Consolidated Annual Report 2024

CONSOLIDATED FINANCIAL STATEMENTS 2024

While the broader objective on completion of the project is to create digital dexterity and diversity to transition the Group into a more agile and resilient state, the more specific objectives and target outcomes are identified as follows:

• Increased member value-added services and functionality
• Enhanced/More unified member experiences across all delivery channels
• Implementation of an operating model that will be resilient against potential changes and challenges and can ensure long-term success and a sustainable future

Cybersecurity & Cyber Incident Mitigation

The ongoing global surge in cyber-related attacks, with their substantial economic, reputational, and legal repercussions, remains a cause for concern for all financial services entities. Ransomware attacks are particularly worrisome as they employ multiple strategies, such as the use of Remote Desktop Protocol as the vector, email phishing and software vulnerabilities.

Artificial Intelligence (AI) has unfortunately become a weapon not only for organisations, which use it in a positive way, but also for attackers and others with bad intentions. Its use in security solutions under contract to the Group therefore continues to be a focused area of defence. As threat actors are capitalising on generative AI to create new and improved code for more sophisticated malware that is harder for cybersecurity tools to detect, the Group and its service partners must in turn use it to discover and mitigate their activities.

To safeguard our information assets and minimize the risk of cyber incidents, the BPWCCUL Group has implemented a range of strategies and solutions:

• Regular system updates and patching to mitigate the risk of exploited vulnerabilities.
• Security training and automated phishing email simulations for new and existing employees, promoting vigilance and the recognition of potentially dangerous emails.
• Filtering and blocking of spam-related emails, with non-compliant messages flagged as SPAM and external emails tagged for heightened security.
• Real-time monitoring and analysis of email attachments, enabling immediate alerts for suspicious emails and follow-up by our internal team.
• Utilisation of anti-malware agents, including AI-powered solutions, to bolster our security defences.
• Managed intrusion prevention and detection services, actively detecting and blocking malicious inbound and outbound traffic using countermeasures and threat intelligence.
• Advanced threat detection systems designed to identify adversarial behaviour even when no malware is present.
• Continuous, automated vulnerability assessments and annual onsite penetration and vulnerability tests by a leading independent third-party service provider to investigate, analyse, and report on any discovered security vulnerabilities.
• A defined Cybersecurity Incident Response Plan (CIRP) to manage and respond to cyber incidents, incorporated into our Business Continuity and Disaster Recovery plans and activities.
• Alignment of our activities with frameworks such as COBIT 5, ISO 27001, and the NIST Cybersecurity Framework to inform the development of appropriate policies, including information security and change management.

Data Privacy & Protection

With the increasing number of information security breaches reported worldwide, data privacy and the protection of our members' privacy is of paramount importance. The data privacy and protection initiative which was outlined to you in the prior year continued during the reporting period, where we focused on the implementation of some key elements required to support the full framework to govern our data protection and privacy activities. Over the past year we drafted:

1. A data privacy processing agreement that accompanies all new contracts for services associated with the processing of members' personally identifiable information.
2. A Data Privacy Policy that will govern the management of privacy operations across the group of companies, a necessary precursory step to ensure that the data protection and privacy program can be fully implemented.
3. Data privacy incident management and response procedures to outline the process to be followed in the event of a data privacy breach.

Cognisant of the requirements of the Barbados Data Protection Act 2019, we also assigned the duties of a Data Privacy Officer to a senior officer with the requisite knowledge of data protection laws and practices, while the full framework with a substantive officer is being built out. The role is to advise the Credit Union of its rights and responsibilities under the Act,
