This Statement is made in accordance with Section 54 of the Modern Slavery Act 2015 (the Act) as it applies to Sophos Limited, a commercial organisation that carries on business in the UK, supplying goods and services and having a total annual turnover of £36 million or more, and all entities in the Sophos Group global structure (together Sophos, or the Group). This peer-reviewed Statement sets out the steps that have been taken during the financial year ending 31 March 2021 to ensure that modern slavery is not taking place in the Sophos Supply Chain and in any part of our own business.
The Statement has been signed by Kris Hagerman, Chief Executive Officer, on behalf of Sophos Group Companies and published on the homepage of the company website at www.sophos.com.
During the fiscal year ending 31 March 2021, the Group continued to prioritise the establishment and implementation of effective systems and controls as set out in the Sophos Modern Slavery Policy (the Policy) adopted in 2016, reflecting Sophos’ commitment to acting legally, ethically, transparently, and with high integrity in all our business dealings and relationships, particularly in its relationships with vendors and third parties that employ individuals. The Policy sits alongside the existing Sophos Anti-Corruption Policy and the Sophos Whistleblowing Policy and is available here: Sophos Modern Slavery Policy. Further, Sophos’ compliance with the U.K. Modern Slavery Act is a comprehensive platform under which Sophos also meets the broader demands of similar legislation, such as the California Transparency in Supply Chains Act of 2010, certain U.S. federal regulations and the Commonwealth Modern Slavery Act 2018.
Sophos’ Statement covers the following topics:
- Our Structure and Business Model: Sophos’ product capabilities, partnerships, and global reach.
- Risk Assessment: measures applied to respond to potential risks in the environments where modern slavery may exist.
- Our Governance and Policies: a description of operational policies, actions taken and measures in place to ensure compliance with the Act.
- Procedures: the actions required of our supply chain and the steps undertaken by the business regarding recruitment.
- Training and Awareness: an explanation of the training systems used to promote awareness amongst Sophos employees.
- Monitoring and Performance Review: a description of the steps and indicators used to evaluate risk both through the supply chain and within our business.
During the fiscal year ending 31 March 2021, the Group has focused on training, monitoring, and ongoing enforcement of the Group’s systems and processes to maintain high standards, and has continually improved Sophos’ ability to see, understand, and effectively manage the risk of modern slavery in any form.
A. Our Structure and Business Model
Sophos is a leading global provider of cloud-enabled, end-user, and network security solutions, offering organisations end-to-end protection against known and unknown cybersecurity threats through products that are easy to install, configure, update, and maintain. The Group’s products are sold through its relationships with distributors and resellers: more than 59,000 partners around the world. At the end of its FY21 (31 March 2021), Sophos had 3,626 employees worldwide, with an office in the UK, many offices worldwide, and a number of threat assessment labs, sales offices, and product development centres around the world, including in Asia Pacific, Europe, the Middle East, and North America.
Sophos saw significant growth in the number of its channel partners and end-users during the fiscal year, and the Company’s current approach remains effective. As the business continues to grow, however, we will continue to monitor our effectiveness, as discussed later in the Statement, and adjust our approach to ensure it remains proportionate.
The Group’s supply chain in this context consists of many organisations made up of hardware manufacturers and suppliers, logistic fulfilment centres responsible for the distribution of our products, procurement vendors and recruitment and employment agencies from whom Sophos employees may be sourced (each a Supplier and together the Sophos Supply Chain). Sophos also has close working relationships with works councils in a number of overseas jurisdictions representing the interests and rights of its employees.
B. Risk Assessment
We consider that the principal areas in which Sophos faces risks related to slavery include:
- the Sophos Supply Chain and outsourced activities, including Suppliers located in overseas jurisdictions;
- Sophos’ own business, including employment, internal policies and particularly recruitment through agencies and third parties.
The formal process for identifying, evaluating, and managing significant risks faced by the Group is overseen by the Board, along with the Company’s Finance, Legal, and Compliance Teams. These Teams provide the business with a risk management framework, upward reporting of significant risks, Company policies, and standard operating procedures.
The potential for non-compliance with the Act is assessed as part of this risk management process. Sophos undertakes this risk assessment with input from external advisers; the assessment criteria applied include business function and geography, together with the principles set out by Transparency International (the global coalition against corruption) and the Responsible Business Alliance Code of Conduct. During the reporting period Sophos has made a declaration to comply with the Responsible Business Alliance Code of Conduct. This Declaration is published on the company website.
Each Supplier is also assessed during the onboarding process and screened using the Dow Jones adverse media list. Suppliers are required to confirm that they will comply with the Sophos Modern Slavery Code of Conduct, and to complete the Slavery and Trafficking Risk Template (STRT) and the Conflict Minerals Reporting Template (CMRT). Current company statistics show a 100% response rate from Suppliers for completion of the Modern Slavery Code of Conduct, the STRT, and the CMRT.
Both the STRT and the CMRT assess the Suppliers’ actions against international standards, are certified by each Supplier each time they are submitted, and measure how Suppliers screen, prioritise, train, identify and manage risk, report, and maintain internal policies to guard against forced labour and to identify appropriate sources of the minerals used in hardware products. These assessments are required from Suppliers every two years. For clarity, no Supplier is owned by the reporting entity.
The Group takes a two-pronged approach to risk identification: (i) a bottom-up approach at the business function level; and (ii) a top-down approach at the senior leadership team level. All identified risks are assessed against a pre-defined scoring matrix and prioritised accordingly. Any risks identified in the bottom-up approach deemed to be rated as higher risk are escalated in line with pre-defined escalation procedures for further evaluation.
C. Our Governance and Policies
The Board governing the Sophos Group companies has overall responsibility for ensuring the Policy complies with the Company’s legal and ethical obligations, and that all those under the control of the Company comply with the Company’s Modern Slavery Policy.
The Board provides oversight regarding the implementation of the Policy and monitoring of risks and issues raised in connection with it. The Policy recognises the Group’s responsibilities under the Act and applies to the Sophos Supply Chain and to all persons working for us or on our behalf in any capacity, including employees at all levels, directors, officers, agency workers, seconded workers, volunteers, interns, agents, contractors, external consultants, third-party representatives and business partners.
During the period concerned, the Modern Slavery Policy and the Modern Slavery Code of Conduct have been revised to incorporate requirements regarding child labour in the workplace, and training has been provided to all employees. These revisions were reviewed and approved by the Sophos Board of Directors. Furthermore, the Policy has been submitted for peer review to the United Nations Global Compact Child Labour Working Group. This peer review will take place after this Statement has been submitted. Details of the review and any actions undertaken will be published in the next Statement.
The Conflict Minerals Policy, developed and implemented in 2020, continues to underpin the Sophos commitment to reducing, if not removing, Modern Slavery in our supply chains. Further, Sophos employees in roles with a connection to conflict minerals in the supply chain are responsible for reading, understanding, and enforcing this policy. 100% of staff in Supply Chain, Product Management, Finance and Business Operations departments have completed training about the Conflict Minerals Policy.
Any breach of the Policy by a Sophos team member would result in disciplinary action and potential dismissal. Any breach of the Policy by a vendor, third party or Supplier would result in termination of the business relationship and further actions, depending on the circumstances.
All those subject to the Policy are encouraged to raise concerns about any issue or suspicion of modern slavery in any part of our business or supply chains, or those of any current or potential Suppliers, at the earliest possible stage. The Sophos Whistleblowing Policy provides a mechanism that enables employees and external entities, including third parties within the Sophos Supply Chain, to confidentially report matters of concern via the Whistleblowing Web Form or Hotline, or directly to their line manager or designated HR manager. All matters reported through the Whistleblowing portals are investigated and evaluated until concluded. Sophos’ Compliance Team is responsible both for adherence to the Modern Slavery Policy and for investigating and evaluating Whistleblower complaints. Where appropriate, such matters may be brought directly to the attention of Sophos’ Senior Management Team and to the Audit Committee. Consistent with the Company’s Whistleblowing Policy, the Sophos Group is committed to ensuring that no one suffers any detrimental treatment as a result of reporting a suspicion in good faith.
D. Procedures
Our Suppliers: we take the following actions for each Supplier:
- We inform all our new and renewed Suppliers in writing that we are not prepared to accept any form of exploitation in their business or any part of their supply chain and give them a copy of our policy.
- All Suppliers are required to make an annual Sophos Modern Slavery Code of Conduct declaration stating that they are in full compliance with our policy. This declaration includes the identification of all parties that supply products to our Supplier to ensure extended supply chain information is known by Sophos and integrated into our management control processes;
- Suppliers are required to complete an annual questionnaire regarding their own actions in building and maintaining a socially responsible supply chain. This questionnaire was adapted from the Social Responsibility Alliance (SRA) Slavery and Trafficking Risk Template (STRT). This is a new measure and has increased the number of conversations on the subject of bonded labour and employee welfare;
- Suppliers are required to complete the Conflict Minerals Reporting Template (CMRT), a standardised reporting template developed by the Responsible Minerals Initiative (RMI);
- Suppliers have been asked to provide ISO 9001 and OHSAS 18001 certification to evidence the action they have undertaken in this matter;
- We ensure that we can account for each step of our hardware manufacturing processes and we know who is providing the hardware to us that we resell. This is done by using BOMcheck, an industry wide regulatory compliance tool which is offered by ENVIRON. BOMcheck identifies companies that are part of the Sophos extended supply chain that supply components for our hardware products to our immediate Suppliers. Any anti-corruption or modern slavery changes for a specific Supplier will trigger an immediate review and business investigation, together with identifying specific risk indicators and categories;
- Our standard supply chain contract templates contain anti-slavery provisions which prohibit Suppliers and their employees and sub-suppliers from engaging in modern slavery;
- We conduct regular risk assessments of the Sophos Supply Chain; in cases of high risk, we may request Suppliers to provide a ‘Statement of Compliance’ on their actions to prevent slavery and to confirm that any concerns have been satisfactorily and promptly resolved;
- We undertake detailed due diligence when onboarding new Distributors, requesting that they have their own policy regarding modern slavery or human trafficking; if this is not the case, the Distributor is required to agree to comply with the Sophos Policy. A link to the Policy is made available to our Distributors during their onboarding process;
- In cases of high-risk, we may also audit the Supplier and, as appropriate, we require them to take specific measures to ensure that the risk of modern slavery is significantly reduced. If slavery is identified in a business in the Sophos Supply Chain, the Group will require that immediate remedial action be taken and provide appropriate support to achieve the safest outcome for potential victims. The Group expects its Suppliers to engage constructively and responsibly, and to remedy any issues in a timely manner. Should the Supplier ultimately fail to resolve the situation to the Group’s satisfaction, their contract will be terminated;
- Should allegations of slavery in any part of the Sophos Supply Chain emerge, including from whistleblowers, the Group will comprehensively investigate any such allegations and, if any slavery is identified, will take immediate action as set out above.
Our Business: we take the following actions within our company:
- We ensure all staff have a written contract of employment and that they have not had to pay any direct or indirect fees to obtain work;
- We ensure staff are legally able to work in the country in which they are recruited;
- We check the names and addresses of our staff (a number of people listing the same address may indicate high shared occupancy, often a factor for those being exploited);
- We provide information to all new recruits on their statutory rights including sick pay, holiday pay and any other benefits to which they may be entitled;
- We invest in the professional development, health, and wellbeing of Sophos staff;
- We pay all Sophos employees in the UK at least the Living Wage (pro rata in the case of part-time employees; vacation students and interns are paid an allowance);
- If, through our recruitment process, we suspect someone is being exploited, our Human Resources Team will follow our reporting procedures;
- We conduct due diligence checks on any recruitment agency that we use to ensure that it is reputable and conducts appropriate checks on all staff that they may supply to us.
E. Training and Awareness
Mandatory training in relation to Modern Slavery, Conflict Minerals, and Whistleblowing is provided to all existing Group employees and new joiners alike and is re-taken on an annual basis. Training is accompanied by an online resource facility which is available to all Group employees. Refreshment of these materials is ongoing. Feedback is encouraged to inform improvements to the Policy and future updates to the training material for all Sophos employees.
F. Monitoring and Performance Review
Sophos engages an external compliance data provider on an ongoing basis to audit the Sophos Supply Chain and keep it under review. Together with our external compliance data provider, the Group monitors the performance of the Policy, together with the Sophos Anti-Corruption and Whistleblowing Policies. The Group maintains a watching brief on the compliance of all Suppliers through live monitoring tools. Any alert raised through this process is subject to an internal review and, where appropriate, a business investigation of the Supplier is undertaken. During the fiscal year ending 31 March 2021, no material alerts were raised by our external compliance data provider concerning any Supplier, including recruitment agencies.
Indicators used to evaluate risk include managing the risks in our own business.
Every endeavour is made to fully adhere to the requirements of the Modern Slavery Act 2015 in relation to our recruitment, employment, and internal policies. The following measures support this:
- Understanding the Sophos Supply Chain
  - We can account for each step of our supply processes and we know who is providing goods and services to us;
  - Our level of communication and personal contact with the next link in our supply chain, and their understanding of, and compliance with, our expectations.
- Assessment, Code of Conduct and Statement of Compliance
  - Number/percentage of new and existing suppliers satisfactorily screened using risk assessment tools and/or self-assessment questionnaires, including risk scoring and categorisation;
  - Number/percentage of suppliers who have signed our Code of Conduct;
  - Number/percentage of suppliers who have provided a satisfactory ‘Statement of Compliance’ on their actions to prevent slavery, when so requested, and whose concerns have been satisfactorily and promptly resolved.
- Reports on Concerns
  - Number of reported concerns of slavery (including if there were none);
  - Whether any material issues arising from implementation of the Policy were effectively escalated when the need arose;
  - Whether all concerns raised as a result of audits or allegations were promptly followed up and resolved;
  - How we responded to concerns raised or to issues found by screenings, assessments, or audits, and how we worked with suppliers to implement corrective action plans.
- Training and Awareness
  - Number/percentage of relevant staff trained, informed, or having completed mandatory training.
Sophos makes responsible sourcing decisions, develops plans to avoid brand damage, and complies with regulatory demands under the following legislation:
- Modern Slavery Act 2015, United Kingdom
- California Transparency in Supply Chains Act
- United States Federal Acquisition Regulations
- Trade Facilitation and Trade Enforcement Act of 2015
- The Commonwealth Modern Slavery Act 2018, Australia.
To ensure that Sophos’ actions expressed in its Modern Slavery Statement met all requirements laid out in the Act, the company participated in a peer review facilitated by a trade association within its industry segment. Feedback from the review supports Sophos in meeting these requirements, as well as providing further information about Sophos’ actions that reduce and remove modern slavery in its supply chain.
All Suppliers reviewed were validated down to the family tree level, which indicates the number of entities contained in each Supplier’s corporate structure.
The Group’s position and the efforts essential to manage its compliance with the Act continue to evolve. However, existing processes are in place to ensure that its efforts are kept under regular and effective review and that its performance will be routinely and robustly measured.
This Statement is made pursuant to section 54(1) of the Act.