
Annual Integrated Report

National and international action guidelines

To ensure the highest security standards, we adhere to industry-leading protocols. Our operations are currently aligned with the following:

⚫ the Brazilian Central Bank's cyber security resolution
⚫ the NIST-CSF cyber security framework, which is regarded as the most up-to-date and pragmatic on the market
⚫ ISO-27001, which outlines best practices for information security management
⚫ the global corporate cyber security policies issued by the Santander Group's headquarters

Based on these references, we have established best practices in a global security program, which is monitored by independent units within the organization. On a local level, the operations of these units are subject to our Corporate Governance practices. This governance structure includes the Operational Risks and Audit departments, which serve as the second and third lines of defense, respectively. As a regulated and publicly traded company, our security processes are also reviewed by independent auditors and the Brazilian Central Bank itself.

Internal structure

Our primary defense structure is Cyber Security & Anti-Fraud, which centralizes technology risk management. This hub comprises the Cyber Security, Fraud Prevention, and GRC (Governance, Risk and Compliance) units. We are also supported by the Security Operations Center, which is based at the Santander Group's headquarters in Madrid. This division is responsible for formulating monitoring actions for all Santander units. Additionally, we have a local cyber security operation entirely dedicated to security practices and disciplines. Its activities encompass technical architecture, data center infrastructure security, system development, and incident response.

Awareness and training

Every year, we organize training sessions and awareness strategies so that cyber risk management and information security are ingrained in the daily routines of our employees, interns, and customers.
In 2022 alone, our online communications, featuring valuable insights for customers on how to protect themselves against digital scams and attacks, garnered over 73 million impressions across more than 15 channels. We constantly invest in security and technology solutions, refining training and awareness initiatives for employees, customers, and society at large. Some of the initiatives undertaken last year are listed below.

• Launch of Cyber Defenders, a biannual awareness pathway for executives, aimed at decentralizing cyber security knowledge within the organization
• Pathway guidance for teams whose activities have a high degree of criticality, such as Swift payment operators and IT developers
• Security campaigns on social media for customers and society, featuring influencers
• Launch of Cyber Heroes for customers, a quick, free, and accessible course offering tips against fraud and scams
• Release of the Security Champions Program, a Cyber Security training initiative for the entire FIRST team, with a focus on secure development
• Periodic phishing tests for employees, with the goal of equipping them with the skills to recognize cyber attacks
• Revamping of our security website, featuring exclusive content on safeguarding oneself against scams

Security-focused initiatives

We devised fresh initiatives throughout 2022 to reinforce the security of our protocols. The following are a few of them:

→ Facial Biometrics: we deployed this technology, which enables robust authentication, to provide our customers with the convenience of conducting risk transactions via electronic channels.
→ Information leakage prevention: we strengthened our efforts in this field through the implementation of an information classification process, as well as the establishment of rules for information protection and compliance with local and global regulations.
→ Supplier Cyber Security Risk Management: we assessed the maturity of preventive controls (detection and response) implemented by companies providing the Bank with critical services. In addition, specific assessments focusing on the handling of emerging threats, such as ransomware, and the monitoring of improvement plans have been conducted.

General Data Protection Law ("LGPD")

The General Data Protection Law ("LGPD"), which has been in effect since 2020, sets forth regulations for the processing of personal data, including by private companies. We acknowledge the importance of this matter and accord it high priority. Our LGPD compliance program is spearheaded by a specialized division dedicated to data protection and privacy, encompassing all data processing activities involving the personal information of our customers, former customers, and employees. This team is responsible for all governance processes pertaining to the subject matter and invests in technologies and processes that increase transparency to data subjects and enhance data security against cyber threats. Additionally, this department works to optimize internal processes that promote compliance with privacy concepts across all our operations. In addition to structuring mechanisms that ensure compliance with the rights of data subjects as provided for in the LGPD, we have strengthened our culture regarding this matter by establishing a robust governance framework that encompasses all levels of the organization, including affiliated companies.
[2-6; 2-23] Material topic: Culture, Conduct, and Responsible

Supplier relationship

Supplier management and control

Our engagement with suppliers involves a rigorous assessment process at all stages, including competition, approval, and contract duration. To this end, we adhere to the guiding principles of the United Nations Global Compact as a foundation for our approach. One of the internal instruments used to ensure that these commitments are met is the Supplier Code of Conduct, which governs all principles that must be respected in our business relationships. We also follow the PRSAC, the Outsourcing and Third-Party Agreements Corporate Framework, the Supplier Approval Policy, as well as anti-corruption and money laundering prevention regulations.

We categorize the range of services that a supplier can provide us based on their inherent risk level (critical, high, medium, low, and risk-free) and strive to ascertain this risk prior to the procurement/renewal procedure, utilizing a risk assessment calculator. In this process, we evaluate the service's characteristics, data access and/or processing, level of data confidentiality, and system accessibility, among other factors.

Within our organizational structure, the service manager is primarily responsible for ensuring compliance with all requirements specified in the key supplier management and control processes, as depicted in the adjacent figure:

[Figure: key supplier management and control processes: 1 Pre-Engagement, 2 Negotiation, 3 Company Approval, 4 Formalization, 5 Risk Assessment, 6 Monitoring, 7 Termination/Renewal]

*Learn more about the Supplier Code of Conduct and the PRSAC on our website

[308-1, 414-1] Procurement requirements

The procurement process for all our suppliers contains contractual provisions that stipulate:

⚫ good social and environmental practices
⚫ defense of human rights (such as preventing child and forced labor)
⚫ guidelines against moral and sexual harassment and combating corruption
⚫ legal, fiscal, tax, and reputational suitability

For the approval of suppliers deemed relevant, we undertake more thorough assessments of their inherent risks, which encompass factors such as business continuity, cyber security, physical security, facilities, and data protection. At the end of 2022, we had active contracts with 1,802 suppliers, of which 6% were regarded as more relevant, based on their activities and predefined risk criteria. Our suppliers engage in a range of activities, including call center, debt collection, telemarketing, business process outsourcing ("BPO") for real estate and financial credit, secure transportation of valuables, and document archiving.

In 2022, we expanded our engagement with suppliers regarding ESG issues. We launched a series of initiatives aimed at promoting engagement, awareness, and communication, including webinars on climate change. These efforts are designed to assist our partners in their transition to a low-carbon economy, while considering the risks and opportunities arising from the social, environmental, and climate impacts of their businesses. Furthermore, as part of a pilot project, we assessed 89 significant suppliers and administered an ESG criteria questionnaire. Out of the total, 46% achieved the desired minimum level of compliance, while the remaining suppliers were provided with recommendations for developing an action plan for implementation in 2023.

Monitoring

We conduct regular monitoring of our suppliers, during which we evaluate a variety of factors, such as the labor, tax, fiscal, and reputational situation, significant events related to operational risks, involvement with forced labor, and penalties imposed by the public authorities. Our Supplier Forum is responsible for deliberating on each case and overseeing the implementation of any action plans related to identified opportunities for improvement. Additionally, this body is tasked with ensuring the implementation of the Corporate Outsourcing Framework and Third-Party Agreements, as well as policies and regulations of regulatory agencies.

Diversity and inclusion

Since 2020, newly drafted contracts and amendments have incorporated a specific clause designed to reinforce the respect and promotion of diversity and inclusion, as well as the commitment to train all service providers. We have also produced an e-book on this subject, consolidating fundamental concepts and behaviors that are minimally required by Santander and its affiliates.

Climate management

Since 2017, when we joined the CDP Supply Chain, we have invited our suppliers to provide information pertaining to their climate management. In 2022, 34% of them reported emissions data, as well as the risks and opportunities associated with this subject matter for their respective businesses.