Material Topics: Information and Cyber Security

Impact Level

  • Impact Materiality: Very High
  • Financial Materiality: Medium

Stakeholders

  • Shareholder
  • Business Partner
  • Customer
  • Employee
  • Investor
  • Public Sector

Target

  • No cases of cybersecurity breach or trail in cyberattack after the provision of cybersecurity training.
  • Reduce time to detect cyber incidents to the lowest possible*

*Remarks: The average time in the industry is 11 days. (Source: FireEye Mandiant: M-Trends Report 2024)

Risks and Opportunities

At present, increasing dependence on technology may give rise to cyber threats that affect our production processes and all of our operating platforms that rely on Internet connections. Particularly during the COVID-19 pandemic, when our ways of working came to rely more on digital technology, an increase in cyber threats such as theft of critical information or production process interruptions could affect our reliability, credibility, and reputation.

To enhance system preparedness and strengthen information technology security measures, the Company has implemented prevention, detection, and analysis of potential cyberattacks through its service channels, covering both on-premise and cloud protection. In addition, the Company conducts vulnerability assessments of its systems.

In this regard, GC implements an information security management system that is aligned with its IT security policies, while also developing the capacity of employees at all levels to be aware of cybersecurity threats and capable of applying proper mitigation measures against them.

Management Approach GRI 3-3 (2021)

Cybersecurity Governance

To prevent ambiguity in our work direction and create transparency at the policy management and operation levels, GC has implemented an information security management system and personal data security management in accordance with GC’s strategic plan and the cyber-related international standards ISO/IEC 27001:2022 and ISO/IEC 27701:2019, as well as the National Institute of Standards and Technology (NIST) framework, covering all six areas of operations, namely Govern, Identify, Protect, Detect, Respond and Recover.

Information Security/Cybersecurity Management Guideline and Process according to NIST Cyber Security Framework

The management hierarchy can be divided into three levels, comprising (1) Governance Level, (2) Management Level and (3) Operation Level. GC has established a cybersecurity-related department to enhance efficiency in information security and cybersecurity management.

Governance Level

Role
  • Develop and review information security and cybersecurity strategies
  • Govern and manage IT operations

Relevant Committee/Department
  • Board Level Audit Committee
  • GC Group’s Digital & IT Steering Committee (DISC)
  • Digital and Information Technology Investment Management Committee
  • Enterprise Risk Management Committee
  • Information Security Management System Committee (ISMSC)

Management Level

Role
  • Manage technology infrastructure to meet usage needs and keep up with international standards
  • Manage information and personal data security according to ISO standards
  • Monitor and verify accuracy and precision

Relevant Committee/Department
  • Enterprise Architecture Committee
  • Cybersecurity Department

Operation Level

Role
  • Establish systems, procedures, and services for users to comply with
  • Evaluate, monitor, and report risk assessments to the corporate-level Risk Management Committee (ERMC)

Relevant Committee/Department
  • Cybersecurity Department

Moreover, GC has appointed the Senior Vice President – Transformation Excellence to serve as Chief Information Security Officer (CISO), whose roles and responsibilities are as follows: