4.3  Data security: our impact and strategy

We are committed to providing a secure and safe environment for the personal and other data and information we hold, and to protecting the data of our clients, service providers, and other third parties. We regard this information and the associated information systems as valuable assets that are fundamentally important to our business operations, but that also carry risk: they are targets for data threats and they involve the handling of confidential information. To address these risks, the information security and data protection practices applied to our information systems are based on globally recognized security best practices and are certified against ISO 27001, the standard for Information Security Management Systems.

G1 Business conduct

Materiality of data security (table): impact materiality (positive, negative), financial materiality (opportunity, risk), and value chain.

Data security

At KPMG N.V., securing and protecting data is everybody's responsibility. This is inherent to providing quality services and products, internally and externally. Information security is also a line responsibility for everyone in our workforce: each person must ensure that policies are appropriately implemented and processes are executed within their own area of responsibility.

In an increasingly interconnected digital world, data security is at the heart of protecting business continuity and reputation. Our cyber security strategy is designed to proactively address evolving threats by establishing key security principles that guide every layer of our operations. These principles enable architects, solution designers, and product owners to make informed decisions that balance risk and opportunity while safeguarding one of the organization's most valuable assets: our data. By embedding security into the foundation of our digital architecture, we reduce the likelihood and impact of breaches and ensure that we remain resilient in the face of cyber risks.

Our key principles for managing data security risks are: making decisions that balance risk with economic opportunity; ensuring transparency in our risk posture; maintaining multiple layers of defense (defense in depth); adhering to a zero-trust and least-privilege approach; and fostering a culture in which security is embedded in our employees' mindset. Additionally, our solutions are designed with security first and on the assumption that a breach will occur, so that they are prepared to detect, contain, and recover from one.

4.3.1  IRO management: Key policies and actions to address data security risks

Protecting sensitive information is not only a regulatory requirement but also a core element of building trust with our clients, external partners, and other stakeholders. As organizations increasingly support their operations with digital systems, managing the risks involved is crucial, and an effective risk management process is therefore an important component of a successful information security program. We recognize that data security is a shared responsibility: every member of our organization plays a critical role in protecting our data, supported by clear guidelines, tools, and training programs that enable them to act decisively in the face of potential threats.

This section of our sustainability statement outlines the key policies and actions implemented within our organization to mitigate data security risks, enhance resilience, and ensure that the confidentiality, integrity, and availability of our data remain intact.

Overview of key policies addressing data security risks

Our approach to data security is guided by the Information Protection Policy Framework in our Global Quality & Risk Management Manual, which includes our Global Information Security Policies, Standards, and Guidelines; our Acceptable Use Policy; and our Information Classification Policy, among others. These have been developed in consultation with stakeholders, including subject-matter experts, and follow the guidance of globally recognized standards. These policies underpin our data security and apply not only to our core IT team but also to other functions involved in managing data; they are therefore made available through our intranet to all employees and to the key stakeholders involved in implementing them. They are designed to address potential vulnerabilities at all levels of our operations, from network infrastructure to employee access rights, and are supported by continuous monitoring, training, and incident response plans.

To keep our policies and actions aligned with our business needs and regulatory requirements, KPMG N.V. has a well-defined governance framework for implementing and monitoring our data protection policies, risk management, and compliance measures. Our National IT Security Officer leads the information security program, working closely with Quality & Risk Management and the other technology teams within our organization.

Policy name / Key contents

Global Information Security Policies, Standards, and Guidelines

The clauses of our Global Information Security Policies, Standards, and Guidelines are mapped directly to ISO 27001:2022 controls and represent the minimum information security baseline for our IT operations. The policy establishes a baseline for the protection of KPMG N.V. and client information and systems. It is published on our intranet and must be read, understood, and applied by the KPMG N.V. people who hold responsibility for IT and information security within our firm, as they are both the affected and the implementing stakeholders.

Acceptable Use Policy

Our Acceptable Use Policy establishes the minimum standards for the acceptable and appropriate use of information and technology assets by our people. It also sets out how we should protect KPMG N.V. technology assets in our care.

Anyone in our firm who is authorized to access technology resources must accept responsibility for their actions regarding the use and safeguarding of KPMG N.V. information assets, data, and technology resources, in accordance with the requirements of global KPMG policies. Where these requirements conflict with local laws and regulations, the local laws and regulations prevail.

Information Classification Policy

The Information Classification Policy addresses the fundamentals of the confidentiality of KPMG N.V. and client information. It describes, at a high level, the classification requirements for this information and provides guidance on how to determine an appropriate level of classification.

Overview of key actions to mitigate data security risks

To safeguard our organization against information security risks, our policies define several actions that we have implemented to strengthen our information security posture. Our key actions include setting up adequate governance and lines of defense; employing comprehensive risk management practices supported by continuous compliance monitoring and auditing; and fostering a culture of security awareness through targeted training and awareness programs, so that employees can recognize and respond to potential data security risks. These actions apply to all our business activities and employees and are embedded in our day-to-day operations; they are reviewed and updated yearly so that they continue to cover the security risks we face as those risks change.

Lines of defense

We manage risks related to data security using a "three lines of defense" model, designed to provide risk management support and to help ensure that threats are identified and addressed before they can negatively impact operations. Our first line of defense (business management and operations) owns and manages risks and controls. Our second line of defense (risk and compliance functions) establishes risk and compliance methodologies and frameworks; monitors risks, compliance, and controls in support of management; and owns the IT and security risk-management processes. Our third line of defense (Internal Audit) provides independent assurance on the effectiveness of the controls in place to mitigate risk. Together, these stakeholders are actively involved in preventing, mitigating, and managing information security risks within our organization.

Risk management process

We have established a robust risk management process, guided by the principles outlined in our Risk Management Process document, comprising four key steps: risk identification, risk assessment, risk control and treatment, and risk monitoring and review. In the identification and assessment phases, we evaluate potential threats to our assets and determine the assets' vulnerabilities, the impact of a successful threat, and its likelihood of occurrence. If a risk exceeds a predefined threshold, it is promptly treated and controlled in line with our established protocols. We also conduct periodic reviews to monitor identified risks, assess the effectiveness of the treatments applied, and detect new or emerging risks. Furthermore, we perform regular penetration tests and cyber incident response exercises. Together, these activities keep our risk posture responsive and up to date.

Compliance and auditing

We have a control framework that helps KPMG N.V. comply with internal and external security requirements and with applicable laws. Externally, our ISO 27001:2022 certification covers all services we provide; internally, we demonstrate compliance with the Global KPMG Information Security policy through a yearly information protection compliance review.

Training and awareness

Data security is a topic that affects us all, and we recognize that our people, in the course of their everyday work, are the front line in preventing cyber-attacks. We have implemented a security awareness program to educate and enable our workforce to identify and respond to potential security incidents, whether these relate to IT, physical assets, or personal safety.

As part of this program, we run frequent phishing awareness campaigns, offer e-learning modules, organize a yearly Week of Safety, raise awareness through screensavers, and publish news and other messages via various internal channels. By promoting a security-aware culture, we proactively protect KPMG N.V. against cyber-attacks, data breaches, physical breaches, and other security-related incidents, minimizing potential harm and ensuring a safer working environment.

4.3.2  Metrics, targets, and performance on data security

In 2023/2024, we successfully transitioned from ISO 27001:2013 to the latest version of the standard, ISO 27001:2022. Because of the changes and additions in the new version, this project resulted in changes to our processes, documentation, and control framework. A transition audit confirmed our compliance with the new certification requirements. With the transposition of the EU's Network and Information Security Directive (NIS2) into Dutch law delayed until approximately Q4 2025, we are closely monitoring related developments. Additionally, we recognize that our financial services clients must comply with the Digital Operational Resilience Act (DORA) from January 17, 2025. Depending on the services we provide, we have begun receiving requests from clients to meet specific DORA requirements, and we are addressing these requests on a case-by-case basis.