Environmental, Social and Governance
Macquarie’s purpose ‘Empowering people to innovate and invest for a better future’ represents why we exist and what we do. We believe that by empowering people – our colleagues, clients, communities, shareholders and partners – we will achieve our shared potential.
Macquarie’s high standards for conduct are underpinned by What We Stand For, and our long-held principles of Opportunity, Accountability and Integrity.
We are committed to conducting our business in accordance with all applicable laws and regulations and in a way that enhances our reputation in the market. We are committed to ensuring our products and services are marketed appropriately and that clients are fairly treated.
Business conduct and ethics are addressed within our existing risk management framework by establishing and maintaining an effective risk culture that drives good conduct. This is supported by a framework of policies, controls, processes and reporting mechanisms, in particular to manage compliance, legal, reputation and operational risks.
Macquarie acknowledges the inherent cyber risks associated with employing technology platforms to support our business activities. The cyber threat landscape includes financially motivated actors, nation states and hacktivists who strive to access systems and data from anywhere in the world. We seek to function within a controlled environment that reduces the likelihood of cyber incidents occurring, while ensuring that our security capabilities and incident response measures can effectively mitigate the impact of potential incidents.
Macquarie manages cyber and information security risk through Macquarie’s operational risk management framework. Macquarie has no appetite for operational risk incidents that threaten Macquarie’s viability, have a material impact on Macquarie’s earnings, or that cause significant damage to Macquarie’s reputation, staff, clients, counterparties or the markets or communities in which Macquarie operates.
We continuously monitor for changes in the threat landscape, assess their potential impact on Macquarie, implement controls to mitigate the threats identified and manage our residual risks in accordance with our risk appetite.
Macquarie is aligned to the United States of America’s National Institute of Standards and Technology Cyber Security Framework (NIST CSF) and regularly performs assessments to ensure cybersecurity capabilities are implemented that are appropriate for Macquarie’s size and threats faced.
Macquarie endeavours to comply with cybersecurity regulations and laws in the countries in which it operates, which include the Australian Prudential Regulation Authority’s CPS 234 Prudential Standard on Information Security and the New York State Department of Financial Services 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies. In addition, Macquarie complies with data protection requirements in each jurisdiction that are applied through privacy regulations and laws.
Macquarie has dedicated specialised teams who design, implement, monitor, and assess Macquarie’s cybersecurity controls. These teams implement policies and procedures to:
Macquarie’s operational risk management process includes the assessment of current and emerging risks and internal and relevant external incidents.
Macquarie follows the ‘three lines of defence’ model where the business, the first line, owns the risk and is responsible for designing and operating appropriate controls and periodically assuring the effective design and operation of controls. The Risk Management Group (RMG) are an independent team, who are line two, that provides tools and guidance to ensure the risk management framework is effective and consistently applied across each business. Internal Audit are the third line who provide independent assurance to the Board Audit Committee (BAC) that the Operational Risk Management Framework is operating effectively, including business implementation and RMG’s oversight of line one.
The Macquarie Group Privacy Policy sets out why we need to collect personal information, how we collect it, what we do with it, how it is stored and who we might share it with. It also describes how individuals can access or correct information about themselves and how to ask further questions or make a complaint. The policy is administered by a dedicated privacy and data function and is supported by privacy and data training and awareness activities.
Macquarie has processes in places to investigate data breaches involving personal information and will notify clients, customers, regulators, and other appropriate stakeholders of a data breach where we are required to do so under local legislation or as is otherwise appropriate in the circumstances. Where notification is required, we will do so promptly and in accordance with the time period for notification provided for under local legislation, for example within 72 hours in jurisdictions governed by the General Data Protection Regulation.
To find out more about what we have done over the last year, refer to the Macquarie Group ESG Report.