
Sustainability governance

We incorporate robust governance structures designed to ensure our sustainability efforts align with best practices and are accountable.

This includes:

  • Ethical conduct: A focus on ethical business practices keeps our operations compliant with international and local regulations and underpins the high standards we maintain.
  • Sustainability oversight: Sustainability initiatives are integrated into the overall business strategy, with oversight by the Board and executive leadership.

We commit to transparency in reporting by publishing our sustainability report detailing our progress across our sustainability pillars. As part of this commitment, our auditors EY have performed limited assurance over the statements and figures in this report. Refer to page 115 for their statement of assurance.

Our material topics

Governance is a core function for Santos. We promote a culture of ethical and responsible conduct in line with our values and legal obligations to support long-term success.

Our approach

Governance and business ethics

Our corporate governance framework underpins effective decision-making and operational integrity.

Our Code of Conduct sets clear expectations for ethical behaviour, guiding how we interact, make decisions and perform daily work. All employees and contractors are required to adhere to these standards, and we deliver mandatory Code of Conduct training across all global locations. We report on breaches of our Code of Conduct.

Reportable misconduct

Santos is committed to providing a safe environment for reporting misconduct. Our Reporting Misconduct (Whistleblower) Procedure allows stakeholders to report concerns such as misconduct, fraud or corruption through various channels, including anonymously and through an external confidential 24-hour hotline. All reports are investigated, as appropriate, under our internal processes. Training is provided to those who work for and with us as well as to our Board Directors, in line with Australian whistleblower laws.

Read more on risks and opportunities, our process and due diligence and our actions and performance in the 2024 Annual Report.

Santos is committed to upholding internationally recognised human rights, guided by the UN International Bill of Rights and the UN Guiding Principles on Business and Human Rights.

Our approach

Human Rights Framework

We also work to align with the Voluntary Principles on Security and Human Rights, integrating these into our policies and practices, including our Human Rights and Modern Slavery Policy.

Our Human Rights Framework supports these commitments and guides our processes to address key risks. We recognise the role of governments in protecting human rights and work collaboratively to align our operations with these responsibilities.

Read more on risks and opportunities, our process and due diligence and our actions and performance in the 2024 Annual Report.

Important topics

Our approach

Santos is obligated to comply with the Australian Security of Critical Infrastructure Act (2018) and related amendments for Australian assets, and with similar regulations for non-Australian assets. To meet these obligations Santos has enacted a cyber risk management framework based on the Australian Energy Sector Cyber Security Framework (AESCSF). The AESCSF draws on the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which in turn informs Santos’ overall Risk Management Framework for managing cyber security threats.

Santos adheres to the Australian Privacy Act (1988) and similar legislation in the other locations where we operate. Privacy policies are available on the Santos website, and a register of Personally Identifiable Information (PII) is kept within the company. Please refer to santos.com/privacy for further information on how this information is protected.

Establishing individual responsibilities for information security for the entire workforce

Santos ensures that all staff understand their responsibilities for information security through a mandatory cyber security induction for all employees and contractors. This is augmented by ongoing cyber awareness training (such as targeted training for at-risk teams, password strength guidance and phishing awareness).

All staff are required to adhere to the Santos Management System (SMS), which sets the mandatory requirements for how the business operates. It comprises policies, standards and procedures for the entire business. Cyber security requirements are captured within the SMS.

Establishing Information requirements for third parties

Santos ensures all third parties are aware of their information security responsibilities via the ‘Supplier Data Protection Requirements’ document published in the Procurement section of the corporate website. This document sets out the key information security requirements that third parties must meet.

Information Security Governance

The company Chief Information Officer (CIO) is responsible for information security and is directly supported by a dedicated Information Security Manager.

A Board-level Audit and Risk Committee is in place to oversee cyber security risks and compliance, with regular reports on cyber security posture, risk status and cyber programs provided to the Committee.

An assurance calendar is in place and published to the Committee showing timing of annual cyber security activities, including internal and external audits, penetration testing and training schedules.

Information Security Management

The company has an information security management program published within the SMS which covers the following topics:

  • Information Security Management
  • Cyber Security Risk Management
  • Data & Information Management
  • Supplier Data Protection
  • Acceptable Use
  • System Acquisition and Disposal
  • Identity and Access Management
  • Personally Identifiable Information Management
  • Software Acquisition
  • Disaster Recovery

Our policy, process and due diligence

The AESCSF provides for both preventative and responsive controls to protect information held by Santos, including Personally Identifiable Information (PII). All systems (including those holding PII) and data are protected by industry-standard cyber security products and practices, and no notifiable or material cyber or information breaches occurred in the last 12 months.

Santos is a participant of, and contributor to, the Australian Government’s Critical Infrastructure Information Exchange forum, and meets regularly with regulatory officials, law enforcement and peers to exchange intelligence on emerging threats and trends.

Assessment of cyber security posture and controls is performed throughout the year, with annual benchmarking of performance through both internal and external audits, penetration testing and other evaluations.

Key programs and initiatives include:

  • Santos maintains a robust and dynamic program of both capital and operationally funded security improvement initiatives. These initiatives focus on the continuous enhancement of existing cyber security controls to address evolving threats and ensure compliance with regulatory requirements.
  • Our program emphasises regular updates to current systems, ensuring they remain aligned with the latest industry standards and technologies. Additionally, we conduct frequent audits, readiness assessments, and incident response simulations to evaluate and strengthen our ability to counteract potential threats effectively.
  • To stay ahead of emerging cyber security risks, Santos is committed to the proactive adoption and integration of new technologies, tools, and systems designed to enhance our defensive capabilities. This approach ensures that we not only meet today’s challenges but also anticipate and prepare for the evolving cyber security landscape.