safeguard Investec’s (and their) data. A total of 81% of staff completed the training during the year. The campaign covered a broad range of topics consisting of the following modules:
    - Module 1 – Data protection: The different classifications of information, the importance of protecting it, and how to securely handle the information you access in your role
    - Module 2 – Cybersecurity: The threats you may face when you are online, the dangers of tricks and techniques used by cyber criminals, and how to guard against these
    - Module 3 – Mobile devices and social media: The risks associated with using mobile devices, the potential dangers of social media, and what you can do to keep your data and devices safe
    - Module 4 – Beyond the office: The importance of being vigilant and how to protect information when out of the office – be it at home, in public places, or while travelling
    - Module 5 – Security essentials: The fundamentals of information security, social engineering, and secure use of IT resources to safeguard both corporate and personal data.
- Promoting cybersecurity
  - Investec maintains a risk-based strategy incorporating prediction, prevention, detection and response capabilities, to ensure the group is adequately protected against advanced cyber attacks. Continual monitoring provides visibility and enables proactive response to evolving cyber threats. Investec maintains active participation in the global cybersecurity industry to stay current and relevant. Targeted attack simulations by external specialists are performed, to measure and improve cyber defences. These are complemented by non-technical exercises involving the board and senior leadership to evaluate and improve cyber incident response and crisis management.
Which GRI Standards and corresponding Sustainable Development Goals (SDGs) have been addressed?
The GRI Standard addressed in this case is: Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data
Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data corresponds to:
- Sustainable Development Goal (SDG) 16: Peace, Justice and Strong Institutions
  - Targets: 16.3, 16.10
References:
1) This case study is based on published information by Investec, located at the link below. For the sake of readability, we did not use brackets or ellipses. However, we made sure that the extra or missing words did not change the report’s meaning. If you would like to quote these written sources from the original, please revert to the original on the Global Reporting Initiative’s Sustainability Disclosure Database at the link:
http://database.globalreporting.org/
2) https://www.globalreporting.org/standards/gri-standards-download-center/