10 Ensuring cyber & data security and privacy
Cyber security remains a high priority and every year Bouwinvest assesses its information security with the help of Northwave, a cyber security consultancy organisation. In 2023, 57 out of 58 scores on the DNB (Dutch Central Bank) norm (Good Practice Information Security) were on or above the official target. An assessment of the HR succession planning was not performed in 2023 as the department is undergoing a transformation process, resulting in one lower score. This succession planning will be performed in 2024.
Bouwinvest implemented more advanced, Bouwinvest-specific use cases within the Security Information and Event Management tooling to have more real-time control over cybersecurity risks. We also performed a red team exercise in which the attackers' objectives were to access the Bouwinvest 'crown jewels', disable backup systems and simulate a ransomware attack. The attackers were not able to achieve their objectives.
Bouwinvest again ran a company-wide security awareness programme, including phishing tests and videos that train employees to recognise phishing attempts. We aim for a minimum of 95% participation, and in 2023, 97.4% of Bouwinvest employees took part.
Regarding privacy, the Governance, Risk and Compliance system was enhanced with the register of processing activities and the data breach register. All data breaches are now reported from this system.