The integrity, reliability and security of information in all its forms are critical to our company’s daily operations. Inaccurate, incomplete or unavailable information, external intrusions on information systems, or unauthorized access to information can damage and disrupt our business and have financial and reputation implications. Customers trust us with personal information so that we can meet their needs in different areas of our business, such as in our pharmacies, through our e-commerce platforms, loyalty program and more. We also have an obligation to protect the information entrusted to us by our teammates.
Fiscal 2023 Performance Highlights
of corporate office teammates completed Supplementary Phishing Training
of corporate office teammates completed Security Awareness Fundamentals
Our Approach
Our business strategy (see About Us) is enabled by an ambitious digital transformation program.
This increased investment in and use of digital tools means we also face increased risk of cyberattack—which is why in fiscal 2023 we continued to update and accelerate our three-year cyber security roadmap to make sure we are keeping pace with both our evolving business initiatives and external threats. We plan to achieve ISO27K information security management certification by 2025. Our cyber security approach is all about having many layers of protection for devices, transactions, data and people, complemented by rigorous, round-the-clock monitoring.
We operate extensive and complex information technology systems that are vital to the successful operation of our business strategies. Our systems include advanced endpoint detection, response protection and monitoring, cloud security controls, threat hunting, threat intelligence, vulnerability management, and 24/7 monitoring. In addition, all projects undergo security risk assessments such as threat risk assessment, vendor risk assessment and compliance impact assessment. We ensure that due diligence is carried out for all new and existing critical supplier partners.
We place a strong focus on teammate awareness and training and on policies to govern the acceptable use of corporate devices and assets. Our Cyber Security Employee Awareness and Training program provides our team members with the knowledge to ensure they make informed decisions to protect our business from cyber-related threats. Training is provided through our learning management system and through monthly targeted phishing campaigns, mandated modules, regular teammate communications on relevant cyber security topics and digital signage.
Our corporate Privacy Policy is available to the public on our corporate websites. It’s all part of our plan to protect our business and customers.
2022 Cyber Incident
On November 7, 2022, we notified our stakeholder community by news release that the company had been affected by a significant network issue. We engaged global cyber security forensic teams to undertake an investigation and reported the incident to the appropriate regulatory and policing bodies. As a result of this ongoing work, on December 15, 2022 we publicly confirmed that the Company had been impacted by a Cyber Event. The process to identify what data was impacted was extremely complex, and in March, 2023 we notified those who were potentially impacted. We did this out of an abundance of caution, and in compliance with our regulatory obligations. Through those notifications, we communicated that we had seen no evidence that personal data was accessed or removed from our servers, that transparency matters deeply to us, and that we regret that this event occurred. Cyber security is and has always been a priority for us. We take the protection of personal information as critically important.