GC has established policies and measures pertaining to information security and cybersecurity as well as personal data management in accordance with ISO/IEC 27001 and ISO/IEC 27701. Moreover, GC continuously invests in improving its information security systems to ensure the security and stability of the information security and cybersecurity management system. To prevent any actions regarded as an offense under the Computer Crime Act and the Personal Data Protection Act, the company implements strict measures to ensure the integrity and protection of data.

In 2025, GC expanded the scope of its certification for information security management under the ISO 27001:2022 standard and personal data security management under the ISO 27701:2019 standard. The scope of this certification includes the following areas:

| Priority | Scope of ISO/IEC 27001:2022 and ISO/IEC 27701:2019 certification |
|---|---|
| 1 | Provision of information technology infrastructure systems (Infrastructure as a Service) - On-Premises |
| 2 | Provision of information technology infrastructure services (Infrastructure as a Service) - Cloud |
| 3 | Provision of information technology platform services (Platform as a Service) - Cloud |
| 4 | Public network system (Cyber Zone / Internet Zone Network) |
| 5 | Information system supporting the recruitment, selection, and employment processes (application supporting recruitment process), including SAP HCM and SuccessFactors systems |
| 6 | External recruitment and selection process |
| 7 | Personnel hiring process |
| 8 | Procedure for providing employees with life, accident and disability insurance coverage |

GC has established information security-related business continuity plans and taken preparatory steps by conducting cyber threat management exercises and performing cyber-attack risk assessments to enable risk monitoring and serve as a warning signal for operations (Monitoring and responsibilities to information security threats). In addition, an escalation process has been established to allow employees to report incidents, vulnerabilities, or any suspicious cyber activities.

Escalation process for reporting cybersecurity incidents or suspicious activities

GC has established Key Risk Indicators (KRIs) across three dimensions (personnel, business, and technology) to monitor the implementation of information security and cybersecurity measures.

Key Risk Indicator: KRI 2025

Key Risk Indicator (KRI) monitoring results for 2025

| Target Group | Action | Key Risk Indicator (KRI) | Target (%) | 2025 Outcome (%) |
|---|---|---|---|---|
| People | Conduct phishing test | Phishing report rate (quarterly) | >= 45 | 60.81% |
| | | Phishing victim rate (quarterly) | < 5 | 3.51% |
| Business | Perform vulnerability assessment to improve information system security | Vulnerability Fixed | 100 | 100 |
| Technology | Update and improve protection system against cyber breaches and cyber-attacks to heighten data security | Update Firmware and Signature on Firewall | 100 | 100 |

Furthermore, GC promotes awareness and responsibility among all employees for maintaining information security by establishing clear guidelines and policies. It also sets information security requirements for third parties accessing the company’s data or systems to ensure all stakeholders comply with the same security standards. The company furthermore enhances knowledge on the safe use of information technology alongside raising awareness of cyber threats and risks and data privacy protection through communication materials such as infographics and e-learning. This training and communication extends to employees, contractors, business partners (including both feedstock suppliers and non-feedstock service providers), customers, and any organisations or individuals operating on behalf of the company throughout the supply chain, enabling them to apply these practices in their work and daily lives.

Educating Employees on the Safe Utilization of Information Technology

Form of communication: Infographics
Details: Use infographics to convey news and information via e-mail to create employee awareness.
Sample content:
  • Precautions and prevention against different forms of phishing, e.g., e-mail, SMS, QR code.
  • Precautions and risks of installing malicious applications on smartphones and laptops.
  • Precautions and risks associated with using pirated software.
  • Precautions and risks of data leakage from using AI.

Form of communication: E-Learning
Details: Create an online knowledge center that is accessible to employees with a focus on creating awareness and understanding of fundamental cybersecurity issues as well as comprehensive information on cybersecurity threats.
Sample content:
  • Use AI safely to avoid becoming a victim of cyber threats.
  • Safeguard company data and protect it against digital-era threats.
  • Use licensed software to enhance data security.

Outcome

  • Test score on cybersecurity knowledge = 100%.
  • Contractors and suppliers must attend online training to acknowledge the Information Security Policy before accessing the company’s information system = 100%.