1. Sophos Values and Guiding Principles
When highly talented people work together in an environment where they can do the best work of their careers, amazing and successful companies are built.
The Sophos Values and Guiding Principles provide a guide to what we mean when we say “Team Sophos”: What’s it like to work here? What’s the Sophos culture? They capture who we are as a company and how we operate, reflecting in part who we are today and what we aspire to become.
The Sophos Values and Guiding Principles help guide us to build a truly great company: one that makes a positive difference for our customers and partners, that does important work in the world, that is successful for our investors and stakeholders, and that we are all proud to be part of.
Our values are the foundation of who we are and how we operate, including:
- What Sophos stands for
- How we operate when we’re at our best
- The attributes of our very best employees
Our Values
- Simplicity
- We strive to remove unnecessary complexity from all processes and workflows across our business.
- Our intuitive products provide IT professionals with exactly what they need to do their jobs efficiently and effectively.
- Empowerment
- We support and enable people to do great work.
- We trust people to take ownership, to take smart risks, and to deliver results.
- We encourage people to take action, to seek knowledge, and to question actions inconsistent with our mission, values, or principles.
- Passion
- We care intensely about our success and our impact.
- We maintain high standards and continuously strive to improve.
- We inspire others.
- Innovation
- We stay at the forefront and advance the boundaries of what is possible.
- If we fail, we do it quickly, learn, share the lessons learned, and move forward.
- We always seek better approaches to what we do.
- Authenticity
- We are genuine, transparent, and honest.
- We admit our mistakes and strive to remain self-aware.
- We say what we think, even if it might be difficult.
Our Guiding Principles
Our guiding principles provide additional detail on how we operate and how we apply our values.
- The quality of our people is our greatest asset
- Hiring and retaining great people is a manager’s most important responsibility
- Effective teams can achieve far beyond what individuals can accomplish alone
- Sophos cultivates talent and pays for performance
- Effective communication realizes the full potential of our geographically- dispersed global team
- Success in our industry requires a fast-paced working style
- Diversity, combined with excellence, builds a better Sophos
- We care about the health and wellbeing of our employees, the communities in which we do business, and a sustainable environment
- We are uniquely positioned and qualified to make the world a safer place
2. General Behavioural Expectations
This Code of Conduct (the “Code”) applies to all our directors, employees, contractors, temporary staff, and partners, wherever they are located.
Applying high standards of ethical behavior and compliance with laws and regulations are essential components to living the Sophos Values and assuring the long-term success of our business. Our Code sets out the ethical principles and standards that guide our actions and the way we conduct business. Every person working for or with Sophos is expected to:
- treat others with dignity and respect;
- act with honesty and integrity, avoiding actual or apparent conflicts of interest in personal and professional relationships;
- promptly report any transaction that could be expected to give rise to a violation of this Code or a conflict of interest;
- become familiar and comply with Company policies;
- produce, full, fair, accurate, timely, and understandable disclosure in reports and documents;
- comply with applicable governmental laws, rules, and regulations; and proactively promote ethical behavior by other Company officers and employees.
If you are a leader, manager, or supervisor, you have a further responsibility to:
- lead by example and display ethical behavior;
- ensure your team members understand and follow the Code; and
- create an environment in which your team members feel confident about raising concerns.
The Code is not intended to cover every conceivable situation. Our Code is not a substitute for good judgment. Certain matters addressed in the Code are covered by more specific Company policies or business practices, which continue to apply. As a global enterprise with offices around the world, our business must be conducted in compliance with applicable laws and regulations of all countries in which we do business. You should always follow the highest applicable standard in deciding how to act.
You are expected to use common sense and good judgment to make ethical decisions based on the Sophos Values and the principles set forth in this Code. If you are in doubt, ask yourself these questions:
- Is it consistent with our Code of Conduct?
- Am I personally comfortable with the situation?
- Would I be happy to read about this in the news?
If you are unsure on how to address an issue, you should ask for help. (See Speak Out below for more information.)
3. Finding help and raising concerns
Speak Out!
If you have questions or concerns, you should “Speak Out.” There are three ways you can raise a concern:
Speak with your line manager or your HR representative about your concerns. They have a responsibility to support you as you raise legitimate concerns.
Share information directly with HR, anonymously if preferred, by using the ‘Notify HR’ form on Sophos Hub.
Call the “Speak Out” Hotline. This line is run by a third-party provider. Your call will be managed by a trained person who will help you raise your concern and ensure this concern is then sent to be investigated. You can find the hotline number for your region at the EthicsPoint web page.
Access the EthicsPoint web page, at sophos.ethicspoint.com where you can complete the reporting form about your concern.
However you choose to raise a concern, your confidentiality will be protected where possible. Your concerns will be taken seriously and investigated. Anyone who reports their concerns in good faith will be protected and will not be penalized.
Any act or threat of retaliation against someone who raises a concern in good faith is a serious breach of our Code and must be reported. Any such retaliation will result in disciplinary action against the retaliator, up to and including termination of employment.
For further information visit our Whistleblowing Policy.
4. Conflicts of Interests
We must each act in the best interests of the Company and put the best interests of the Company at the forefront of any work-related activity or decision while scrupulously avoiding conflicts of interest. You must use your best judgment in determining whether a conflict of interest exists or could appear to exist and then avoid any conduct, activity, relationship, or other situation that could create or cause a conflict of interest. Identifying, declaring and managing conflicts of interest is an important part of showing you are impartial and acting with integrity when undertaking your responsibilities and duties.
What is a conflict of interest?
A conflict of interest is a situation where your personal or private interests could, or be seen to, improperly affect the impartiality of business judgment in your role at Sophos.
A conflict of interest can be actual, perceived, or potential.
Actual conflict of interest:
An actual conflict of interest involves a direct conflict between your official duties/responsibilities and a competing interest or obligation, whether personal or involving a third party.
Potential conflict of interest:
A potential conflict of interest arises where you have an interest or obligation, whether personal or involving a third party, that could conflict with your official duties/responsibilities in the future.
Perceived conflict of interest:
A perceived conflict of interest occurs where it could reasonably be perceived, or give the appearance, that a competing interest could improperly influence the performance of your duties.
Some examples of conflicts of interest are:
- Competing and Dual Employment. We may not serve as an employee, officer, or director of any supplier/vendor, customer, or competitor of the Company without disclosure to and prior written approval of the Company. While dual employment (including self-employment) may not necessarily constitute a conflict of interest, disclosure to and written approval of Company is required in all instances where an actual or perceived conflict of interest could exist. This is particularly important where there is the development or use of intellectual property, but you must also be mindful of potential conflicts which could exist in employment in a role or company that is not competitive with the business of the Company. For example, working a significant number of hours in an unrelated alternative role may impact your health and productivity in your role at Sophos.
- Employment/supervision of friends and family members. We must not supervise, review, or influence the performance evaluation or compensation of a family member or someone with whom we are having a romantic relationship.
- Gifting and Hospitality. We support the reasonable and proportionate giving and receiving of hospitality as part of a normal business relationship. However, we prohibit the giving or receiving of any gifts or hospitality that are extravagant or lack transparency or a legitimate purpose.
- Corporate Opportunities. Business opportunities and information that we encounter during our work for Sophos belong to Sophos. We must pursue those opportunities and use that information for the best interests of the Company.
- Other Matters. We must not permit any situation in which, without proper authorization, we are required or tempted to disclose or use for our personal benefit any trade secret, confidential or proprietary information, or intellectual property of the Company, our partners, or our customers.
If you know of a position where personal and Sophos business interests come into conflict (actual potential, or perceived), you are required to disclose the conflict to the Company for review, and if possible, mitigation.
The Company reserves the right to determine when actual or potential conflicts of interest exist, and then take any action needed to prevent or mitigate this conflict. This may include you having to divest the conflicting interest or return the benefit or gain received, realigning your duties and responsibilities, or disciplinary action.
At the end of the day, you must ask yourself “is the thing I’m getting or giving okay? Could it be misinterpreted?” To help you decide whether you are facing a conflict of interest, imagine you are explaining your actions to friends or a colleague then consider whether you would feel comfortable with your actions.
If you are not sure, seek advice. See “Finding help and raising concerns” above or contact Compliance@sophos.com.
5. Anti-bribery and Corruption
At Sophos, we are truthful and transparent in our interactions with third parties, including our suppliers, partners, and customers, and do not influence their decisions through improper payments.
The difference between bribery and corruption is that bribery is the making of illegal payment, or bribes, to persons in official positions as a means of influencing their decisions while corruption is the act of corrupting or of impairing integrity or moral principle.
Wherever Sophos operates, we conduct our business in an honest and ethical manner. We take a zero-tolerance approach to bribery, corruption and associated crime or unethical behavior. We are committed to acting professionally, fairly, and with integrity in all our business dealings and relationships.
Sophos will not tolerate any form of bribery, either within our business activities or within the business activities of those who perform services on our behalf. If you are unsure about whether an act constitutes bribery, discuss it with your manager, raise a concern via the “Speak Out” hotline via www.sophos.ethicspoint.com, or email compliance@sophos.com.
Facilitation payments
Facilitation payments are unofficial payments made to public officials in order to secure or expedite the performance of a routine or necessary action. Sometimes referred to as 'grease' payments, they are usually made to obtain something to which the commercial organization is already legally entitled – for example, getting goods released from customs.
Facilitation payments are illegal. Sophos Anti-Bribery and Corruption Policy states that you must not provide a “facilitation payment.” The matter should be reported to your local Legal team as soon as possible. It is also important to understand the level of pressure placed on an employee. You should never refuse to make a payment if faced with a threat of, or fear of, violence or loss of liberty. The safety of our employees is of primary concern in all our operations both at home and abroad.
For further information visit our Sophos Anti-Bribery and Corruption Policy.
6. Modern Slavery
Sophos is committed to ensuring that its supply chain is free from modern slavery.
Modern slavery is a crime and a violation of fundamental human rights. It takes various forms, such as slavery, servitude, forced and compulsory labor, and human trafficking, all of which have in common the deprivation of a person's liberty by another in order to exploit them for personal or commercial gain.
We have a zero-tolerance approach to modern slavery and we are committed to acting ethically, transparently, and with integrity in all of our business dealings and relationships, and to implementing and enforcing effective systems and controls to ensure modern slavery is not taking place anywhere in our own business or in any of our supply chains.
The prevention, detection, and reporting of modern slavery in any part of our business or supply chains is the responsibility of all those working for us or under our control. You are required to avoid any activity that might lead to, or suggest, a breach of this policy.
See “Finding help and raising concerns” above for ways to raise concerns or contact Compliance@sophos.com.
For further information, read the Sophos Modern Slavery Policy.
7. Data Privacy
Sophos obtains, holds and processes personal data and individual identifying information. It is essential that this personal data is kept secure and in compliance with the numerous laws around the world that regulate its collection, processing, transfer, disclosure, storage, and use.
If you handle personal data, you must familiarize yourself with the applicable laws and safeguard the information appropriately. Consider if the information related to you – how would you want it protected?
For further privacy information, visit the legal pages of Sophos.com.
8. Confidential Information, Information Security, and Insider Dealing
Sophos creates, collects, stores, and manages confidential information, some of which belongs to or relates to third parties. Examples of confidential information include pricing and cost information, sales data, financial results, customer lists, marketing plans, and other trade secrets, non-public financial information, business proposals, formulas, and intellectual property. We should consider all non-public information to be confidential.
As an IT security company, the security of that confidential information is paramount, and our behavior must reflect that. Furthermore, we have a legal obligation to ensure that such information is kept confidential and is protected appropriately.
If confidential information is stolen or misused, Sophos may be open to significant reputational, competitive, operational, legal and/or financial risk.
Insider Trading
Trading using “inside information” is a misuse of confidential information and is a criminal offense in the U.K., U.S., and many other countries. “Inside information” is information about a company that is not publicly available, which is likely to have a non-trivial effect on the company’s share price and which an investor would be likely to use as part of their investment decision.
Some of the steps we should take to protect confidential information are:
- Ensure strict compliance with the Sophos Governing Cyber Security Policy and Global IT Acceptable Use Policy and all non-disclosure/confidentiality obligations in your employment agreement or similar agreements
- Make sure all confidential information, whether electronically stored or on paper, is kept secure
- Before disclosing any confidential information, ensure that a Non-Disclosure Agreement or other agreement is in place so that confidentiality of the information is maintained by the recipient
- Avoid discussion of confidential information in public places where the conversation may be overheard
- Do not buy or sell Sophos shares (or those of any other listed company) if you are in possession of inside information
- Do not ask other people to trade on your behalf or pass on any inside information that you to others
If you have any query about buying or selling Sophos shares, you should contact shares@sophos.com.
Just as you are expected to safeguard the confidential information of Sophos and its business partners, you must not use third parties’ confidential information at Sophos if you do not have permission to do so.
9. Reporting and Accounting
The company requires accurate, complete, and timely recording of all company information.
The collection of this company information is guided by a rigorous system of financial, operational, and compliance controls.
From these records we will prepare financial statements on a regular basis in line with applicable law and technical and professional standards.
The financial statements are used for both internal decision making and for communicating with external stakeholders, i.e. shareholders, tax authorities, and other government agencies.
You must:
- Ensure you comply in all aspects with company policy.
- Ensure that you always act within your delegated authority levels
- Not allow yourself to be influenced, or influence others, to do anything which might compromise the integrity of company information, nor must you make any deliberately false or misleading entry into any company record.
- Report any suspicion of fraud via the Speak Out hotline or web portal
10. Communications and Social Media
Sophos is using the power of social media to help connect with, educate, and create loyal customers, partners, and prospects. When you represent Sophos, you must ensure that you put your best foot forward at all times. You must:
- Remember that anything you say online is permanent, so always think before you post
- If you have any personal social profiles that mention your affiliation with Sophos, make it known that your statements are your own opinion, not those of the company. Regardless, as an employee of Sophos, we do expect you to conduct yourself in a manner that does not bring Sophos into disrepute.
Under no circumstances are any Sophos-branded social accounts to be opened without explicit permission from the corporate social media team.
If you have any questions or requests, please contact: socialmedia@sophos.com.