Data Security
Securing and protecting data against unauthorised access, use, disclosure and loss is a key priority for us.
The loss or inappropriate use of data and systems could result in material loss of business, substantial legal liability, regulatory enforcement actions and significant harm to our reputation.
We continually enhance and invest in our security infrastructure, practices and culture across the business.
Experian’s Global Security Office (GSO) establishes and governs global security requirements designed to safeguard against threats, comply with relevant regulations, align with industry standards and fulfil contractual requirements.
Our security approach has three tiers: applying tools and processes to prevent threats from entering our environment; detecting if a threat enters our environment; and mitigating threats by minimising the potential for information to be extracted from our environment. Threat-informed defence helps us shape, assess, prioritise and measure the effectiveness of our approach.
We have controls in place to mitigate the risk of loss or inappropriate use of data and systems, with layers of protection for our data assets, and our Development, Security and Operations (DevSecOps) teams build security considerations into our products throughout their lifecycle.
We continually review, adapt and improve our information security programme, tools, expertise and processes to respond to evolving threats and align with external standards. We conduct periodic risk assessments, and our operations are subject to external cyber security audits annually. We seek and receive third-party assurance through: certification of key business areas and systems against standards including ISO 27001 and the Payment Card Industry Data Security Standard (PCI DSS); independent attestation of our security programmes, such as annual SOC 2 reports on system and organisational controls; and regional or country-specific certifications and accreditations.
We interact with law enforcement authorities and others in our industry to gather intelligence to help our security teams stay abreast of evolving cyber threats. We also share our knowledge where appropriate to help other businesses and consumers keep their data safe, including through our annual Data Breach Industry Forecast on emerging threats.
Our Cyber Fusion Centre identifies and responds to suspicious or malicious activity, with teams located globally to provide continuous coverage. If a threat is identified, our incident response team follows defined response procedures with support from our in-house forensic team and external experts, as needed. Depending on the severity of an incident, escalation procedures may include notifications and disclosures to meet applicable regulatory and contractual requirements.
Data breaches may occur when a vulnerability in the environment is exploited. We use a defence-in-depth approach – the deployment of layered countermeasures to achieve security objectives – to protect against, detect, respond to and recover from attacks. We conduct simulated exercises to train our cyber security teams and senior leaders in how to respond in the event of a breach and to identify opportunities for improvement.
In the event of a reportable breach, we would disclose information about the incident and commit to contacting any affected data subjects in a timely way. We do not publicly disclose vulnerabilities, lapses or other characteristics of our technology environment that could be used by a threat actor to do harm.
Business continuity and disaster recovery plans are reviewed and tested annually to help ensure ongoing operational resilience. Experian’s Business Continuity Management System is certified to ISO 22301, with certifications covering the following locations: Sofia (Bulgaria), Hyderabad (India), Kuala Lumpur (Malaysia), and Infrastructure Services, Nottingham (UK).
The Global Chief Information Security Officer (CISO) has overall responsibility for Experian’s global security strategy, and the senior management team is responsible for setting direction and managing day-to-day operations.
Board-level oversight is reinforced by including information security as a standing item for scheduled Audit Committee meetings, and the CISO reports to the Committee at each meeting.
Multiple committees are responsible for identifying and managing risk, and for overseeing implementation of our Three Lines of Defence model for risk management (outlined in the Risk Management section of our Annual Report).
The Security and Continuity Steering Committee (SCSC) monitors the emerging threat environment and oversees management of global information security, physical security, and security continuity risks consistent with Experian’s risk appetite, strategies and objectives. The SCSC is chaired by the Chief Executive Officer, and the Chief Financial Officer is deputy chair.
Significant security matters are escalated to the Executive Risk Management Committee and reported to the Audit Committee and the Board as appropriate.
We extend our information security standards to our suppliers and partners through the terms of our contracts. We provide them with access to our data and systems only where necessary and in line with our information security requirements.
We complete risk assessments and due diligence on all high-risk third parties before they begin working with us and apply tiered security requirements and controls according to their level of risk. We follow up to ensure any necessary remediation actions are completed before services commence. Thereafter, we conduct further assessments as part of our third-party risk management framework to ensure third-party controls are sustained throughout the term of the engagement.
Experian’s governance of mergers and acquisitions includes due diligence to identify potential security risks and remediation actions as part of the acquisition process. Follow-up assessments of security risks are conducted by second and third lines of defence as part of the integration of the acquired business into the Experian environment.
We make clear that everyone at Experian must take personal responsibility for security, and senior leaders are highly engaged.
Our security policies and standards, informed by industry frameworks, set clear requirements for all employees and contingent workers who have access to Experian systems (‘users’). Users must complete mandatory information security training when they first start working with us, and annually thereafter. We monitor training completion rates throughout the year.
We routinely refresh our training and run campaigns to raise awareness of evolving risks and specific topics such as using generative AI (GenAI) securely, defending against phishing/vishing or other types of social engineering, and protecting data through proper classification and handling. We also provide additional training for people working in higher-risk areas, such as product and software development, or roles most likely to be targeted by phishing/vishing attacks.