Material Topics
Information and Cyber Security
Impact Level
Impact Materiality : Very High
Financial Materiality : Medium
Stakeholders
Shareholder
Business Partner
Customer
Employee
Investor
Public Sector

SDGs Targets

Long-Term Targets 2025
Targets Progress
Zero incidents of information security and cybersecurity attacks resulting in damage to the company 0 0 0
Time to detect attacks is less than the global median* Less than 11 days Less than 11 days Less than 11 days

* Global median dwell time is 11 days (Source: FireEye Mandiant: M-Trends Report 2025)

Challenges and Opportunities

Business operations increasingly apply digital technologies across both production systems and operational networks, which are connected to the internet. Employees have also adapted to a work-from-anywhere approach. These factors may increase the risk of cyber threats, such as the theft of critical data or disruption of key information technology systems. Such incidents could impact business continuity, reliability, corporate image, and the company’s reputation.

To enhance system preparedness and strengthen information technology security measures, GC has implemented prevention, detection, and analysis of potential cyberattacks through its service channels, covering both on-premise and cloud protection. In addition, GC conducts vulnerability assessments of its systems.

In this regard, GC implements an information security management system that is aligned with its IT security policies, while also developing employee capacity at all levels so that employees are aware of and capable of applying proper mitigation measures against cybersecurity threats.

Management Approach GRI 3-3 (2021)

Cybersecurity Governance

To establish clear operational direction and create transparency at the policy management and operation levels, GC has implemented an information security management system and personal data security management in accordance with GC’s strategic plan and the cyber-related international standards ISO/IEC 27001:2022 and ISO/IEC 27701:2019, and the National Institute of Standards and Technology (NIST) framework, covering all six areas of operation, namely Govern, Identify, Protect, Detect, Respond and Recover.

Information Security/Cybersecurity Management Guideline and Process according to NIST Cyber Security Framework

The management hierarchy can be divided into three levels: (1) Governance level, (2) Management level, and (3) Operational level. GC has established a cybersecurity unit to enhance the effectiveness of information security and cybersecurity management.

Governance Level
  Role
  • Develop and review information security and cybersecurity strategies
  • Govern and manage IT operations
  Relevant Committee/Department
  • Board Level Audit Committee
  • GC Group’s Digital & IT Steering Committee (DISC)
  • Digital and Information Technology Investment Management Committee
  • Enterprise Risk Management Committee
  • Information Security Management System Committee (ISMSC)

Management Level
  Role
  • Manage technology infrastructure to meet usage needs and keep up with international standards
  • Manage information and personal data security according to ISO standards
  • Monitor and verify accuracy and precision
  Relevant Committee/Department
  • Enterprise Architecture Committee
  • Cybersecurity Department

Operation Level
  Role
  • Establish systems, procedures, and services for users to comply with
  • Assess performance monitoring and report risks to the Enterprise Risk Management Committee
  Relevant Committee/Department
  • Cybersecurity Department

Moreover, GC has appointed the Senior Vice President – Transformation Excellence to serve as Chief Information Security Officer (CISO), with the following roles and responsibilities: