10th Jun 2016 14:00
Sophos Group plc
Annual Report 2016 and Notice of 2016 Annual General Meeting
Following the announcement on 26 May 2016 of its preliminary results for the year-ended 31 March 2016, Sophos Group plc (the "Company") announces that it has published its Annual Report 2016.
The Company also announces that it will hold its Annual General Meeting at 3.00pm on Wednesday 14 September 2016 at The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP.
Copies of the Annual Report 2016 and the Notice of the 2016 Annual General Meeting are available to view on the Company's website at https://investors.sophos.com. They have also been submitted to the National Storage Mechanism and will shortly be available for inspection at http://www.morningstar.co.uk/uk/NSM
Copies of those documents, together with a form of proxy for use in connection with the 2016 Annual General Meeting, are being posted to the Company's shareholders today.
D Ari Buchler, Company Secretary
10 June 2016
Appendix
The additional information set out below, which is extracted from the Annual Report 2016, is included in compliance with Disclosure and Transparency Rule 6.3.5. This information should be read in conjunction with the Annual Report 2016 as a whole:
Principal Risks and Risk Management
Principal risks are identified through a business-wide risk assessment process, along with an evaluation of the strategy and operating environment of the Group. The risk review process encompasses the identification, management and monitoring of risks in each business area. This process includes an assessment of the risks to determine the likelihood of occurrence, the potential impact and the adequacy of mitigation or controls already in place.
A full review is then undertaken by the Risk and Compliance Committee, who evaluate the principal risks of the Group with reference to its strategy and operating environment. The Audit and Risk Committee monitors these processes, reviewing the Group's Consolidated Risk Register and reporting material risks to the Board.
The Directors consider the following matters to be the principal risks and uncertainties (in no specific order) affecting the Group:
Risk | How it impacts us | What we are doing |
Recruitment and retention of key personnel | The ongoing success of the Group is dependent on attracting and retaining high quality employees at all levels in the business who can effectively implement the Group's strategy.
Failure to attract, retain or develop high quality employees across the business could limit the Group's ability to deliver its business plan commitments. | Making Sophos a great place to work is central to the Group's strategy.
Sophos is committed to a strong recruitment process supported by robust remuneration programs which are benchmarked appropriately. Additionally, Sophos has a commitment to all levels of training throughout the organisation.
Reward schemes are continuously evaluated to drive and reward performance and ensure the retention of key talent.
Annual employee engagement surveys enable progress of our people actions to be monitored, areas of improvement identified and necessary actions performed.
|
Defects or vulnerabilities in products or services | The Group's products and services are complex, and as such they have contained and may in the future contain design or manufacturing defects or errors that are not detected until after their commercial release and deployment by end customers. These defects could cause the Group's products or services to be vulnerable to security attacks, cause them to fail to help secure networks, temporarily interrupt end customers' networking traffic, or fail to prevent or detect viruses or similar threats. Further, due to the evolving nature of threats and the continual emergence of new threats, the Group may fail to identify and update its threat intelligence or other virus databases in time to protect end customers' networks and devices.
As a result, actual or perceived defects or vulnerabilities in the Group's products or services, or the failure of the Group's products or services to prevent a security threat, could harm the Group's reputation and divert the Group's resources.
| The Group is committed to extensive test cycles and quality procedures, which are subject to continuous improvement.
Sophos employs a combination of internal and external quality reviews and testing of products, including source code reviews, public and private third party efficacy testing, and various forms of penetration testing. We encourage a healthy collaboration with the security research community, as described in our Responsible Disclosure Policy: https://www.sophos.com/security.
Further, we protect the privacy and security of our customers worldwide through our pledge to never engineer backdoors into our products as described here: https://www.sophos.com/nobackdoors |
False detection of threats | The Group's products may falsely detect threats or malware that do not actually exist in applications or content based on the Group's classification of application type, virus, malware, vulnerability exploits, data or URL categories (known as "false positives"). These false positives, while inherent in the Group's industry, may impair the perceived reliability of the Group's products and may therefore adversely impact market acceptance of the Group's products.
If the Group's products restrict important files or applications based on falsely identifying them as malware (or some other item that could be restricted), this could adversely affect end customers' systems and cause material system failures. Any such false identification of important files or applications could result in negative publicity, damage to the Group's reputation, loss of end customers and sales, increased costs to remedy any problem and risk of litigation, any of which could have a material adverse effect on the Group's financial condition and operating results.
| Sophos is committed to investment in its world class security research labs facility with emphasis placed on staff training, testing and quality procedures.
Moreover, there is a continuous proactive focus on improvement of processes to enable early detection of a false positive event, as well as applying a 'lessons learnt' approach through root cause analysis.
Sophos acknowledges the inherent risk associated with a false positive incident within the industry and is committed to ensuring there are mitigating processes in place to manage any incident, large or small, in order to minimise the impact on our customers. |
IT security and cyber risk | As a provider of IT security products, the Group is a high profile target and the Group's networks and products may have vulnerabilities that have from time to time been, and may in the future be, targeted by attacks specifically designed to disrupt the Group's business and harm the Group's reputation.
If an actual or perceived breach of security occurs in the Group's internal systems, it could adversely affect the market perception of the Group's products. In addition, a security breach could affect the Group's ability to operate its business, including the Group's ability to provide support services to end customers.
| Sophos has a dedicated Cyber Security Team which is focused on investigation and mitigation of risks related to cyber-attack. The Group is focused on day-to-day active monitoring processes to identify and deal with IT security incidents, and also implements continual improvements in the IT security technology, education and awareness and policies that combine in the overall security posture of Sophos. |
Product portfolio management | Sophos has an extensive number of products, enhanced further by acquired technologies. The extent of investment in each product needs to be managed and prioritised, taking into account the expected future prospects. Additionally, consideration must be given to the ability to adequately support the entire product range.
Failure to manage the product portfolio adequately could result in inappropriate investment focus in relation to research and innovation in product development. This could result in products that do not meet the requirements of customers or partners and the risk they will look to alternative solutions, leading to the potential loss of both new and existing revenue streams.
Additionally, insufficient focus on key research and development projects may damage the long-term growth prospects of the Group. | Sophos continues to focus on and improve the interaction between Product Management, Product Development, Sales and Marketing and all Support functions in an integrated product development approach.
Internal processes are run to identify opportunities for standardisation and consistency across product lines. This helps to eliminate redundancy, reduce development and support cost and improve partner and customer experience through a more predictable and coherent product portfolio.
Additionally, Sophos customers and the partner community continue to be an invaluable resource in guiding portfolio management decisions. They provide immediate and constant feedback on how well Sophos is meeting their requirements and what improvements Sophos can make to its current offering, as well as opportunities for portfolio consolidation or expansion.
During the year-ended 31 March 2016, the Group strengthened its product portfolio through the acquisition of Reflexion Networks Inc and SurfRight BV.
|
Disruption to day to day Group operations | Sophos is at risk of disruption to its day to day operations from a disaster incident, which may seriously impact IT systems or access to office space.
A failure in the operation of the Group's key systems or infrastructure on which the Group relies could cause a failure of service to our customers and negatively impact the Sophos brand.
| Sophos has made significant investments in the technology and infrastructure of the Group to ensure it continues to support the growth of the organisation.
Additionally, incident management procedures and escalation processes are in place, and security, business continuity and disaster recovery plans are maintained. Ongoing updates and testing of these plans are underway. |
The full Annual Report contains the following statements regarding responsibility for the financial statements and management report/business review included therein.
Statement of Directors' Responsibilities in respect of the Annual Report and the Financial Statements
The Directors are responsible for preparing the Annual Report and the group and parent company financial statements in accordance with applicable law and regulations.
Company law requires the Directors to prepare group and parent company financial statements for each financial year. Under that law they are required to prepare the group financial statements in accordance with IFRSs as adopted by the EU and applicable law and have elected to prepare the parent company financial statements in accordance with UK Accounting Standards, including FRS 102, the Financial Reporting Standard applicable in the UK and Republic of Ireland.
Under company law the Directors must not approve the financial statements unless they are satisfied that they give a true and fair view of the state of affairs of the group and parent company and of their profit or loss for that period. In preparing each of the group and parent company financial statements, the Directors are required to:
• select suitable accounting policies and then apply them consistently;
• make judgements and estimates that are reasonable and prudent;
• for the group financial statements, state whether they have been prepared in accordance with IFRSs as adopted by the EU; and
• for the parent company financial statements, state whether applicable UK Accounting Standards have been followed, subject to any material departures disclosed and explained in the financial statements.
The Directors are responsible for keeping adequate accounting records that are sufficient to show and explain the parent company's transactions and disclose with reasonable accuracy at any time the financial position of the parent company and enable them to ensure that its financial statements comply with the Companies Act 2006. They have general responsibility for taking such steps as are reasonably open to them to safeguard the assets of the group and to prevent and detect fraud and other irregularities.
Under applicable law and regulations, the Directors are also responsible for preparing a Strategic Report, Directors' Report, Directors' Remuneration Report and Corporate Governance Statement that complies with that law and those regulations.
The Directors are responsible for the maintenance and integrity of the corporate and financial information included on the company's website.
Legislation in the UK governing the preparation and dissemination of financial statements may differ from legislation in other jurisdictions.
Responsibility statement of the Directors in respect of the Annual Financial Report
We confirm that to the best of our knowledge:
• the financial statements, prepared in accordance with the applicable set of accounting standards, give a true and fair view of the assets, liabilities, financial position and profit or loss of the company and the undertakings included in the consolidation taken as a whole; and
• the strategic report includes a fair review of the development and performance of the business and the position of the issuer and the undertakings included in the consolidation taken as a whole, together with a description of the principal risks and uncertainties that they face.
By order of the Board
D Ari Buchler, Company Secretary
25 May 2016
Neither the contents of the Company's website nor the contents of any website accessible from hyperlinks on this announcement (or any other website) is incorporated into, or forms part of, this announcement.