6. Notice of meetings
6.1 Meetings of the Committee shall be summoned by the Secretary of the Committee
at the request of any of its members or the Director of Global Governance.
6.2 Unless otherwise agreed, notice of each meeting (confirming the venue, time and
date, together with an agenda of items to be discussed) shall be forwarded to each
member of the Committee, any other person required to attend and all other
non-executive directors no later than five working days before the date of the meeting
(where reasonably practicable). Supporting papers shall be sent to Committee
members and to other attendees, as appropriate, at the same time.
7. Minutes of meetings
7.1 The Secretary of the Committee shall minute the proceedings of Committee
meetings, including recording the names of those present and in attendance.
7.2 Draft minutes of Committee meetings shall be circulated promptly to all members
of the Committee and, once agreed, to all other members of the Board, unless it
would be inappropriate to do so.
8. AGM
The Chair of the Committee shall attend the AGM prepared to respond to any shareholder
questions on the Committee's activities.
9. Duties
The Committee shall:
9.1 Oversee and advise the Board on the current cyber and data security risk
landscape and exposure of the Group and future cyber and data security risk
strategies, providing oversight of, but not limited to:
• Cyber security
• Global data protection legislation and regulation
• System and data security and integrity
• IT disaster recovery
• IT change management
9.2 Be apprised of, and review the effectiveness of, the Group’s ability to identify,
monitor and manage new cyber and data security risks;
9.3 Regularly review the cyber risk posed by third parties including outsourced IT
providers and other third-party partners;
9.4 Review at least annually the adequacy of the Group’s cyber security breach
response plan, through:
• Planned response exercises
• Providing challenge to lessons learned
• Sponsoring and supporting corrective actions, where deemed appropriate
9.5 Have oversight of, and review reports related to any cyber or IT security incidents,
the status of risk profiles and the adequacy and status of lessons learned and
proposed actions;
9.6 Have oversight of, and review reports related to data security incidents and