EXHIBIT 15.4
Cybersecurity management and governance
The Group Chief Information Security Officer (CISO) reports to the Chief Information Officer, a member of the Executive Team. The CISO is a member of key cybersecurity governance forums and is responsible for leading and managing the cybersecurity function, setting the cybersecurity strategy and direction, and overseeing the implementation, operation and execution of the cybersecurity policies, standards, controls, and capabilities, including for third parties who are engaged to manage Westpac’s information assets.
We have implemented a range of cybersecurity processes, technologies, and controls to facilitate our efforts to assess, identify, and manage cybersecurity risks, including regular network and endpoint monitoring, access controls, vulnerability assessments, penetration testing, annual information security training for employees, and tabletop cybersecurity incident response exercises.
We have an Incident Response Plan which guides the actions we are to take in the event of a suspected or confirmed cybersecurity incident. The plan includes processes to triage, investigate, contain, and remediate the incident. The plan is designed to contain and minimise the impact of a cybersecurity incident on our customers. We also maintain a Business Continuity Plan, which provides procedures for maintaining the continuity of critical business processes in the event of business interruption, including any that involve cybersecurity incidents which may significantly impact our operations.
Our cybersecurity team is informed about and monitors the prevention, mitigation, detection and remediation of cybersecurity threats through their management of, and participation in, the strategy processes.
The CISO and the cybersecurity team have relevant expertise and experience in various aspects of cybersecurity, such as strategy, governance, risk management, threat intelligence, incident response, security operations, architecture, engineering, testing and awareness. The CISO has extensive experience in information technology and cybersecurity. The cybersecurity team consists of qualified and competent professionals who have diverse backgrounds and skills in cybersecurity. The cybersecurity team regularly participates in training, education, and development programs to enhance their knowledge and skills to keep up with the evolving cybersecurity landscape.
As part of its cybersecurity risk management, Westpac engages with
The Board of Directors receives periodic updates from the CIO and the CISO regarding cybersecurity matters.