Sophos Whistleblowing Policy

THE SOPHOS WHISTLEBLOWING POLICY

Sophos Group Limited and Sophos Holdings, LLC and their respective subsidiaries, (collectively, the “Company” or “Sophos”) embraces and adopts the Sophos Whistleblowing Policy (the “Policy”), which promotes, encourages, and provides the means for employees, vendors, suppliers, and customers to come forward with credible information about suspected wrongdoing, illegal conduct, violations of Sophos policies, or violations of Sophos contracts, all for the purpose of creating transparency and a responsible corporate environment. In doing so, this Policy also provides that the Company will protect any reporting individual from retaliation.

POLICY OBJECTIVE:

The Company encourages Sophos employees to report suspected wrongdoing as soon as possible. All reported concerns will be taken seriously, will be tracked individually, and investigated appropriately. Each concern will be brought to a conclusion. In all instances, the confidentiality of each reporting individual will be respected.

BACKGROUND

Whistleblowing is an essential element necessary to foster a work environment of openness, accountability, trust, and productivity. For this reason, whistleblowing is encouraged. Further, whistleblowers often take on high personal risk. Protecting whistleblowers from unfair treatment, including retaliation, discrimination or disadvantage, emboldens one to report wrongdoing and increases the likelihood that wrongdoing is reported, uncovered, and brought to an end. For these reasons, persons in possession of whistleblowing information must report it. 

The Company is committed to dealing responsibly and professionally with all genuine concerns. We expect all Sophos employees to maintain high standards of behavior in accordance with the Sophos Values. Further, Sophos adheres to the Code of Conduct of the Responsible Business Alliance, specifically Section D. Ethics (Section 6-Protection of Identity and Non-Retaliation) and Section E. Management Systems (Section 8-Worker Feedback, Participation, and Grievance) in its administration of this Policy.

WHAT IS WHISTLEBLOWING?

Whistleblowing occurs when an individual or individuals (the Whistleblower) pass along information about wrongdoing.  For a matter to be a whistleblowing concern, an individual who makes a disclosure must reasonably believe two things:

  1. The first is that the reporting individual reasonably believes that the disclosure shows past, present or likely future wrongdoing, which properly falls within one or more of the following categories:
    • Criminal offence
    • Failure to comply with the law
    • Endangering one’s health and safety
    • Damage to the environment
    • Failure to comply with Sophos corporate policies, including anti-slavery, anti-bribery, Global Trade Compliance Policy, the use of data, and other policies identified by the Company
    • Covering up the wrongdoing in any of the above categories
  2. The second is that they are acting in the public interest.

Any other issues which are not covered by the categories above should be reported through the appropriate internal channel (e.g., HR, Compliance, Line Manager).

WHEN TO REPORT A CONCERN?

Any person, including Sophos employees, who have information that comprises Whistleblowing information described in the preceding paragraph (What is Whistleblowing, 1 & 2), must report that information. Sophos encourages participation in the Whistleblowing requirements in the spirit of transparency and high standards of corporate conduct and Sophos Values. Even so, this Policy is not voluntary.    

HOW TO REPORT A CONCERN?

There are three ways you can report a concern:

  • In person: you can speak with your line manager about your concerns. They will support you to complete the “Open Door Reporting Form” or visit the web portal and support you to raise your concern this way.
  • Online: Visit the Sophos Speak Out web portal at Sophos.ethicspoint.com and complete the form online.  This alert will be sent to the incident management site where it will be reviewed and allocated for a response or investigation.
  • Call the Hotline: Visit the Sophos Speak Out web portal and enter the country you are located in. This will provide you with the toll-free number to call. (Each country has its own number, entering the country where you are located does not identify you if you  wish to remain anonymous).

What happens next?

  • Within seven (7) days of the alert being made a response will be sent to acknowledge the receipt of the alert. Those making the alert are encouraged to visits the “follow up” pages to check for communication, if a person has elected to remain anonymous this will be the only way effective communication can take place.
  • The case will be reviewed and assigned for investigation. The person assigned the case will maintain contact with the alerter to ensure clear communication about the progress of the case.
  • In line with the EU Whistleblowing Directive (section 67) cases are expected to be resolved within 3 months ( 6 months for exceptional cases).

We encourage employees to raise whistleblowing matters directly to their line manager, human resources via the “Speak Out ” reporting page at Sophos.ethicspoint.com.

This policy covers all employees, officers, consultants, contractors, casual workers and agency workers.

REFERENCES: