This area of our website offers information about some of the things we do as a responsible business. For more practical help visit our fraud and security pages.

Our Security Strategy

The world of cyber security is constantly evolving and in recent years, the financial services industry and firms within it have seen a significant increase in attempted fraud and cyber activity.

Our Security Strategy for 2020 to 2023, approved by the Board, takes a proactive approach to ensure the Society is prepared to meet the challenges of today and the future. Progress against our strategic roadmap is tracked monthly with members of the Security and Resilience Senior Management Team and the Senior Leadership Team, and, when necessary, reported to the monthly Strategy and Finance Board meeting for escalation.

How we monitor and assess our performance

Internal and external testing of our capabilities means our Security Operations Centre, which monitors for threats 24 hours a day, 7 days a week, is prepared to respond, keep our services running and keep our systems secure.

Along with our monitoring capabilities, we work with the wider financial services industry and the National Cyber Security Centre to share good practice and intelligence on new and evolving cyber threats. We also undertake the Bank of England’s CBEST framework, which delivers intelligence-led cyber security tests that replicate the behaviours of real-world threat actors. For the fourth year in a row, following an external assessment, Nationwide continues to be recognised as compliant with the Payment Card Industry Data Security Standard (PCI DSS) for its merchant processes.

From an audit perspective, this year we completed re-certification to ISO 27001, the international standard for managing information security. We also engage PwC for an annual cyber security maturity assessment, and our external auditors, Ernst & Young, assess our security controls as part of the annual IT and Security Risk Assurance Audit. We provide external attestation of our cyber security position to Swift on an annual basis, in addition to our annual commitment to satisfy the security requirements of each of the payment schemes we participate in, Link and BACS.

How we support and train colleagues

We’re continually maturing our education and awareness programme to educate our colleagues and develop a strong culture that values security. Upon hire and annually thereafter, all employees must complete core security awareness and data privacy training, as well as training that’s relevant to their role. This is reinforced with further training and engagement campaigns throughout the year. Our supportive and innovative approach to training colleagues on combating phishing and protecting data, through interactive training sessions and escape room experiences, has been recognised by external auditors as above that of our peers. We’ve even seen colleagues complete mandatory training more than once; they enjoyed it that much.