Cybersecurity Risk Management, Strategy and Governance | 12 Months Ended Mar. 31, 2025 |
---|---|
Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] | Item 16K. Cybersecurity
Infosys Cybersecurity integrates a robust strategy with a comprehensive framework and a strong governance program to ensure optimal protection. The primary objective of Infosys’s cybersecurity strategy is to ensure business continuity by minimizing disruptions and to continually improve the security compliance posture. This is achieved through an effective and continuous threat landscape monitoring system and the management of cyber events, leveraging advanced tools, technology, processes, and domain expertise. Infosys believes in nurturing a security-first mindset and upholding an effective security culture in the organization, thus complementing its cybersecurity objectives and mitigating enterprise risks. The cybersecurity program is designed to ensure that the necessary controls and processes are consistently implemented, monitored, measured, and improved to address cyber risks across all cybersecurity domains. There is a focus on embracing technological innovation, secure-by-design principles, strengthening the cyber-resilient core, and ensuring robust governance.
Risk management and strategy
Infosys maintains an integrated Enterprise Risk Management (ERM) framework that is implemented across the organization by the risk management office. Our ERM framework is developed with reference to the Committee of Sponsoring Organizations (COSO) and the International Organization for Standardization (ISO) 31000 and is tailored to suit our unique business requirements. Our ERM framework is designed to encompass all of the Company’s risks, such as strategic, operational, legal and compliance risks. The ERM function enables the achievement of the Company’s strategic objectives by identifying, analyzing, assessing, mitigating, monitoring, and governing any risks, vulnerabilities, or potential threats to these objectives. While this is the key driver, our values, culture, and commitment to stakeholders – employees, customers, investors, regulatory bodies, partners, and the community around us – are the foundation for our ERM framework. Our efforts to ensure the systematic and proactive identification of risks, and their mitigation, enable our organization to boost performance through effective and timely decision-making. Risks to the strategic goals are identified through a mix of top-down and bottom-up approaches and are included in a multi-layer risk register. Infosys’s ERM framework has defined organization-wide risk assessment guidelines and has set up an eight-layer governance structure covering categories of risks. Risks identified in different functions, including cybersecurity risks, are presented at the appropriate councils in the governance structure. Our ERM framework includes processes to escalate critical risks or cross-functional risks at each level to the next level in the ERM governance structure. ERM is also involved in defining the guidelines for the incident management process at Infosys.
Cybersecurity is one of the key enterprise risks monitored by the ERM, and periodic updates on the risks and mitigations are provided as per the governance structure guidelines.
Infosys Cyber Risk Management (CRM) is a comprehensive program designed to identify, analyze, prioritize, treat, and monitor cyber risks and vulnerabilities across the enterprise. Our cyber risk assessment framework aligns with the ISO 31000, ISO 27001, and ISO 27005 standards, in a manner designed to ensure a robust and standardized approach. Our CRM processes are seamlessly integrated with Infosys’s Enterprise Risk Management (ERM) framework, promoting consistency and thoroughness throughout the risk management lifecycle. This integration facilitates cross-functional risk analysis and streamlined reporting to management. Infosys’s CRM focuses on safeguarding the information, information processing assets, and facilities of Infosys and all its subsidiaries, thereby ensuring the continuity of our business operations. Our vulnerability management program is built on a remediation strategy that emphasizes threat-based prioritization, vulnerability aging analysis, and continuous tracking. Additionally, Infosys’s third-party security risk management program is designed to effectively manage potential security risks and vulnerabilities at every stage of supplier engagement. This program incorporates strong governance processes, continuous monitoring of security metrics, threat intelligence tracking, and periodic risk assessments.
Multiple committees and sub-councils, ranging from the board level to the departmental functional level, have been established to ensure focused governance and continuous monitoring of cyber risks across all levels of the organization.
Due to the constantly evolving and increasingly complex nature of cybersecurity risks, timely detection and defense are crucial to bolster our internal risk management processes. In this regard, Infosys collaborates periodically with third-party security consultants. These engagements include cybersecurity maturity assessments, gap analysis, evaluations of security controls and processes, and table-top exercises. These experts, who are well-versed in the latest cyber trends and threat landscapes, provide valuable recommendations and guidance to address and mitigate risks. Observations from these engagements are reviewed with the senior management to determine appropriate actions to address any identified findings.
Governance
Infosys’s cybersecurity program is managed by a dedicated team of seasoned professionals who constitute the Information Security Group (ISG). This program employs a multi-layered defense-in-depth approach, starting with a robust cybersecurity strategy, supported by comprehensive policies, processes, and controls (preventive, detective, and corrective).
Infosys Management plays a vital role in managing material risks from cybersecurity threats. A full-time Chief Information Security Officer (CISO) has overall responsibility for the Infosys cybersecurity program. From driving thought leadership and security culture to enabling enterprise security and improving the security posture, our CISO and his team, the Information Security Group (ISG), are committed to fortifying the cybersecurity cause. The CISO and ISG are responsible for identifying, detecting, assessing, and mitigating potential risks and threats related to information technology systems, networks, and data, and for ensuring that the necessary cybersecurity policies, processes and practices are established and implemented. The CISO orchestrates close collaboration between multiple teams within the ISG, such as the Cyber Defense Centre, Technical Operations, Business Security, and Risk Management; reviews various areas including the cyber threat landscape, security incidents and risks, cybersecurity metrics, and technology implementations; and helps in making key decisions and strategic improvements.
Infosys has established a Risk Management Committee (RMC) at the Board level, composed exclusively of independent directors. This committee assists the Board in fulfilling its corporate governance responsibilities, particularly in the identification, evaluation, and mitigation of strategic, operational, and external environment risks. The RMC holds overall responsibility for monitoring, evaluating, and approving the Enterprise Risk Management (ERM) framework and associated practices of the company. Under the RMC, the Board has constituted a Cybersecurity Risk Subcommittee (Subcommittee), which includes four independent directors. The Subcommittee's objective is to assess cybersecurity-related risks and evaluate the company's preparedness to mitigate and respond to such risks.
A high-level working group, the Information Security Council (ISC), has been established to govern and oversee the Information Security Management System at Infosys. The ISC serves as the primary governing body for information security at Infosys, focusing on the establishment, direction, and monitoring of the information security governance framework. It reports to both the Operational Risk Council and the Legal & Compliance Risk Council.
The ISC convenes periodically to discuss cybersecurity and other information security matters relevant to the company, ensuring adherence to the information security program. The Cybersecurity Risk Subcommittee receives updates from the company's management regarding cybersecurity matters, meets periodically, and recommends its findings, if any, to the RMC. In exercising its risk oversight, the Board receives periodic updates from the RMC concerning cybersecurity and other information security matters.
At Infosys, our employees operate in a hybrid model. Hence, we remain vigilant about the evolving cybersecurity threat landscape and stay abreast of the latest cybersecurity threats globally. Infosys is certified against the Information Security Management System (ISMS) Standard ISO 27001:2022. Additionally, we have been attested for SSAE 18 and ISAE 3402 SOC 1 and SOC 2 by an independent audit firm.
During fiscal 2025, we strengthened our cybersecurity posture by embracing cutting-edge technology, tools and processes. We also focused on training our cybersecurity personnel and fostering a security culture of inclusive and collective ownership. We have empowered the developer community with dedicated courses and resource kits, aligning with our broader initiatives to enhance cybersecurity processes, technologies, and overall posture.
As an organization, we continue to review and strengthen our cybersecurity processes and controls across our entire network. |
Cybersecurity Risk Management Processes Integrated [Flag] | true |
Cybersecurity Risk Management Processes Integrated [Text Block] | (identical to the opening paragraph of Item 16K above) |
Cybersecurity Risk Management Third Party Engaged [Flag] | true |
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
Cybersecurity Risk Board of Directors Oversight [Text Block] | Governance (identical to the Governance section of Item 16K above) |
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | Infosys Management plays a vital role in managing material risks from cybersecurity threats. A full-time Chief Information Security Officer (CISO) has overall responsibility for the Infosys cybersecurity program. |
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | The Cybersecurity Risk Subcommittee receives updates from the company's management regarding cybersecurity matters, meets periodically, and recommends its findings, if any, to the RMC. In exercising its risk oversight, the Board receives periodic updates from the RMC concerning cybersecurity and other information security matters. |
Cybersecurity Risk Role of Management [Text Block] | Infosys Management plays a vital role in managing material risks from cybersecurity threats. A full-time Chief Information Security Officer (CISO) has overall responsibility for the Infosys cybersecurity program. From driving thought leadership and security culture to enabling enterprise security and improving the security posture, our CISO and his team, the Information Security Group (ISG), are committed to fortifying the cybersecurity cause. The CISO and ISG are responsible for identifying, detecting, assessing, and mitigating potential risks and threats related to information technology systems, networks, and data, and for ensuring that the necessary cybersecurity policies, processes and practices are established and implemented. The CISO orchestrates close collaboration between multiple teams within the ISG, such as the Cyber Defense Centre, Technical Operations, Business Security, and Risk Management; reviews various areas including the cyber threat landscape, security incidents and risks, cybersecurity metrics, and technology implementations; and helps in making key decisions and strategic improvements. |
Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | A full-time Chief Information Security Officer (CISO) has overall responsibility for the Infosys cybersecurity program. Infosys has established a Risk Management Committee (RMC) at the Board level, composed exclusively of independent directors. This committee assists the Board in fulfilling its corporate governance responsibilities, particularly in the identification, evaluation, and mitigation of strategic, operational, and external environment risks. The RMC holds overall responsibility for monitoring, evaluating, and approving the Enterprise Risk Management (ERM) framework and associated practices of the company. Under the RMC, the Board has constituted a Cybersecurity Risk Subcommittee (Subcommittee), which includes four independent directors. The Subcommittee's objective is to assess cybersecurity-related risks and evaluate the company's preparedness to mitigate and respond to such risks.
A high-level working group, the Information Security Council (ISC), has been established to govern and oversee the Information Security Management System at Infosys. The ISC serves as the primary governing body for information security at Infosys, focusing on the establishment, direction, and monitoring of the information security governance framework. It reports to both the Operational Risk Council and the Legal & Compliance Risk Council. |
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | The CISO orchestrates close collaboration between multiple teams within the ISG, such as the Cyber Defense Centre, Technical Operations, Business Security, and Risk Management; reviews various areas including the cyber threat landscape, security incidents and risks, cybersecurity metrics, and technology implementations; and helps in making key decisions and strategic improvements. |
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | The ISC convenes periodically to discuss cybersecurity and other information security matters relevant to the company, ensuring adherence to the information security program. |
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |