1. ABOUT THIS POLICY
1.1 Sophos strives to conduct its business worldwide in an honest and ethical manner. Sophos takes a zero-tolerance approach to corruption, bribery, and associated crimes or unethical behavior. We are committed to acting professionally, fairly, and with integrity in all our business dealings and relationships. This is the Sophos Anti-Corruption Policy (the “Policy”).
1.3 The Sophos Group (including Sophos Intermediate I Limited (UK) and its subsidiaries (collectively, the “Company” or “Sophos”)) upholds all laws relevant to countering corruption in the jurisdictions where it operates, conducts sales, or engages third-party suppliers or vendors. We are specifically bound by anti-corruption laws and ethical requirements, including but not limited to, the UK Bribery Act 2010, which is binding on all our UK-incorporated companies as well as their respective subsidiaries, the UK Criminal Finances Act 2017 (CFA), and the U.S. Foreign Corrupt Practices Act 1977. Further, Sophos adheres to the Code of Conduct of the Responsible Business Alliance, specifically Section D., Ethics (Sections 1-Business Integrity, 2-No Improper Advantage, 3-Disclosure of Information, 5-Fair Business, Advertising, and Competition), in its administration of this Policy.
1.3 Corruption includes acts that are serious offenses. Individuals who are convicted may be imprisoned for up to ten years and fined. If Sophos, as an entity, is convicted of an offense, it could face an unlimited fine, be excluded from tendering for public contracts, and suffer serious damage to its reputation.
We take our legal responsibilities very seriously, and any employee who breaches this Policy will face disciplinary action, which may result in dismissal for gross misconduct. Any non-employee who breaches this Policy may have their contract terminated with immediate effect.
This Policy covers the following acts of corruption:
- bribery
- cybercrime
- conflicts of interest
- nepotism
- extortion
- fraud
- theft
- tax evasion
To prevent possible corruption, this Policy also covers the due diligence required when anyone engages in:
- gifting and hospitality
- sales incentives (SPIFFs)
- sponsorships and donations
- recordkeeping
You must report conduct that violates or may violate this Policy. The prevention, detection, and reporting of corruption is the responsibility of everyone at Sophos and the entities under its control. All employees and those persons performing services on our behalf are required to avoid any activity that may be in breach of this Policy. If you believe a violation of this Policy has occurred, if you are asked to take action that would violate this Policy, or if you suspect a violation of this Policy may occur, you are required to take any one of these actions as soon as possible:
- notify your manager;
- raise an alert using the “Speak Out” web page, including the ability to report the matter anonymously; or
- notify the Compliance Department at compliance@sophos.com.
This Policy does not form part of any employee's contract of employment. The Company will publish internal guidelines via the HUB that explain and support this Policy.
2. WHO MUST COMPLY WITH THIS POLICY?
Everyone. This includes all people working for Sophos or performing services on behalf of Sophos in any capacity: employees at all levels, directors, officers, agency workers, seconded workers, volunteers, interns, sales agents, contractors, external consultants, third-party representatives, and business partners.
3. WHAT IS CORRUPTION?
3.1 Corruption is any form of dishonesty or criminal offense undertaken by a person or organization entrusted with a position of authority to acquire illicit benefit or abuse power for one's personal or private gain. Corruption may include many activities including bribery, embezzlement, extortion, fraud, and theft.
3.2 Bribery is the offering, promising, giving, accepting, or soliciting of an undue advantage of any value (which could be financial or non-financial), directly or indirectly (e.g., through a third party) and irrespective of location, in violation of applicable law, as an inducement or reward for a person acting or refraining from acting in relation to the performance of their duties. Bribes can take the form of money, gifts, loans, fees, hospitality, services, discounts, the award of a contract, or any other advantage or benefit which leads to the award or retention of a contract or similar business advantage for Sophos.
3.3 Specifically, you must not:
- give, offer, or solicit any payment, gift, hospitality, or other benefit with the expectation that a business advantage will be received in return, or to reward any business advantage that has already been received;
- accept any offer from a third party that you know, or suspect, is made with the expectation that the Company will provide a business advantage to them or anyone else;
- give or offer any payment (sometimes called a facilitation payment) to a government official in any country to facilitate or speed up a routine or necessary procedure;
- threaten or retaliate against another person who has refused to commit a bribery offense or who has raised concerns about possible corruption or bribery under this Policy (see also the Sophos Whistleblowing Policy); or
- engage in any conduct commonly or legally known as extortion, fraud, or theft or any acts that are related to or would collectively comprise extortion, fraud, or theft.
4. GIFTS AND HOSPITALITY
4.1 You can give or accept reasonable and appropriate gifts and hospitality for legitimate purposes such as building relationships, maintaining the Sophos image or reputation, or marketing Sophos products and services.
4.2 You may not give or receive a gift or hospitality if it is:
- cash;
- given in secret;
- not reasonable or proportionate (e.g., it is unduly lavish or extravagant);
- conceived as an inducement or reward for any preferential treatment (e.g., during contractual negotiations or a tender process);
- given or received with the intention of causing (or being reasonably capable of causing) the recipient to perform their functions improperly;
- to influence a public official in the performance of their duties or with the intention of obtaining or retaining business or a business advantage;
- a reward for obtaining or retaining business or a business advantage, even where the value of the gift is below the threshold described below; or
- capable of being perceived as a conflict of interest.
4.3 Gifts must be:
- of an appropriate type and value depending on the circumstances and the reason for the gift; and
- made in the name of Sophos and must comply with any relevant local laws.
4.4 Corporate branded items of nominal value, items of nominal value designed for free giveaway at trade fairs and equivalent (e.g., pencils, note pads, umbrellas), and working lunches and refreshments provided during meetings at a company site may be given or received at any time and do not need to be recorded.
4.5 Unless approval has been granted by the Compliance Department, the value of gifts or hospitality given or received must not exceed the thresholds set out below or such lower threshold permitted by local law:
| | Gift | Hospitality (per person) |
|---|---|---|
| Maximum value per instance | $50 USD | $200 USD ($100 USD for restaurants or catering, including alcohol) |
| Maximum value provided to the same individual over a 12-month period | $200 USD | $800 USD ($400 USD for restaurants or catering, including alcohol) |
4.6 Any gifts or hospitality offered to or received from public officials of more than a nominal value must be in accordance with the local regulations and approved in advance by the Compliance Department. Further information is located here.
5. SALES INCENTIVES
5.1 Any sales (SPIFFs) and marketing incentives (MDFs) for channel partners must be transparent, reasonable, and in accordance with the guidelines issued by the Compliance and Legal Departments.
6. SPONSORSHIPS AND DONATIONS
6.1 Sophos may support charitable causes, but not with the expectation of any reward or influence in return. All requests for sponsorship or charitable donations must be screened by the Compliance Department (compliance@sophos.com) in advance of the donation or sponsorship. Further information is located here.
7. RECORDKEEPING
7.1 Sophos will declare and keep a written record of all hospitality or gifts given or received in the Sophos Group Anti-Corruption Register maintained by the Compliance Department. Information will be held for a period not exceeding 2 years from creation. All Sophos employees must submit all expense claims relating to hospitality, gifts, or payments given to or received from third parties in accordance with the Sophos expenses policy, including recording the reason for such expenditure.
7.2 All accounts, invoices, and other records relating to dealings with third parties including suppliers, customers, and partners should be prepared with strict accuracy and completeness. Accounts must not be kept "off-book" to facilitate or conceal improper payments.
8. DUE DILIGENCE – DEALING WITH THIRD PARTIES
8.1 All applications for the appointment or engagement of any third party acting on behalf of or in partnership with Sophos must be submitted through vendor review. Appropriate due diligence will be conducted on all third parties before entering into agreements with them. Further information regarding vendor due diligence, including corruption and bribery issues is located here. Alternatively contact the Compliance Department (compliance@sophos.com).
8.2 Sophos must have a written contract with each third party with whom we do business, with contractual protections, including termination rights if the third party breaches anti-corruption laws or the terms of this Policy.
9. CONFLICT OF INTERESTS AND DECLARATION OF INTERESTS
9.1 A conflict of interest occurs when business, financial, political, or personal interests could interfere, or give the appearance of interfering, with the judgement of an individual in carrying out their duties on behalf of Sophos. Sophos directors, managers, and employees who work for or have an equity stake in a Sophos customer, partner, supplier, competitor, or any similar arrangement must disclose their connection. Without disclosure of these interests, such arrangements may not be acceptable. Directors, employees, and third parties (working on behalf of Sophos) have an obligation to act in the best interests of Sophos and in accordance with this Policy. For further guidance please refer to the Sophos Code of Conduct.
9.2 Conflicts of interests may create problems because they can:
- inhibit free discussion;
- result in decisions or actions that are not in the interests of Sophos;
- contribute to non-competitive (anti-trust) or criminal actions undermining the reputation of Sophos through unethical and improper behavior; and
- create a perception of wrongdoing through inappropriate provision of gifts or hospitality based upon an actual or potential reciprocal business relationship.
9.3 In recruitment, a previous history of employment in public service or with an existing vendor, supplier, or customer must be evaluated by the Compliance Department before onboarding. For example, this Policy requires that the Company's employment of former public servants, or of those holding political or legislative office, involve neither a conflict of interest nor the violation of government rules.
9.4 Directors, employees, and third parties are obliged to declare their interests where there may be potential conflicts of interest in accordance with the Sophos “Declaration of interests” form, which sets forth the types of interest that should be declared. If any changes occur, it is the individual’s personal responsibility to update their declaration of interests at the earliest opportunity.
Further:
- if an individual is unsure what to declare, or whether a personal declaration needs to be updated, the individual must discuss the issue with the VP Compliance, a Director, or the Chief Legal Officer to obtain confidential guidance; and
- interests will be recorded in the Sophos “Register of Interests”, which will be maintained by the Compliance Department and reviewed on a regular basis. Declarations will be processed and retained in accordance with the Sophos Global Privacy Policy.
9.5 You should declare your interest at the earliest opportunity and should offer to withdraw from any subsequent Sophos business matter/discussion.
9.6 Where an individual has a conflict of interest (e.g. a Sophos sales manager is related to a customer’s procurement manager), they must not be involved in managing or monitoring a contract in which they have an interest. Monitoring arrangements for such contracts will include provisions for an independent audit and termination of the contract if the relationship is unsatisfactory.
9.7 An undeclared material conflict of interests may be grounds for disciplinary action or dismissal.
10. NEPOTISM
10.1 Nepotism is a form of discrimination in which family members or friends are hired for reasons other than their experience, knowledge, or skills. Employees will not offer, employ, infer, or favor employment of a close family member or friend without going through the Sophos recruitment and selection process.
10.2 All Sophos employees, contractors, vendors, and anyone else working on behalf of Sophos are expected not to commit crimes prohibited by law, such as theft, fraud, extortion, and cybercrime. Further, it is this Company's policy and expectation that employees will take appropriate measures to protect themselves and the Company from any such crimes.
11. TAX EVASION
11.1 Under the UK Criminal Finances Act 2017 (CFA), a separate criminal offense is automatically committed by a company (or other legal entity) when tax evasion is facilitated by a person acting as an "associated person" of that company. For the offense to be made out, the associated person must deliberately and dishonestly take action to facilitate the tax evasion by the taxpayer. If the associated person accidentally, ignorantly, or negligently facilitates the tax evasion, then a corporate offense will not have been committed.
11.2 However, the company itself does not have to act deliberately or dishonestly to have facilitated tax evasion. An associated person who has acted deliberately and dishonestly creates liability for the company. This means that, at Sophos, we must diligently guide our employees, workers, agents, and service providers toward honest, transparent, and diligent acts of integrity when responding to tax authorities and prevent and otherwise dissuade the facilitation of tax evasion. Otherwise, Sophos could face criminal sanctions, including an unlimited fine, exclusion from tendering for public contracts, and damage to its reputation.
11.3 Definitions
- Tax evasion means the offense of cheating the public revenue or fraudulently evading UK tax, and is a criminal offense. The offense requires an element of fraud, which means there must be deliberate action or omission with dishonest intent.
- Foreign tax evasion means evading tax in a foreign country if the conduct is an offense in that country and would be a criminal offense if committed in the UK. As with tax evasion, the element of fraud means there must be deliberate action or omission with dishonest intent.
- Tax evasion facilitation means being knowingly concerned in, or taking steps with a view to, the fraudulent evasion of tax (whether UK tax or tax in a foreign country) by another person, or aiding, abetting, counselling, or procuring the commission of that offense. Tax evasion facilitation is a criminal offense, where it is done deliberately and dishonestly.
11.4 All forms of tax evasion are strictly prohibited. Sophos will not tolerate any form of tax evasion, either within our business activities or within the business activities of those who perform services on our behalf, including vendors, suppliers, contingent workers, contract employees, or other third parties.
11.5 Specifically, you must always:
- act with honesty, integrity, transparency, and thorough diligence when providing information, documentation, or other data to any tax authority for any reason;
- act with honesty, integrity, transparency, and thorough diligence when providing information, documentation, or other data to any tax authority on behalf of another person or on behalf of any other legal entity;
- obtain written authorization from the Sophos Tax Department to have the properly designated authority to provide any information, documentation, or other data to any tax authority on behalf of Sophos or any Sophos legal entity; and
- review and affirmatively acknowledge during each year of your employment or work with Sophos your understanding of and adherence to the Sophos Code of Conduct in the Sophos Employee Handbook, including its values and principles (Section 1) and its general behavioral expectations (Section 2), which may be found here.
12. WHEN TO RAISE A CONCERN
12.1 You must report conduct that violates or may violate this Policy. The prevention, detection, and reporting of a breach of this Policy is the responsibility of everyone. If you are aware that a violation has occurred, if you are asked to commit a violation, or if you suspect that a violation may be occurring, you are required to take any one of these actions as soon as possible:
- notify your manager;
- raise an alert using the “Speak Out” web page, including the ability to report the matter anonymously; or
- notify the Compliance Department at compliance@sophos.com.
13. TRAINING AND COMMUNICATION
13.1 Anti-Corruption training is provided to new employees as part of their onboarding process, and on an annual basis afterward. All Sophos employees should ensure that they receive relevant training on how to comply with this Policy. Training is provided through the Sophos Eloomi platform.
13.2 Sophos will communicate this Policy to third parties who perform services on our behalf, including contractors, consultants, and business partners. We will seek to include contractual obligations in our agreements with third parties, which oblige them to agree to comply with this Policy (or an equivalent policy of their own). In certain circumstances, it may be appropriate for training to be provided to third parties.
14. MONITORING AND REVIEW
14.1 Sophos has conducted a detailed assessment of, and engages in ongoing monitoring of, corruption risks both within the Sophos Group and in relation to persons who perform services on its behalf.
14.2 The Compliance Department will regularly review the implementation of this Policy in respect of its suitability, adequacy, and effectiveness, and make improvements where appropriate, including the writing and updating of standard operating procedures to execute the requirements of this Policy. Issues of concern will be reported to the appropriate persons in line with the Company hierarchy.