Privacy policy
Introduction
Discovery Limited and its subsidiaries (“Discovery”) rely heavily on information technology (IT) systems to support the company’s operations, people, and processes. As such, when cybersecurity or privacy incidents take place, the investigation and response must be timely, reliable, and available.
This policy sets out the requirements for cybersecurity and privacy incident response for Discovery to mitigate, as quickly as possible, any threat to the confidentiality, integrity, and availability of critical information assets.
This document constitutes the Cybersecurity and Privacy Incident Response Policy for Discovery Limited (‘Discovery’) and sets out the requirements and responsibilities for incident management in a manner consistent with industry best practices. This document is a statement of Discovery’s intent to ensure that cybersecurity and privacy incidents are managed appropriately to safeguard Discovery’s information assets in the event of a cybersecurity or privacy incident and to comply with applicable laws and regulations in all regions of operation.
The purpose of this policy is to define the principles for the logging, monitoring, and management of cybersecurity or privacy incidents. This policy document stipulates the controls that must be in place to enable Discovery to respond to cyber and privacy related incidents in a structured manner. This includes the identification, response, recovery, and post-incident activities. The policy addresses all Discovery technology, systems, data, and networks implemented in data centers, on premise, private, hybrid and/or public cloud infrastructures, including all other Discovery IT assets implemented across all IT environments.
Application
SCOPE
This policy applies to Discovery and its South African and international subsidiaries. This includes:
· All executive and non-executive directors.
· All senior managers.
· Full-time, part-time or temporary employees.
· Any independent contractors or consultants under our direct control.
· Cybersecurity and Privacy employees.
We assert our influence over business partners we don’t control or operate and encourage them to act in a manner consistent with our values and code of conduct. Trading partners are any third party with whom the Group has a business relationship or with whom a business relationship is being considered or is in the process of being finalised.
Implementation
Each subsidiary within Discovery must have processes and procedures in place to align its operations with the spirit and purpose of this policy. A subsidiary within Discovery may elect to place reliance on the processes and procedures of another subsidiary. Despite placing reliance on another subsidiary or outsourcing, accountability for compliance with this policy remains that of the relevant subsidiary within Discovery.
A subsidiary within Discovery may elect to have its own policy considering its nature, scale and complexity, and the legislation under which it operates. Such a policy must be consistent with this policy and the Board of Discovery Limited (Board) must approve any deviation from this policy by any of its directly held subsidiaries unless the deviation is necessary to facilitate compliance with legislative and regulatory requirements. In the latter instance, the approval is automatically granted if the board of directors of a subsidiary has communicated the need for such a deviation to the Board.
In respect of indirectly held subsidiaries of Discovery Limited, the board of the relevant intermediate holding company must approve any deviation from this policy by any of its directly or indirectly held subsidiaries.
The policy owner is responsible for ensuring the policy is approved by the relevant Board committee.
Our approach
4.1 POLICY PRINCIPLES
Cybersecurity is defined as the protection of information assets from the consequences of cybersecurity incidents by addressing threats to information processed, stored, and transported by inter-networked information systems. A cyber incident is defined as a cyber event that adversely affects the cybersecurity of an information system and/or the information that the system processes, stores, or transmits, or which violates the security policies, security procedures and/or acceptable use policies of the payment institution, whether resulting from malicious activity or not. A cyber event is defined as any observable occurrence in an information system. Cyber events sometimes provide an indication that a cyber incident is occurring.
A privacy incident is defined as any reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person or party.
4.2 ROLES AND RESPONSIBILITIES
Crisis Management team (CMT) – The CMT is the central team for the coordination of the process and response. To guide the overall response and plan tactical next steps, the CMT is responsible for collecting information from the Information Technology (IT) team, Legal team, Communications team, and other groups to inform its decisions. The chair of the CMT will coordinate and report to the Discovery executive team and potentially Board of Directors (BoD) to ensure everyone is kept up to date with the incident response process.
Forensics team – If required, the CMT will call on third-party forensics experts to provide forensic services.
Legal team – Comprising both internal and external legal counsel, the Legal team’s role is to provide the CMT with legal advice, including ensuring that legal privilege is maintained, and providing guidance on interaction with a cyber insurance party when necessary.
Privacy team – The Group Privacy team manages data privacy incidents. Depending on the nature of the compromise, notifications will be prepared by this team to notify the relevant stakeholders, including the chair of the Group Risk and Compliance Committee (GRCC), affected data subjects and the applicable authorities, such as the Information Regulator of South Africa.
Group Compliance team – The Group Compliance team will be able to assist with categorising the privacy incident and provide guidance in reporting it to the authorities and impacted data subjects.
Group Risk Management team – Provides independent advisory and oversight on key matters that breach the risk appetite at Group level, including an advisory role on incidents and breaches and related mitigating actions.
Central coordinator of cyber insurance cover – Ensures the cyber insurance process is invoked, if necessary, as per agreed terms. Determines, in conjunction with the Group Risk Management team, whether a business continuity plan needs to be invoked.
Group Forensics team – The Group Forensics team has a mandate to investigate internal employees and can assist with the investigation, especially if an employee caused the cybersecurity or privacy incident or was involved in orchestrating it.
Communications/Public Relations team – Comprising internal and external communications advisors, the Communications team’s role is to protect the company’s brand and advise on messaging, tone, and priority stakeholder engagements.
Additional responsibilities may be co-opted to the CMT as required, for example:
Human Resources team – Notify employees of a data breach, depending on the nature of the incident and what information was divulged. Help manage the consequences of an employee infraction which may have led to a breach. Communicate internally if employee information has been divulged.
When the Crisis Management team is activated, all relevant employees should be alerted that any incident-related questions or communications should be directed to the CMT, which will ensure that all communications materials are reviewed and approved. Alignment of content and messaging throughout the incident is aimed at mitigating legal and reputational damage.
4.3 GENERAL REQUIREMENTS
· A Cybersecurity and Privacy Incident Response Guide and applicable playbooks are available and provide comprehensive steps on the identification, detection, investigation, and recovery procedures for cybersecurity and privacy incidents. The Cybersecurity and Privacy Incident Response Guide must be approved by the Group Chief Information Security Officer (GCISO) and communicated to the relevant stakeholders involved in the Cybersecurity and Privacy Incident Response Process. The Group Chief Privacy Officer (GCPO) must communicate the Cybersecurity and Privacy Incident Response Guide to the relevant stakeholders from a privacy perspective.
· An Incident Response Team (IRT) must be established. The IRT must be made up of representatives of Privacy, Security and all applicable business functions, including, where applicable but not limited to, information technology, legal, human resources, law enforcement liaison, and public relations.
· The IRT must be aware of their role and responsibilities related to cybersecurity and privacy incidents.
· Cybersecurity and privacy incidents must be responded to in accordance with the documented incident response procedures.
· Cybersecurity and privacy incident response procedures must be reviewed when required, and any updates must be communicated to the appropriate parties.
· Management responsibilities and procedures must be established to ensure a quick, effective, and orderly response to cybersecurity and privacy incidents.
· The IRT must be assembled to carry out incident response tests or to test the incident response process in relation to cybersecurity and privacy incidents.
· The GCISO and GCPO must ensure that relevant parties, such as the media, Discovery’s clients, responsible authorities in terms of which the institution is licensed or registered, law enforcement, or other relevant third parties, are informed, as required.
4.4 PROCESS
4.4.1 IDENTIFICATION
The timely identification of cybersecurity and privacy related events and incidents is crucial in enabling Discovery to take the necessary actions to respond appropriately to any such cybersecurity or privacy-related incident.
· Employees and contractors using Discovery information and information assets are required to note and report any observed or suspected information security weaknesses in systems or services.
· Employees are responsible for reporting known or suspected cybersecurity or privacy-related events and incidents as soon as they become aware of such events and incidents.
· Employees and contractors must be aware of the channels to report suspected or actual incidents.
· Cyber and privacy awareness training must be rolled out to ensure that employees are aware of their reporting obligations and the channels available to them.
· All known or suspected cybersecurity-related or privacy incidents must be reported to Information Governance and Security.
· A Security Information and Event Management (SIEM) system must be implemented and maintained to assist in identifying events and incidents through appropriate log collection and correlation.
· Cybersecurity and privacy incidents must be appropriately recorded and documented from identification to closure.
· Cybersecurity and privacy incidents must be assessed by the relevant teams, and the incidents must be given an appropriate classification level.
· All cybersecurity and privacy incidents must be classified according to their level of severity, as defined by the Cybersecurity and Privacy Incident Response Team in the Cybersecurity and Privacy Incident Response Guide.
COLLECTION OF EVIDENCE
In the event of an incident, the related data must be identified, collected, and preserved. If data must be presented in a court of law, then a full forensic chain of custody must be maintained.
4.4.2 HANDLING AND RESPONSE
Cybersecurity and privacy-related incidents must be managed and coordinated by a cross-functional team depending on the level of the incident to ensure appropriate handling, response, and communication. All logged incidents must be addressed without undue delay.
A Cybersecurity and Privacy Incident Response Guide must be developed and maintained that contains the process and procedures to follow in the event of an incident. All significant cybersecurity and privacy incidents must be managed and coordinated by the IRT and in accordance with the process and procedures set out in the Cybersecurity and Privacy Incident Response Guide.
Cybersecurity and privacy incidents must be responded to in accordance with the documented procedures. Escalation procedures must be in place to ensure effective and efficient handling and response of an incident.
RECOVERY
A cybersecurity or privacy-related incident could cause a disruption in business operations or services, and Discovery must take the necessary actions to recover operational status as soon as feasible. Recovery procedures must be developed to handle, contain, and reduce losses from incidents while returning to normal operations as soon as feasible. In the event of loss of operations due to any incident, business continuity and/or disaster recovery must be initiated to restore operations to normal as per the business continuity plan.
4.4.3 POST-INCIDENT REVIEW
To enhance practices that minimise the occurrence of similar future incidents, Discovery must learn from incidents by performing a post-incident review.
Post-incident review processes must be established to determine the root cause of any cybersecurity or privacy incident. A post-incident report must be compiled and must include recommendations for any remediation of control weakness for all cybersecurity and privacy incidents to strengthen and improve the security posture.
The post-incident report must be compiled in accordance with the Cybersecurity and Privacy Incident Response Guide and its requirements, and within the period determined by the IRT. Discovery must define and apply procedures for the identification, collection, acquisition, and preservation of information that can serve as evidence (for the purpose of disciplinary or legal action).
COMMUNICATION
All key stakeholders, as determined by the CMT, must be kept informed of the progress during the handling of any incident. The CMT must determine when such communication will take place, based on the classification of the incident. Interaction and all forms of communication (including social media) with the public and any third parties in relation to any cybersecurity or privacy incident may only be made through the CMT. This is to ensure that accurate and consistent information is provided to stakeholders. Responsibility for reporting vital information about cybersecurity and privacy incidents to regulatory bodies lies with the Group Chief Compliance Officer and the Group Chief Privacy Officer, after consultation with Discovery Legal, if required.
Attestations
Each subsidiary and/or individual identified by the policy owner must attest to adherence to this policy.
Compliance with this policy
Our policies support our values and reflect what is important to us. We take breaches of our policies seriously. Depending on the severity of the breach, consequences may range from a warning to termination of employment.
Any breach of or non-compliance with this policy must be communicated to the policy owner as soon as reasonably practical. The policy owner, with input from key stakeholders, will consider the appropriate action(s) required. All instances of non-compliance with this policy will be included within the regular risk and compliance reporting processes and reported to the relevant board or committee.
EXCEPTIONS (DISPENSATIONS OR RISK ACCEPTANCE)
Any application for policy exception (dispensation or risk acceptance) must follow the dispensation review or risk acceptance process.