Managing cybersecurity risks

We anticipate, identify and mitigate cyber threats through our management of information security risk.

We do this to protect our customers’ and colleagues’ data and the Group’s services.

Our risk and controls frameworks help us to manage and mitigate risks, and our in‑house cybersecurity professionals identify, protect against, detect, respond to and recover from cyber threats and attacks.

Our Bupa-wide Enterprise Policy on Information Security and related Standards, which undergo regular review to ensure alignment with changing regulations and industry best practice, underpin our cybersecurity management.

All three levels of our three lines of defence risk management model provide robust governance over this management. They consistently perform risk assessments and audits to identify, monitor and report upon key threats, security controls and metrics, including those related to our third parties, to ensure Bupa remains within risk appetite.

A cybersecurity mindset is proactively encouraged throughout the organisation. Regular mandatory cybersecurity training is taken by all employees no matter what their role. Oversight and constructive challenge of our regular Information Security risk management reporting are offered through the active engagement of the Bupa Enterprise Risk Committee, the Board Risk Committee and Subsidiary Boards.

We regularly engage accredited cybersecurity experts for independent assessments. Recognising both the importance of operational resilience and the threats posed by cybercriminals, our disaster recovery and incident management frameworks are built to support rapid restoration of essential healthcare services in the event of a cyberattack.