1. ABOUT THIS POLICY
1.1 It is Sophos policy, wherever we operate in the world, to conduct our business in an honest and ethical manner. The Company takes a zero-tolerance approach to Corruption, Bribery and associated crimes, and to unethical behaviour. We are committed to acting professionally, fairly and with integrity in all our business dealings and relationships. This is the Company’s Anti-Corruption Policy (the “Policy”).
1.2 Sophos Group Limited and Sophos Holdings, LLC and their respective subsidiaries (collectively, the “Company” or “Sophos”) uphold all laws relevant to countering bribery and corruption in the jurisdictions in which we operate. We are specifically bound by, but not limited to, the laws of the UK in our compliance with Anti-Corruption legal and ethical requirements. This includes the Bribery Act 2010, which is binding on our UK-incorporated companies and all our overseas subsidiaries, and the laws of the United States, including the Foreign Corrupt Practices Act 1977. Further, Sophos adheres to the Code of Conduct of the Responsible Business Alliance, specifically Section D, Ethics (Sections 1-Business Integrity, 2-No Improper Advantage, 3-Disclosure of Information, 5-Fair Business, Advertising, and Competition), in its administration of this Policy.
1.3 Corruption and Bribery are serious offences. Individuals who are convicted may be imprisoned for up to ten years and fined. If Sophos, as a corporation, is convicted of an offence, it could face an unlimited fine, be excluded from tendering for public contracts and suffer serious damage to its reputation.
We therefore take our legal responsibilities very seriously and any employee who breaches this policy will face disciplinary action, which may result in dismissal for gross misconduct. Any non-employee who breaches this policy may have their contract terminated with immediate effect.
This policy covers the following elements of Corruption:
(a) Bribery
(b) Cybercrime
(c) Conflicts of Interest
(d) Nepotism
(e) Extortion
(f) Fraud
(g) Theft
The prevention, detection and reporting of corruption is the responsibility of everyone at Sophos and the entities under its control. All employees – and those persons performing services on our behalf – are required to avoid any activity which may be in breach of this Policy. If you believe or suspect that a breach of this policy has occurred or may occur, you can raise an alert using the “Speak Out” web page; alternatively, you can notify compliance@sophos.com as soon as possible.
This policy does not form part of any employee's contract of employment. The Company will publish internal guidelines that explain and support this policy.
2. WHO MUST COMPLY WITH THIS POLICY?
Everyone. This includes all persons working for Sophos or performing services on Sophos’ behalf in any capacity: employees at all levels, directors, officers, agency workers, seconded workers, volunteers, interns, sales agents, contractors, external consultants, any third-party representatives and business partners.
3. WHAT IS CORRUPTION?
3.1 Corruption is any form of dishonesty or criminal offence undertaken by a person or organisation entrusted with a position of authority in order to acquire an illicit benefit or to abuse that position for personal or private gain. Corruption covers many activities, including bribery and embezzlement.
3.2 Bribery is the offering, promising, giving, accepting or soliciting of an undue advantage of any value (financial or non-financial), directly or indirectly (e.g. through a third party) and irrespective of location, in violation of applicable law, as an inducement or reward for a person acting or refraining from acting in relation to the performance of their duties. Bribes can take the form of money, gifts, loans, fees, hospitality, services, discounts, the award of a contract or any other advantage or benefit which leads to the award or retention of a contract or similar business advantage for Sophos.
3.3 All forms of Corruption and Bribery are strictly prohibited. Sophos will not tolerate any form of Corruption or Bribery, either within our own business activities or within the business activities of those who perform services on our behalf. If you are unsure whether an act constitutes Corruption or Bribery, raise it with your manager, via the “Speak Out” web page, or by emailing compliance@sophos.com. In particular, you must not:
(a) give, offer or solicit any payment, gift, hospitality or other benefit in the expectation that a business advantage will be received in return, or to reward any business advantage already received;
(b) accept any offer from a third party that you know, or suspect is made with the expectation that we will provide a business advantage to them or anyone else;
(c) give or offer any payment (sometimes called a facilitation payment) to a government official in any country to facilitate or speed up a routine or necessary procedure;
(d) threaten or retaliate against another person who has refused to commit a bribery offence or who has raised concerns about possible Corruption or Bribery under this policy.
4. GIFTS AND HOSPITALITY
4.1 You can give or accept reasonable and appropriate gifts and hospitality for legitimate purposes such as building relationships, maintaining our image or reputation, or marketing our products and services.
4.2 You may not give or receive a gift or hospitality if it is:
(a) cash;
(b) given in secret;
(c) not reasonable or proportionate, e.g. unduly lavish or extravagant;
(d) intended, or reasonably perceived, as an inducement or reward for preferential treatment, e.g. during contractual negotiations or a tender process;
(e) given or received with the intention of causing (or is reasonably capable of causing) the recipient to perform their functions improperly;
(f) intended to influence a public official in the performance of their functions, or to obtain or retain business or a business advantage;
(g) a reward for obtaining or retaining business or a business advantage, even where the value of the gift is below the thresholds described below; or
(h) capable of being perceived as a conflict of interest.
4.3 Gifts must be:
(a) of an appropriate type and value depending on the circumstances and the reason for the gift; and
(b) made in the name of Sophos and must comply with any relevant local laws.
4.4 Corporate branded items of nominal value, items of nominal value designed for free giveaway at trade fairs and equivalent (e.g., pencils, note pads, umbrellas), and working lunches and refreshments provided during meetings at a company site may be given or received at any time and do not need to be recorded.
4.5 Unless approval has been granted by the Compliance Department, the value of gifts or hospitality given or received must not exceed the thresholds set out below or such lower threshold permitted by local law:
| | Gift | Hospitality (per head) |
| Maximum value per instance | US$50 / £38 / €44 | US$200 (US$100 for restaurants or catering, including alcohol) / £140 (£70 for restaurants or catering, including alcohol) / €175 (€90 for restaurants or catering, including alcohol) |
| Maximum value provided to the same individual over a 12-month period | US$200 / £140 / €175 | US$800 (US$400 for restaurants or catering, including alcohol) / £560 (£280 for restaurants or catering, including alcohol) / €700 (€350 for restaurants or catering, including alcohol) |
4.6 Any gifts or hospitality of more than nominal value offered to, or received from, public officials must comply with local regulations and be approved in advance by the Compliance Department (compliance@sophos.com).
5. SALES INCENTIVES
5.1 Any sales incentives (SPIFFs) and marketing incentives (MDFs) for channel partners must be transparent, reasonable and in accordance with the guidelines issued by the Compliance and Legal Departments, and must follow the defined process models.
6. SPONSORSHIPS AND DONATIONS
6.1 Sophos may support charitable causes, but not in the expectation of any reward or influence in return. All requests for sponsorship or charitable donations must be screened by the Compliance Department (compliance@sophos.com) in advance of the donation or sponsorship.
7. RECORDKEEPING
7.1 Sophos declares and keeps a written record of all hospitality and gifts given or received in the Sophos Group Anti-Bribery and Corruption Register, which is maintained by the Compliance Department. Information will be held for a period not exceeding 2 years from creation. All Sophos employees must submit expense claims relating to hospitality, gifts or payments given to or received from third parties in accordance with the Sophos expenses policy, recording the reason for the expenditure.
7.2 All accounts, invoices, and other records relating to dealings with third parties including suppliers, customers and partners should be prepared with strict accuracy and completeness. Accounts must not be kept "off-book" to facilitate or conceal improper payments.
8. DUE DILIGENCE – DEALING WITH THIRD PARTIES
8.1 All applications for the appointment or engagement of any third party acting on behalf of, or in partnership with, Sophos must be submitted via Vendor Review. Appropriate due diligence will be conducted on all third parties before entering into agreements with them. For further guidance on due diligence, including corruption and bribery issues, contact the Compliance Department, compliance@sophos.com.
8.2 Sophos must have a written contract with all third parties with whom we do business. The contract must include appropriate contractual protections, including termination rights if the third party breaches anti-bribery laws and/or the terms of this policy.
9. CONFLICT OF INTERESTS
9.1 A conflict of interest is a situation in which an individual’s business, financial, political or personal interests could interfere, or appear to interfere, with their judgement in carrying out their duties on behalf of Sophos. Sophos directors, managers and employees who work for, or have an equity stake in, a Sophos customer, partner, supplier or competitor, or who have any similar arrangement, must disclose their connection; such an arrangement may not be acceptable. Directors, employees and third parties (working on behalf of Sophos) have an obligation to act in the best interests of Sophos and in accordance with this Anti-Corruption Policy. For further guidance please refer to the Sophos Company Handbook.
9.2 Conflicts of interests may create problems as they can:
(a) inhibit free discussion,
(b) result in decisions or actions that are not in the interests of Sophos,
(c) contribute to anti-competitive (anti-trust) or criminal actions, undermining the reputation of Sophos through unethical and improper behaviour, and
(d) create a perception of wrongdoing through inappropriate provision of gifts or hospitality based upon a real or potential reciprocal business relationship.
9.3 In recruitment, a candidate’s previous employment in public service, or with an existing vendor, supplier or customer, must be evaluated and advised to Compliance before onboarding. This Policy requires that such a hire creates neither a conflict of interest nor a breach of government rules on the employment of former public servants or of those holding political or legislative office.
10. DECLARATION OF INTERESTS
10.1 Directors, employees and third parties are obliged to declare their interests where there may be a potential conflict of interests in accordance with the Sophos “Declaration of interests” form, which lists the types of interest that should be declared. If any changes occur, it is the individual’s personal responsibility to update their declaration of interests at the earliest opportunity. Further:
(a) if an individual is unsure what to declare, or whether a personal declaration needs to be updated, they must discuss the issue with the VP Compliance, a Director or the Company Secretary for confidential guidance; and
(b) interests will be recorded in the Sophos “Register of Interests”, which will be maintained by Compliance and reviewed on a regular basis. Declarations will be processed and retained in accordance with the Sophos General Data Protection policy.
10.2 You should declare your interest at the earliest opportunity and should offer to withdraw from any subsequent Sophos business matter or discussion to which the interest relates.
10.3 Where an individual has a conflict of interest (e.g. a Sophos sales manager is related to a customer’s procurement manager), they must not be involved in managing or monitoring a contract in which they have an interest. Monitoring arrangements for such contracts will include provisions for an independent audit and for termination of the contract if the relationship is unsatisfactory.
10.4 An undeclared material conflict of interests may be grounds for disciplinary action or dismissal.
11. NEPOTISM
Nepotism is a form of discrimination in which family members or friends are hired for reasons that do not necessarily have anything to do with their experience, knowledge or skills.
Employees must not offer, promise, imply or favour employment for a close family member or friend without going through the Sophos recruitment and selection process.
All Sophos employees, contractors, vendors and anyone else working on behalf of the Company are also expected not to commit other crimes prohibited by law, such as theft, fraud, extortion and cybercrime. Further, it is the Company’s policy and expectation that all will take appropriate measures to protect themselves and the Company from any such crimes.
12. HOW TO RAISE A CONCERN
12.1 The prevention, detection and reporting of a breach of this policy is the responsibility of all. If you are offered a bribe, are asked to make one, or suspect that corruption or another breach of this policy has occurred or may occur, you must notify your manager, raise an alert using the “Speak Out” web page, or notify compliance@sophos.com as soon as possible.
13. TRAINING AND COMMUNICATION
13.1 Anti-Corruption and Bribery training is provided to new employees as part of their onboarding process, and on an annual basis afterward. All Sophos employees should ensure that they receive relevant training on how to implement and adhere to this policy. Training is provided through Sophos Eloomi.
13.2 Sophos will communicate this policy to third parties who perform services on our behalf, including contractors, consultants and business partners. We will seek to include in our agreements with third parties contractual obligations requiring them to comply with this policy (or an equivalent policy of their own). In certain circumstances, it may be appropriate for training to be provided to third parties.
14. MONITORING AND REVIEW
14.1 Sophos has conducted a detailed assessment of, and engages in ongoing monitoring of, corruption risks both within the Sophos group and in relation to persons who perform services on its behalf.
14.2 The Compliance Department will regularly review the implementation of this policy in respect of its suitability, adequacy and effectiveness, and make improvements where appropriate. Issues of concern will be reported to the appropriate persons in line with company hierarchy.