1.0 The Sophos Whistleblowing Policy
1.1 The Sophos Group Companies, including Sophos Intermediate I Limited UK and its respective subsidiaries, (collectively, the “Company” or “Sophos”) embraces and adopts the Sophos Whistleblowing Policy (the “Policy”), which promotes, encourages, requires, and provides the means for employees, vendors, suppliers, and customers to come forward with credible information about suspected wrongdoing, illegal conduct, or violations of Sophos policies, Sophos contracts, or the Sophos Code of Conduct for the purpose of creating a transparent and responsible corporate environment. This Policy provides that the Company will investigate credible reports, will act on credible information, and will protect any reporting individual from retaliation.
2.0 Policy Objective
2.1 Sophos employees have a duty to report suspected wrongdoing when it occurs or when the employee first learns about it. All reported concerns will be treated as confidential information, will be taken seriously, will be tracked to conclusion, will be investigated appropriately, and, where appropriate, will result in remedial action. In all instances, the confidentiality of each whistleblowing report and the identity of the individual employee who provided the report will be protected.
3.0 Policy Background
3.1 Whistleblowing is encouraged because it is necessary to create transparency in a work environment, which promotes honesty, accountability, trust, and productivity. Equally important, whistleblowing is required when a Sophos employee has information about wrongdoing because employees are expected to act in the best interests of the Company and to adhere to the Sophos Code of Conduct.
3.2 Understandably, whistleblowers often take on high personal risk when making a report. Protecting whistleblowers from unfair treatment, including retaliation, discrimination, or disadvantage, encourages the reporting of wrongdoing and increases the likelihood that wrongdoing is uncovered and ended. For these reasons, people in possession of information regarding suspected wrongdoing must report it and their confidentiality will be protected.
3.3 The Company is committed to dealing responsibly and professionally with all genuine concerns. We expect all Sophos employees to maintain high standards of behavior in accordance with the Sophos Values. Further, Sophos adheres to the Code of Conduct of the Responsible Business Alliance, specifically Section D. Ethics (Section 6, Protection of Identity and Non-Retaliation) and Section E. Management Systems (Section 8, Worker Feedback, Participation, and Grievance) in its administration of this Policy. Further, this Policy complies with the EU Whistleblowing Directive (2019/1937) (23 October 2019) and will be updated from time to time to remain consistent with this Directive.
4.0 What is Whistleblowing
4.1 Whistleblowing occurs when an individual or individuals (the whistleblower) report(s) information about wrongdoing. For a matter to be a whistleblowing concern, an individual who makes a whistleblowing report must reasonably believe two things:
First, the reporting individual has credible information that shows past, present, or likely future wrongdoing, which may fall within one or more of the following categories:
- criminal offense
- failure to comply with the law or regulations
- endangering one’s health
- endangering one’s safety
- damage to the environment
- failure to comply with Sophos corporate policies, including anti-slavery, anti-corruption, Global Trade Compliance Policy, Global Privacy Policy, the Sophos Code of Conduct, the Sophos Group Privacy Notice, and other policies identified by the Company
- covering up the wrongdoing in any of the above categories
Second, the reporting individual is acting in the best interest of the Company.
Wrongdoing need not fit into any of the above categories to be a proper subject for a whistleblowing report. Any individual who reasonably believes that a matter should be the subject of a whistleblowing report should file a report. All reports are investigated, and the whistleblower will be protected from retaliation, even if the subject of the report is not an actionable matter.
5.0 Who is a Whistleblower
5.1 A whistleblower is any individual who has credible information about suspected wrongdoing, potential violation of the law, or potential violation of Company policies, including unethical behavior.
5.2 Whistleblowers can be employees or third parties. Typically, whistleblowers are Company employees, because their involvement in Company functions may expose them to matters that require reporting. However, the Sophos Whistleblowing Policy embraces all individuals who may have knowledge of matters that require reporting, including third parties, such as Sophos vendors, suppliers, customers, and end users.
6.0 When to Act as a Whistleblower
6.1 Any individual, including Sophos employees, who has credible information concerning suspected wrongdoing, potential violation of the law, or potential violation of Company policies must report that information. Sophos encourages whistleblowing in the spirit of transparency.
6.2 Sophos employees must report conduct that violates or may violate the law or Company Policy. This Policy is not voluntary. The high standards of the Sophos Code of Conduct and Sophos Values, as expressed in the Sophos Employee Handbook, require whistleblowing reporting when an employee has credible information as described.
7.0 How to Report as a Whistleblower
7.1 An individual considering a whistleblowing report may provide their information in one of two ways:
- In person: you can speak with your line manager about your concerns. They will help you complete the “Speak Out Reporting Form”, or visit the web portal [insert link] with you and help you raise your concern that way.
- Online: Visit the Sophos Speak Out web portal and complete the form online. A notification will be sent to the Compliance Team who will review and assign for a response, investigation, or action, where appropriate. When whistleblowing reports are filed online, the reporting individual may elect to remain anonymous, which will be protected by the reporting means (the OneTrust reporting portal) and the Compliance Team investigating the report.
8.0 How Whistleblowing Reports Are Managed
8.1 Within seven (7) days after the whistleblowing report is made, an acknowledgement of receipt will be sent to the reporting individual. The reporting individual is encouraged to visit the OneTrust Whistleblower and Ethics page where the whistleblowing report was submitted to check for communications, updates, status, and requests for additional information, and to ask questions. If a reporting individual has elected to remain anonymous, this will be the only means of communication regarding the report.
8.2 The report will be reviewed and assigned for investigation. The person assigned to the case will maintain contact with the reporting individual to ensure clear communication regarding progress. Limited people are involved in the investigation and are held to the strictest confidentiality regarding the matter. These individuals have oversight from senior management.
8.3 In line with the EU Whistleblowing Directive (Section 67) reported matters are expected to be resolved within 3 months (or 6 months for exceptional cases).
8.4 A personal meeting with the reporting individual may be scheduled if requested by the reporting individual.
8.5 Relevant FAQs regarding Whistleblowing Reporters:
Who will see my report?
Reports are managed by the Compliance Team and the General Counsel. Whistleblowing reports that are filed online anonymously cannot and will not reveal the identity of the reporting individual.
Who should report?
In the spirit of transparency, Sophos employees are encouraged to raise whistleblowing matters directly to their line manager, to Human Resources via Notify HR, or via the “Speak Out” reporting page. If a Sophos employee has credible information concerning a whistleblowing matter (see Section 4.0, What is Whistleblowing, above), they are required to submit a whistleblowing report.
Further, this Policy covers all employees, officers, consultants, contractors, casual workers, agency workers, and third parties who do business with Sophos, such as Sophos customers, vendors, suppliers, and end users.
What happens to my report after the matter has been concluded?
All reports are maintained by the Compliance Team through the “Speak Out” database via OneTrust for 12 months after resolution. All personal information, if any, is protected consistently with the Sophos Global Privacy Policy and the Sophos Whistleblowing and Data Processing Confidentiality Notice.
What if I have questions?
Sophos “Speak Out” FAQs (Frequently Asked Questions) are available here. Also, a reporting individual may ask questions via the Speak Out portal when a report is submitted.
9.0 How Whistleblowers Are Protected
9.1 It is Sophos policy to protect the identity, role, position, and function of an employee who files a whistleblowing report. Reporting individuals who choose to file anonymous whistleblowing reports will not be asked for their identity and neither the means of reporting nor the nature of the investigation will reveal their identity as the matter proceeds.
9.2 As a matter of law, reporting individuals may not be the subject of disciplinary action or termination when the reporting individual provides a whistleblowing report in good faith with credible information about suspected wrongdoing, as described. Reporting individuals are also protected from discharge, demotion, suspension, threats, intimidation, harassment, or a hostile work environment.
9.3 In addition, it is Sophos Policy to encourage transparency through whistleblowing reporting by creating a work environment that supports employees who provide credible information about suspected wrongdoing.