Sustainability Report 2024 Changing the way the world experiences property
Introduction Contents 1 About REA Group 2 ESG recognitions, awards and certifications 3 2024 highlights 4 CEO’s message 5 Materiality assessment 6 Key ESG metrics 8 Governance 9 Responsible and ethical business practices 12 Data privacy and cyber security 18 Innovation and technology 21 Risk and resilience 23 Social 24 Diversity, equity and inclusion 30 Talent attraction and retention 33 Culture and values 35 Community investment 38 Experience and satisfaction – customer and consumer 40 Product quality and service 42 Housing affordability advocacy and industry leadership 44 Environment 45 Climate change 51 REA Group’s climate-related disclosures 54 Independent Limited Assurance Report Acknowledgement of country Since 1995, REA Group has operated on the Traditional lands of the Wurundjeri Woiwurrung peoples, who have been the custodians since time immemorial. As the business has grown and established offices around Australia, we’re grateful to the Traditional Owners of all the lands we operate on, and we honour their enduring connection to lands, waters and communities. We extend our respect to all Aboriginal and Torres Strait Islander cultures and to Elders past and present.
Sustainability Report 2024 | REA Group Ltd 1 SOCIAL ENVIRONMENT GOVERNANCE INTRODUCTION In Australia, REA Group holds minority investments in Simpology Pty Ltd, a leading provider of mortgage application and e-lodgement solutions for the broking and lending industries, and Arealytics, a commercial real estate information and technology provider. Internationally, REA Group holds a controlling interest in REA India Pte. Ltd., operator of established brands Housing.com and PropTiger.com, and has a strategic investment in Easiloan, a digital home loan processing platform in India. In FY24 the Group also held a 20% minority shareholding in Move, Inc., operator of realtor.com in the US, and a 17.2% shareholding in the PropertyGuru Group, which runs leading property sites in Malaysia, Singapore, Thailand and Vietnam. Acquisitions On 5 July 2023, REA Group obtained 100% ownership of CampaignAgent, following our initial 27% acquisition in 2021. On 18 June 2024, REA Group acquired 100% ownership of Realtair Pty Ltd. We initially invested in Realtair in 2020 and held a 37% stake prior to this acquisition. ⋅ www.rea-group.com REA Group Ltd ACN 068 349 066 (ASX:REA) is a multinational digital advertising business specialising in property. Headquartered in Richmond in Victoria, Australia, the company employs more than 3,400 people with a purpose to change the way the world experiences property. About REA Group REA Group Ltd and its subsidiaries (‘REA Group’ or ‘REA’) operates Australia’s leading residential and commercial property websites – realestate.com.au and realcommercial.com.au – as well as Flatmates.com.au, the leading website dedicated to share property, and property research website property.com.au. The Group owns Mortgage Choice Pty Ltd, an Australian mortgage broking franchise; PropTrack Pty Ltd, a leading provider of property data services; CampaignAgent Pty Ltd, Australia’s leading provider of property vendor funding solutions; and Realtair Pty Ltd, a digital platform providing end-to-end technology solutions for the real estate transaction process.
Introduction ESG Recognitions, Awards and Certifications REA Group Ltd | Sustainability Report 2024 2 Top Graduate Employer 2024 We ranked among Australia’s Top Graduate Employers (small program) by the Australian Association of Graduate Employers. Aggregator of the Year In May 2024, Mortgage Choice was named Aggregator of the Year for the second year in a row at the Mortgage Business Online Awards. Great Place to Work Australia™ REA Group Australia has retained a top five ranking as one of Australia’s Best Workplace™ in the large company category for four consecutive years. In FY24, we also ranked among the top five for Australia’s Best Workplaces™ in Technology and were recognised in the Best Workplaces™ for Women list. FTSE Russell We were included as a constituent in the FTSE4Good Developed Index for the fourth consecutive year. Climate Active Carbon Neutral certification We were certified carbon neutral by Climate Active for the fourth consecutive year. MSCI ESG Rating We maintained our ‘Leader’ AA MSCI rating for the third consecutive year. Dow Jones Sustainability Indices We were included in the Australia and Asia Pacific Dow Jones Sustainability Indices (DJSI) for the second consecutive year. CDP We voluntarily contributed to CDP for the fifth consecutive year. In FY24 our score rose from Disclosure to Awareness for the first time. Great Place to Work India™ We ranked among India’s Top 5 Best Places to WorkTM 2024 for the second consecutive year.
2024 highlights Reconciliation Action Plan We published REA’s first Reflect Reconciliation Action Plan (RAP) following endorsement from Reconciliation Australia. The RAP focuses on four pillars: Relationships, Respect, Opportunities and Governance, with 13 actions to support progress. Consumer Privacy Centre REA launched a Consumer Privacy Centre that simplifies our Privacy Policy and provides clear, user-friendly explanations of our data practices. Social procurement REA is driving social and economic empowerment by partnering with diverse businesses, including Indigenous suppliers and social enterprises. In FY24, we spent $639,000 with Indigenous suppliers and $10,700 with social enterprises. Climate risk REA commenced a quantitative climate scenario analysis in preparation for the new Australian Sustainability Reporting Standards (ASRS) and continued to assess climate-related risks and opportunities across our Australian and Indian businesses. REA culture REA achieved an 88% Employee Engagement score in FY24, a 1% increase from FY23 and our equal-highest score. Additionally, our participation in the globally benchmarked Human Synergistics Organisational Culture Inventory revealed improvements in 11 out of 12 cultural factors, enhancing our understanding of REA’s highperformance culture. Consumer experience Our flagship site, realestate.com.au, is Australia’s number one address in property with 10.8 million unique visitors on average each month. Source: Ipsos iris Online Audience Measurement Service, Jul 2023 - Jun 2024 (average), P14+, PC/laptop/smartphone/tablets, text only, Homes and Property Category, Brand Group, Realestate.com.au, Audience (000’s). Sustainability Report 2024 | REA Group Ltd 3 SOCIAL ENVIRONMENT GOVERNANCE INTRODUCTION Climate sentiment REA continued to focus on climate awareness campaigns to educate and empower employees on sustainable choices that contribute to emissions reduction. This resulted in 87% of employees positively acknowledging REA Group’s commitment to climate responsibility in the 2023 Employee Engagement survey. Scope 1 & 2 carbon emissions REA achieved a 29% year-on-year (YoY) reduction in Scope 1 and 2 greenhouse gas (GHG) emissions, marking a 74% reduction since our FY20 baseline and tracking ahead of our science-based target of a 42% reduction by 2030. REA’s total carbon emissions increased 18.6% YoY, primarily driven by additional travel required to support global investments. Home energy insights PropTrack partnered with Origin Energy to publish the Australian Home Energy Report. This report combines data and insights to help homeowners make informed decisions to reduce their environmental impact and energy costs.
REA Group is committed to a sustainable future and our Environmental, Social and Governance (ESG) goals are embedded within our strategic agenda. Responsible and sustainable business practices underpin everything we do, contributing to our growth and the value we deliver to our customers, consumers and the community. We are proud to share our ESG milestones from the past year in this report, as well as our plans for our continued commitment for the years ahead. In FY24, REA was again recognised as an ESG leader in the interactive media and services industry receiving a Morgan Stanley Capital International (MSCI) rating of AA for the third consecutive year. REA was also included in the Australia and Asia Pacific Dow Jones Sustainability Indices (DJSI) for the second consecutive year, and we were listed as a constituent company in the FTSE4Good Index for the fourth consecutive year. From an environmental perspective, Climate Active certified REA Group carbon neutral for FY23 emissions. This was our fourth consecutive carbon neutral certification. Pleasingly, in FY24, we continued tracking ahead of our science-based target of a 42% reduction from our FY20 baseline in Scope 1 and 2 greenhouse gas (GHG) emissions by 2030. As we drive future growth, additional travel is required to support the Group’s global investments which has resulted in an 18.6% YoY increase in our carbon emissions. We remain focused on decarbonising our operations into the future. The passion of our people and their commitment to living REA’s values, make our business a great place to work every day. Our team drives our unique culture, and we were delighted to achieve an 88% Employee Engagement score in FY24, a 1% increase on the prior year, and our equal-highest score to date. We also surveyed our people through Human Synergistics Organisational Culture Inventory (OCI) to gain a deeper understanding of our high-performance culture and our strengths, and to identify opportunities for growth. We were pleased to see improvements in 11 out of the 12 organisational culture factors measured. In May we published our Reflect Reconciliation Action Plan (RAP), following endorsement from Reconciliation Australia. Focusing on the four pillars of Relationships, Respect, Opportunities, and Governance the launch of our first RAP was a significant milestone and lays the foundation for our future reconciliation initiatives. REA prides itself on effective governance, upholding the highest standards to ensure the long-term sustainable performance of our business. Supporting increasing community concerns around consumer privacy and ensuring transparency in the use of data, in FY24 we launched a new Consumer Privacy Centre that simplifies our Privacy Policy and aims to provide clear, user-friendly explanations of our data practices. As we move into FY25, I am looking forward to the many ESG growth opportunities we have in train continuing to progress, and new initiatives coming to life. With a clear business strategy and a focus on sustainable and responsible practices, REA is strongly positioned for continued future growth. Owen Wilson Chief Executive Officer REA Group Ltd | Sustainability Report 2024 4 Introduction CEO’s message Owen Wilson Chief Executive Officer REA Group
Identifying the most critical Environment, Social and Governance (ESG) topics, issues and opportunities for REA and its stakeholders. Materiality assessment REA’s approach to materiality aligns with our business priorities and stakeholders interests, and focuses on the most relevant environmental, social and governance issues to drive long-term value creation and enhance stakeholder trust. REA periodically reviews and assesses materiality assessment findings to ensure continued relevance. A detailed explanation of the materiality determination process is available on page 4 of our FY22 Sustainability Report. A comprehensive materiality assessment and review will be undertaken in FY25. This FY24 Sustainability Report highlights 11 key material topics, detailed on the following page, along with their corresponding Sustainable Development Goals (SDGs). This report has been prepared with reference to the Global Reporting Initiative (GRI) Standards (2021). For disclosure of our alignment with the GRI Standards, we have developed a reference index in our 2024 ESG Databook, available on the social impact section of REA Group’s corporate website. Please direct any enquiries to sustainability@rea-group.com. Materiality assessment Importance to stakeholders Importance to REA Group IMPORTANT MATERIAL HIGHLY MATERIAL 90 90 80 80 70 70 60 60 50 50 40 40 30 Executive remuneration Responsible and sustainable procurement Responsible marketing New markets Online safety Diversity, equity and inclusion Culture and values Climate risk Responsible and ethical business practices Housing a ordability advocacy and industry leadership Product quality and service Innovation and technology Talent a raction and retention Experience and satisfaction (customer and consumer) Data privacy and cyber security Risk and resilience Indigenous engagement Economic changes Community partnerships and programs Workplace health, safety and wellbeing Sustainable property features Regulatory environment and public policy Human rights Employee engagement more less more Sustainability Report 2024 | REA Group Ltd 5 SOCIAL ENVIRONMENT GOVERNANCE INTRODUCTION
REA Group Ltd | Sustainability Report 2024 6 Material topic Topic definition Metric* FY24 FY23 Status SDG Responsible & ethical business practices Implementing and maintaining best-practice policies to guide business decisions and drive ethical practice from the top down. Taxes paid, collected and remitted** $412.2m $375m The number of whistleblower complaints related to modern slavery risks** 0 0 Completion rate of ethical procurement training by REA’s procurement team 100% 100% Data privacy & cyber security Empowering and supporting customers and consumers to manage their personal data and maintain their privacy. Ensuring our policies, procedures and information systems effectively manage cyber security risks and vulnerabilities. Ensuring customer and employee data is confidential and secure, and not accessed or utilised inappropriately. Developers who completed secure code training 100% 98% Employee completion of cybersecurity refresher training (included as a module of annual compliance refresher training) 99.9% 100% Malicious mobile apps removed 14 45 Fake websites removed 33 34 Innovation & technology Championing and investing in innovation, while pioneering digital and technological innovations to stay ahead of the market. Encouraging the adoption of our culture, which is underpinned by our values and critical to our effective day-to-day operations. Teams and innovation ideas developed at REAio Hackathons n/a*** 92 n/a Risk & resilience Ensuring practices and processes remain flexible to adapt to drastic change, including social upheaval, pandemics and disruptive technology. Employee completion rate of annual compliance refresher training 99.9% 100% Diversity, equity & inclusion Implementing actions and strategies to achieve and maintain a diverse, equitable and inclusive workplace. Employees who identify as Women in Technology 32.6% 31.6% Employees who identify as female (Aus & Ind) %** 34.7% 32.6% Employees in Australia who identify as female % 50.0% 49.0% Employees in India who identify as female %** 17.6% 17.3% Introduction Key ESG metrics * Excludes REA India unless otherwise indicated. ** Includes REA India. *** Hackathons were paused for redesign in FY24.
Sustainability Report 2024 | REA Group Ltd 7 SOCIAL ENVIRONMENT GOVERNANCE INTRODUCTION Material topic Topic definition Metric* FY24 FY23 Status SDG Talent attraction & retention Managing current and future talent needs through attraction, retention, training and development. Internal recruitment rate 45% 47% Graduate hires 10 14 Voluntary attrition 9% 11.3% Culture & values Encouraging the adoption of our culture, which is underpinned by our values and critical to our effective day-to-day operations. Employee Engagement survey participation 83% 83% Employee Engagement score 88% 87% Experience & satisfaction (customer & consumer) Ensuring customer and consumer experiences are effortless and enjoyable. Designing products and services to adapt to evolving needs. Achieved minimum customer sentiment score Achieved minimum consumer sentiment score Product quality & service Ensuring product and service quality meets (and exceeds) industry standards and changing customer expectations. realestate.com.au app uptime 99.9% 99.9% Housing affordability advocacy and industry leadership Using our position as industry leaders to support training, development and innovation across the property sector. We also aim to achieve positive environmental, social and economic outcomes, including advocating for housing affordability. Annual contribution to Anglicare Rental Affordability Snapshot Submissions to government on housing affordabilityrelated policy Climate change Adapting to and mitigating climate change while managing climaterelated risks. Managing and reducing REA’s environmental impact, as well as assessing how environmental changes may impact REA and our customers. Carbon footprint ** 10,696.6 tCO2e 9,015.4 tCO2e Scope 1 & 2** 437.9 tCO2e 617.1 tCO2e Scope 3** 10,258.7 tCO2e 8,398.3 tCO2e Carbon neutral certification** In Progress Maintained Climate scenario analysis conducted Yes Yes * Excludes REA India unless otherwise indicated. ** Includes REA India.
Good governance is essential to protecting and enhancing the long-term performance and sustainability of our company. It also supports the interests of our shareholders, employees, customers, consumers and the broader community. 8 Governance REA Group Ltd | Sustainability Report 2024 Governance
9 Sustainability Report 2024 | REA Group Ltd SOCIAL ENVIRONMENT INTRODUCTION GOVERNANCE Establishing and upholding effective policies that guide business decisions, and promote ethical practices across REA. Modern slavery REA Group is committed to acting ethically and with integrity in all our business operations. We recognise that addressing and preventing modern slavery is crucial for sustainable business practices and the protection of vulnerable individuals and communities. All REA employees in Australia and India are required to complete modern slavery training each year as part of REA’s compliance refresher training. Additionally, REA’s central procurement team must complete ethical procurement and supply training. The REA Group Modern Slavery Statement, available on our website, details the policies and processes to manage modern slavery risks in Australia and India. Supplier due diligence Supplier due diligence is essential in mitigating REA’s supplier risk. In FY24, REA Australia onboarded 345 new suppliers using the OneTrust due diligence tool, which provides transparent oversight and streamlines governance processes. All new suppliers undergo comprehensive screening, including assessments in: › Modern slavery › Cyber security › Workplace health & safety (WHS) › Financial viability › Privacy impact › Global sanctions We continuously adapt our due diligence processes to keep pace with REA’s evolving operations and technological advancements. In FY24, this included requirements specific to AI technologies of both our existing and new suppliers to ensure comprehensive understanding of data management practices. We also designed specific methodologies for offshore service providers related to our review processes and ongoing governance. Responsible and ethical business practices Supplier governance Supplier governance is vital for REA to maintain competitiveness, mitigate risks and foster successful partnerships. Whether sourcing materials, services or technology solutions, the way we manage our suppliers can significantly impact our overall business performance. This year we completed a review to define and identify our Tier 1 suppliers. We determined that Tier 1 suppliers fall into one or more of the following categories and will have a formal governance framework in place: › Offshore managed service › Outsourced solution › Core function (customer or internal) › Global arrangement leveraging related party relationships › Procurement strategic decision In FY24, the Procurement team provided oversight and governance management for 35 Tier 1 suppliers. It used OneTrust to track governance and identify any issues, which were escalated to the Executive Risk Committee (ERC). Supplier Code of Conduct Our Supplier Code of Conduct outlines the standards and behaviour REA expects from our suppliers: › Workers’ rights and human rights › Business integrity › Privacy › Environment › Health & safety Supplier Code of Conduct This Code sets out the standards of behaviour REA expects suppliers to meet when doing business with us. REA expects suppliers to read, understand and comply with these standards and to ensure that any authorised sub-contractors comply with the minimum standards set out in this Code. This Code is effective from 1 July 2019.
10 Governance REA Group Ltd | Sustainability Report 2024 Sustainable procurement In FY24, we integrated ESGrelated questions into our Request For Proposal (RFP) and Supplier Onboarding forms to gain deeper insights into new and potential partners. These questions cover: › Environment policy, sustainability or ESG reporting › Emissions reduction targets › Measurement and disclosure of Scope 1, 2 and 3 emissions annually › Measurement and/or set targets for diversity and gender equality › Reconciliation Action Plans for those with a domestic presence Social procurement REA aims to create value beyond procuring goods and services by supporting diverse businesses and driving social and economic empowerment. This involves collaborating with social enterprises and Indigenous businesses as part of our procurement processes. We continue to partner with Supply Nation, Australia’s largest national directory of Indigenous businesses, as part of our Reconciliation Action Plan (RAP). In FY24, we spent $639,000 with Indigenous suppliers, including five Tier 1 suppliers. We have connected with Indigenous businesses for services such as office refurbishment, design and office supplies. In February 2024, REA partnered with Social Traders to expand our engagement and support of social enterprises. Social Traders provides certification, support and advocacy to help social businesses succeed and amplify their impact. In FY24, we engaged three social enterprises through Social Traders with a total social spend of $10,700. We look forward to growing our engagement with both Supply Nation and Social Traders in FY25. Tax transparency In FY24, REA paid, collected and remitted a total of $412.2 million in taxes. Our sixth Voluntary Tax Transparency Report highlights REA Group’s adherence to all tax regulations and endorsement of the Board of Taxation’s Voluntary Tax Transparency Code (TTC). Legal compliance training REA Australia’s legal team conducts mandatory annual training sessions for all Australian employees. These sessions cover essential topics such as privacy and consumer laws, as well as recent case law relevant to our operations. Responsible and ethical business practices continued Updated Securities Trading policy REA’s Securities Trading Policy was updated in FY24 to enhance clarity, tighten some controls, and promote good governance. Among other things, this update reinforces the prohibition on insider trading, and introduces stricter approval processes for certain employees. These changes aim to protect both REA and our employees from legal risks, and uphold market integrity. Whistleblower Policy REA Australia’s Whistleblower Policy facilitates the confidential reporting of concerns, with protection from retaliation. In FY24, we delivered an internal campaign to raise awareness of whistleblowing among employees. REA India has a local Whistleblower Policy and hotline for employees, contractors and suppliers of the REA India business. Conflicts of interest The detailed internal Managing Conflicts of Interest Policy applies to everyone involved with REA Group, including directors, employees, contractors, consultants and visitors, and specifies requirements for disclosure. Our publicly accessible REA Code of Conduct & Ethical Business Behaviour also outlines REA’s expected standards.
11 Sustainability Report 2024 | REA Group Ltd SOCIAL ENVIRONMENT INTRODUCTION GOVERNANCE Enhanced broker tools In FY24, Mortgage Choice improved tools and documents to streamline processes, assist with compliance, and simplify and enhance the customer experience. These enhancements included the following: › Updates to Loan Choices Document, combining the Preliminary Assessment and the Loan Choices Document into a single document, making it clearer and easier for consumers to understand › The direct integration of living expenses from Broker Platform to Apply Online to reduce manual rekeying of data into Apply Online › Enhancements to the Lending Toolkit to reduce manual re-keying of data into Apply Online › Increased document vaulting capacity to make it easier for brokers to upload all required documents › The introduction of the Funding Summary Estimate Tool, enabling brokers to create up to four funding scenarios for clients, with automatic Lenders Mortgage Insurance (LMI) Australian credit licences CampaignAgent provides financial services to vendors in the real estate sector, predominantly vendor paid advertising and access relating to a vendor’s equity between unconditional sale and settlement of a property. CampaignAgent provides these services through an Australian credit licence. Mortgage Choice provides mortgage and finance broking services through two credit licences. Both licences are covered under the Australian Financial Complaints Authority (AFCA)’s external dispute resolution scheme. Mortgage Choice and its broker network (authorised representatives) are members of the Mortgage & Finance Association of Australia (MFAA). As a member, Mortgage Choice subscribes to the MFAA Code of Practice, which outlines professional standards aimed at promoting ethical and fair business practices in the provision of finance to consumers. Acting in the best interests of customers Mortgage Choice brokers can access over 35 lenders and thousands of loans through our Broker Platform. This system captures customer needs and financial details, allowing brokers to model various lending scenarios. The integrated File Manager automates workflows and document collection, helping to ensure regulatory compliance and excellent customer service. Broker monitoring framework The Broker Monitoring and Advice team uses a range of methods to regularly monitor the Mortgage Choice network. This is done through a mix of pre-submission, quarterly, annual and thematic reviews using data-driven and risk-based metrics to ensure our brokers are delivering high-quality advice to customers. › Training: • Individual: Addresses monitoring outcomes, upskilling brokers directly • Group: Uses real-life scenarios and trends to teach best practices › Performance Monitoring: Tracks lender reviews, customer complaints and potential compliance breaches, and provides detailed reporting to the Australian Securities and Investments Commission (ASIC) In FY24, we expanded our compliance management and team collaboration tool to include investigations management. These enhancements are designed to streamline the review process, improve reporting and boost team productivity while ensuring compliance with ASIC regulations. Broker customer relationship management (CRM) platform In 2024, Mortgage Choice introduced an internal CRM to capture interactions with franchise owners and brokers. The CRM helps our teams provide more targeted support and safely deliver services.
Privacy at REA Societal concern around the protection of personal information continues to grow, and REA is committed to maintaining the security and privacy of its customers and consumers through increased transparency, choice and control. Privacy Centre In FY24, REA invested in dedicated Privacy Squads to enhance our consumer privacy experience and align with the evolving expectations of our users. As part of our commitment to transparency, we launched a public-facing Privacy Centre, serving as a central hub that includes a simplified Privacy Policy and clear, user-friendly explanations of our data practices. We have also empowered our users with greater control over their data by progressively rolling out more pointers and explainers, ensuring they feel secure when providing their personal information to us. We empower and support our customers and consumers to manage their personal data and maintain their privacy. We are committed to effectively managing cyber security risks through robust policies, procedures and information systems, to protect the confidentiality and security of consumer, customer and employee data. In anticipation of upcoming regulatory changes, we have strengthened our capabilities and begun developing our privacy-by-design target state architecture. This proactive approach is designed to ensure that our systems and processes will be compliant with future regulations and reinforces our commitment to safeguarding user data. REA Group’s Privacy Policy REA Group’s Privacy Policy explains the data we collect, its usage, storage and disclosure, and how we maximise the control users have over their own personal information data. 12 Governance REA Group Ltd | Sustainability Report 2024 Empowering and supporting customers and consumers to manage their personal data and maintain their privacy. Data privacy and cyber security
Privacy awareness at REA In support of these privacy initiatives, we enhanced our internal training and compliance programs with an external roadshow. The roadshow aimed to educate our external customers on the implications of forthcoming privacy changes, underscoring REA’s dedication to maintaining the highest standards of data privacy and security. We also staged an internal REA Privacy Awareness Week, during which we raised awareness of user privacy among our product and technology teams through informative blog posts and webinars. Our annual compliance refresher training, mandatory for all employees (excluding contingent workers), includes a module on ‘ensuring data privacy’. In FY24, we achieved a 99.9% completion rate. Program Propel Increasing internal demand and heightened external expectations are driving the need for enterprise-wide changes in data management and enhanced consumer experiences. Program Propel, a multi-year initiative, unites teams across REA to advance our data management, privacy and security capabilities. This effort aims to improve data accessibility and protection, enhancing experiences for our teams, customers and consumers. One of Program Propel’s key streams focuses on product security. This includes evolving our Application Security (AppSec) team to provide direct support, improve system health, reduce patching times, and establish a network of security champions across the business. Cyber security Building cyber resilience REA stays alert to potential cyber threats, recognising the ongoing importance of cyber security in the post-pandemic era as organisations continue to encounter security incidents in both customer-facing and internal settings. We are increasing our investment to reinforce our security strategy, emphasising our delivery and execution capabilities. Our Application Security team and our network of security champions are expanding, enhancing the health of our critical systems through close collaboration with product teams. Cyber security is a regular agenda item for our ERC and Audit, Risk & Compliance Committee. Additionally, our Cyber Security team collaborates with product managers and technology teams to enable proactive monitoring of REA systems for vulnerabilities, helping us to better mitigate malicious activities and threats. In FY24, we uplifted our cyber security maturity in several areas, including: › Automating our Security Operations capabilities › Improving our endpoint software management controls › Delivering secure remote access for our hybrid offshore teams › Deploying next-generation AI capabilities in our cyber defence platforms › Engaging our Board and Executive leaders in a ransomware crisis management scenario 13 Sustainability Report 2024 | REA Group Ltd SOCIAL ENVIRONMENT INTRODUCTION GOVERNANCE
Cyber security strategy and policy REA’s cyber security strategy remains consistent and has been independently assessed. It focuses on five priority areas: 1. Visibility of assets and threats 2. Good technology hygiene 3. Broad adoption of key security controls 4. Promotion of a risk-aware culture 5. Data protection These cyber security priority areas are supported by our objectives for FY24, which guide decision making for our security roadmap and aim to: › Improve the security health of our critical systems › Deliver world-class security products and services › Increase staff awareness of cyber security threats REA’s Cyber Security Policy is publicly available on our corporate website. Product Security Health Checks We prioritise upfront security integration in products and technology, rather than postdevelopment integration. Our Product Security Health Check (PSHC), aligned with the NIST (National Institute of Standards and Technology) Cyber Security Framework (CSF), is built into our product development lifecycle and enables assessment by product managers. Teams use PSHC story cards in their product delivery roadmaps to meet cyber security policy requirements and avoid unnecessary delays. Ensuring our suppliers meet our security needs REA’s Cyber Security, Procurement, Legal, and Risk team are key stakeholders in REA’s supplier governance framework. This framework ensures our suppliers meet REA’s risk appetite and the expectations of our consumers and customers through our enhanced due diligence process, aligned with the NIST CSF. Industry collaboration Collaborating with industry peers is essential in enhancing REA’s threat intelligence and security strategy. Our partnerships with various Australian organisations, such as the Australian Cyber Security Centre and the Tech Council of Australia, are crucial in these efforts. In FY24, we strengthened community engagement by sponsoring Bsides Melbourne, a not-for-profit event with the goal of making a positive impact on the security community through networking, sharing and collaborating. REA is deeply engaged in Australia’s digital security landscape. We participate in the Tech Council of Australia’s cybersecurity working group, which aligns with the federal government’s 2023-2030 Australian Cyber Security Strategy. Additionally, our Security team members contribute to the broader profession through roles in various external platforms, including: › Executive advisory boards for cybersecurity and technology › Review boards for conference papers › Conference presentations and industry forums › Talent development initiatives › Real Estate Institute events › Professional development days for mortgage brokers Digital risk management Digital risk management is essential to proactively identify, assess and mitigate potential threats and vulnerabilities to REA and our customers. During FY24, REA took down 14 malicious mobile apps and 33 fake websites related to phishing, social media and brand abuse. This was achieved by leveraging a combination of certificate transparency monitoring and phishing takedown services from a leading digital risk management partner. REA maintains a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy for our outbound marketing campaigns, providing confidence that messages originate from REA Group and are digitally signed by us. 14 Governance REA Group Ltd | Sustainability Report 2024 Data privacy and cyber security continued
Responsible disclosure REA values the security research community. The Responsible Disclosure Policy on our corporate website guides safe vulnerability reporting. While we don’t offer rewards, we recognise contributors in our Responsible Vulnerability Disclosure Program Hall of Fame. In FY24, we acknowledged five responsible disclosures. Driving a security-aware property industry We promote cyber security awareness in the property industry, and we foster a collaborative culture for industry protection and consumer privacy. We encourage customers to use the realestate.com.au Customer Marketing Centre to access the Small Business Security Guide, which will help them safeguard their business against cyber threats. In FY24, we further enhanced our cyber security protection for real estate agents through the rollout of passwordless login for our Ignite platform. REA continues to strengthen cyber security across the Mortgage Choice franchisee broker network, by offering managed security services through our trusted security partners. Data governance and ethics Data powers all REA’s market-facing experiences. Our data governance and management approach ensures we have the policies, frameworks, standards, practices and supporting technology solutions that allow us to be innovative, objective and fair in the use of that data. This enables us to realise the value of our data assets for our consumers, our customers and ourselves in our decision making. We adhere to our Data Ethics policy and align with the Australian AI Ethics Principles to enact safe and considered testing and implementation. Our investment in our Enterprise Privacy Program further enhances our data management, security and privacy capabilities and practices. Our data ethics statement has remained consistent and centres around five core principles: Legal and secure Our collection, storage and use of data adheres to the law and aligns with our security, privacy and data handling policies. Transparent We ensure openness and transparency about what data we collect, store and use, including honesty about value exchanges. We aim to provide consumers with control over their data and ensure that data materialisation and outputs are explainable and auditable. Accounted for All data will have an owner who knows where the data is, what it is used for, where it flows from and to, and who is engaged when our business seeks to use it. Fairness Our use of data should not involve or result in unfair discrimination against individuals, communities or groups. Considered We actively choose the data we use, collect and store. Data will be disposed of or anonymised in line with our legal and secure principle unless we wish to retain it. Secure Passwordless Login for our Ignite Application Ignite is REA’s tailor-made reporting tool for real estate agents, designed to maximise their investment with realestate.com.au. It allows customers to: › Easily access reports on demand › Make smart marketing decisions, faster › Maximise every lead Previously, Ignite customers used a multifactor authentication process to log in. The introduction of passwordless login adds additional protection while making the login process simpler for our customers. 15 Sustainability Report 2024 | REA Group Ltd SOCIAL ENVIRONMENT INTRODUCTION GOVERNANCE
Empowering people to make good security decisions REA Australia empowers our teams and customers to tackle security risks as a strategic priority. Through REA University, our learning and development platform, we ensure continuous security education across the following areas: › Secure code training with Open Worldwide Application Security Project (OWASP) Top 10 best practices › A network of security champions promoting good practices with specialised training › 100% of developers completed secure code training in FY24 › A Small Business Security Guide for property managers available from our Customer Marketing Centre › Security onboarding › LinkedIn Learning micro-courses in security › Participation in Safer Internet Day 2024, emphasising secure app and device use and regular privacy reviews › Promotion of online safety and abuse reporting resources from eSafety.gov.au › Protection for employees and their families through free 1Password for Families accounts › Monthly Security Guild showcases, including: • “Capture the Flag” hacking competitions • Demonstrations of security vulnerabilities • Cybercrime awareness sessions › Phishing Awareness initiatives where employees share phishing examples they’ve encountered HIGH-RISK EMPLOYEES DEVELOPERS CUSTOMERS ALL EMPLOYEES TECH COMMUNITY › Self-service training on email compromise and fake invoicing scams › Enhanced multi-factor authentication with biometric login › Sessions introducing new tech employees to the security team 16 Governance REA Group Ltd | Sustainability Report 2024 Data privacy and cyber security continued
AI abuse › The rapid development of generative AI has enabled more realistic cyber attacks that are not easily distinguishable as fake. However, AI isn’t just for attackers; several security products now incorporate AI to improve detections. We are fighting AI with AI, improving the effectiveness of our security workforce while bolstering our cyber defences. New social engineering attacks › We are seeing an increase in social engineering attacks from native English-speaking cyber criminal groups using intrusion techniques that are indistinguishable from legitimate users. We expect to see an uptick in targeted social engineering directed towards highlevel access users (e.g. those who control system defences) as more groups adopt the same tactics. We continue to expand our phishing awareness program for employees, targeting high-risk communities where appropriate. Data privacy and cyber security at REA India In FY24, REA India significantly enhanced its cybersecurity position by focusing on automation-driven threat and risk management. We developed new processes to meet evolving technological and business needs and initiated compliance with the new Digital Personal Data Protection regulations, emphasising privacy-by-design. Enhanced threat detection capabilities across all systems improved proactive risk mitigation. These initiatives strengthened the security framework and promoted continuous cybersecurity improvement, demonstrating REA India’s commitment to protecting digital assets and ensuring data privacy in a complex digital environment. Preparing REA Group against future threats Our security strategy is designed to proactively prepare us for cyber attacks. REA continuously evolves our security program to stay aligned with future work practices and the everchanging threat landscape. Regulation and legislation › Regulation is crucial for safeguarding digital assets, and REA makes substantial investments in technology, people and administrative efforts to comply and protect our business from cyber threats. Our participation in the Tech Council of Australia’s cybersecurity working group provides ongoing advice and guidance, supporting the federal government’s 2023-2030 Australian Cyber Security Strategy. Third and fourth party breaches › Related-party breaches are expected to rise as organisations mature their defences, potentially affecting their trusted partners. The interconnected nature of modern supply chains and business dependencies makes it harder to assess and mitigate these risks. To tackle this, we have implemented a zero-trust platform to connect us to the partners who provide our augmented workforce on a global scale. 17 Sustainability Report 2024 | REA Group Ltd SOCIAL ENVIRONMENT INTRODUCTION GOVERNANCE
Our technology strategy Technology is central to REA achieving its strategic priorities, and we continuously monitor trends to innovate and advance. Our teams deliver products across multiple markets and customer segments, relying on robust platforms for fast delivery. Our technology strategy focuses on: Consumers and customers of the future: We create hyper-personalised experiences using rich knowledge and behavioural insights to engage consumers, customers and brokers. Evolution of technology platforms: By simplifying our tech landscape and investing in cloud-based solutions, we accelerate delivery and reduce maintenance. Driving data: Leveraging our proprietary data assets with AI and Machine Learning technology enables us to provide market-leading products and real-time interactions. Digital trust and safety: Investing in data, cyber and privacy strengthens brand trust, loyalty, and the willingness of consumers to share their data. Our future-ready tech community: Supporting and evolving our workforce facilitates greater productivity and increased industry recognition. Championing and investing in digital and technological innovations to ensure REA stays ahead of the market. Innovation and technology Trend monitoring We continue to monitor key technology trends to adjust our approach where necessary and to plan ahead. Consumer expectations around privacy are evolving rapidly, necessitating enhanced security measures now and into the future. Emerging Augmented Reality (AR) and Visual Reality (VR) technologies are revolutionising user experiences and will shape our future digital offerings. The exponential increase in data creation and storage presents both opportunities and challenges for data management. We continually monitor cybersecurity threats, which are becoming more sophisticated and frequent and require increasingly robust and proactive defences. Additionally, the growing complexity and sprawl of technology infrastructures demands attention to platform engineering and cognitive load management. Workforce preferences are also shifting, with an increasing focus on tools that facilitate hybrid work environments, which REA endorses. These trends are all critical to informing and evolving our strategic direction. 18 Governance REA Group Ltd | Sustainability Report 2024
Artificial intelligence (AI) REA continues to leverage Machine Learning and AI to power products while also exploring opportunities with generative AI. Our internal generative AI forum has identified four broad categories that will enhance REA’s experiences and increase speed to market, which are: › Product and data enhancement › Developer productivity › Workforce productivity › Gen AI capabilities in third-party SaaS platforms In FY24, REA used AI to enhance our property experience and add value for our customers, consumers and employees. Products and services using AI include the Premiere+ Listing Strength Check, PropTrack’s Automated Valuation Model (AVM), seller lead enrichment and CampaignAgent’s auto approval. Internal tools using AI include Zoom, Miro, Enterprise Generative AI chat and GitHub Copilot for our developer community. REA strives for value-driven AI within safe guardrails and has adopted Australia’s AI Ethics Principles. Roomvo Roomvo is an innovative AI-powered renovation tool developed to allow users to digitally preview home improvements. It aids decision making and transforms the way property owners plan their home updates. Property.com.au Property.com.au has established itself as one of Australia’s most comprehensive property research destinations, and in FY24 15 new site experiences were delivered to improve seller confidence and generate customer value. Key additions include a new logged-in membership experience offering property owners data and insights, and expanded search and map functionality for comprehensive property exploration. Audience to Property.com.au grew by 167% YoY in Q41, elevating it from the sixth to the third most-visited Australian property website, with total minutes on site increasing by 163% YoY in Q41. 1 (IPSOS Q4 FY23 vs Q4 FY24) 19 Sustainability Report 2024 | REA Group Ltd SOCIAL ENVIRONMENT INTRODUCTION GOVERNANCE
Innovation and technology continued Innovation through collaboration Innovation is fundamental to REA’s business; it’s a core part of our values and drives our success. We foster innovation through key events, recognising that collaboration is essential for sparking new ideas and solutions: › Tech Kick-Off (TKO): Our annual gathering of REA’s Tech, UX, Design and Product teams to strategise, celebrate, inspire and learn, TKO promotes peer learning and collaborative innovation. › Listopalooza 2023: In FY24, our Consumer team engaged staff in a creative adventure that saw them gather 154 innovative ideas across buy, rent and sell journeys to redefine our core experience. › REA India hackathon: At the FY24 “Code Safari”, 16 teams used ChatGPT, Copilot and Gemini to create over 2,300 new test cases, accelerating development and setting new standards for test case creation. › Cremorne Digital Hub “Wicked Innovations” community hackathon: REA participated in this event, which brought together digital organisations to brainstorm innovative solutions that positively impact the local community. REA placed second in the challenge. Reimaging REA Australia hackathons After 42 hackathon events over 14 years, the focus for FY24 was to redesign the hackathon format to inspire fresh creativity and collaboration. No hackathons took place in FY24 as the tech team worked on the new format. In FY25, an incubator event will be introduced alongside Hackdays to support bigger and bolder ideas coming to life. Housing.com platform enhancement In FY24, REA India upgraded its Housing.com apps and backend services. This resulted in a 40% speed improvement for both Android and iOS apps, enhancing the user experience and reducing negative feedback. Migrating core services resulted in streamlined operations, expanded platform compatibility and improved recruitment efficiency. These upgrades demonstrate REA India’s commitment to exceptional user experiences and operational excellence. Steve Maidment In FY24, REA welcomed Steve Maidment as our new Chief Technology Officer. Steve brings over 20 years of technology leadership experience and will drive our innovation and digital capabilities, marking an exciting chapter in our commitment to technological excellence. 20 Governance REA Group Ltd | Sustainability Report 2024
Ensuring practices and processes remain flexible to adapt to drastic change, including social upheaval, pandemics and disruptive technology. Risk and resilience Risk at REA At REA, effective risk management is about taking appropriate risks at the right time, for the right return, while doing the right thing. This is achieved through adherence to our established risk management standards and guidelines. REA is committed to maintaining a consistent and integrated approach to risk throughout our processes and culture, driven by the regularly reviewed and updated REA Risk Management Framework (RMF), which is aligned with best practices and industry and community standards. 21 Sustainability Report 2024 | REA Group Ltd SOCIAL ENVIRONMENT INTRODUCTION GOVERNANCE
Material risk categories REA’s RMF identifies key categories of material risk to which the Group has the most significant exposure, including Strategic Risk, Operational Risk, Compliance Risk, Regulatory Risk and Credit Risk. Following the acquisition of CampaignAgent, REA introduced a sixth material risk category, Balance Sheet and Liquidity Risk (effective from 1 July 2024), reflecting the risks associated with funding and pricing a lending book. Additionally, the definition of Credit Risk has expanded beyond traditional exposure to trade credit risk to now include unsecured credit. New to REA’s RMF is the concept of Emerging Risks, addressing future risks not yet fully understood or quantified. REA’s Risk Management Policy requires emerging risks relevant to our business to be monitored and continuously reassessed via the ERC. This approach aims to ensure our smoother adaptation and response to these risks when our understanding of them or their materiality increases, thereby building stakeholder confidence. Risk culture and compliance In FY24, REA introduced the concept of risk culture, categorising it as ‘maturing’, ‘developing’, or ‘needs improvement’, based on an overall score. Achieving a ‘maturing’ score by 30 June 2024 was a significant goal, which required widespread understanding of risk culture, consistent monitoring of supportive behaviours, and embedding these behaviours firmly into business practices. In June 2024, we successfully met this objective. Our ‘Living by our Code’ mandatory compliance refresher training reflects REA’s focus on maintaining the highest level of business ethics and integrity. The training is refreshed annually to keep the content relevant and applicable to all employees. In FY24, REA Australia added the completion of the annual compliance training to the new ‘Minimum Standards’ requirements for employee participation in our Short-Term Incentive Program (STIP). In FY24, we achieved a 99.9% completion rate. Our Code of Conduct and Doing Business Ethically and with Integrity Policy sets the tone for our compliance culture. We provide these documents to employees during their onboarding compliance training and they are readily available to all staff on our intranet. Business resilience Business continuity and resilience are critical for REA and we conduct business continuity management activities such as activity analyses, planning and exercises to safeguard critical activities. Key programs in FY24 included: › Crisis Response Team and Board exercises focused on cyber “ransomware” scenarios › System Recovery Plan testing to ensure consistent reporting of critical system test results › Emergency mass communication exercises and business continuity plans addressing critical loss scenarios Risk and resilience continued Risk governance Effective risk governance at REA is underpinned by our RMF, which comprises several important elements: 1. Identifying and analysing the main risks facing the Group 2. Evaluating those risks – making judgements about whether they are acceptable 3. Implementing and documenting appropriately designed controls to manage these risks 4. Testing of controls to ensure they are appropriately designed and operating effectively 5. Planning for business interruptions and crises; and 6. Ongoing monitoring, consultation, communication, and review The ERC oversees the implementation of REA’s RMF, ensuring management fulfils its risk management responsibilities and that risks are operating within the Risk Appetite Statement and Limits approved by the Board. Further details on REA’s material and key business risks, as well as detailed risk management responsibilities of the REA Board, its Committees and Management, can be found in the following: ⋅ Risk Management Policy ⋅ 2024 Annual Report ⋅ 2024 Corporate Governance Statement 22 Governance REA Group Ltd | Sustainability Report 2024
RkJQdWJsaXNoZXIy MjE2NDg3