The company has established an information security management system, including the security of personal data, which has been audited and certified in accordance with the ISO/IEC 27001:2022 and ISO/IEC 27701:2019 standards.

GC’s internal audit function also reviews and audits systems and practices relating to information security and data privacy management at least four times per year, and a third-party entity conducts external audits on an annual basis to test for vulnerabilities in information security. Based on the assessment of the past year, GC’s information and cyber processes and infrastructures were in compliance with relevant standards, and no non-conformities were detected. In addition, the Company performs information security vulnerability testing at least once a month and conducts penetration testing at least once a year.

In addition, GC manages cyber risks in accordance with the NIST Framework to enhance security across all levels of the organisation. The framework is divided into six areas, with notable information security and cyber control projects in 2025 as follows:

NIST framework and key projects in 2025

No. Process Key information security and cybersecurity control projects in 2025
1. Govern
  • GC conducts reviews and updates of its information security policies, frameworks, and/or practices to ensure alignment with international standards, laws, and relevant regulations annually.
  • GC has established guidelines for the use and development of Generative AI to ensure that the adoption of Generative AI technology is effectively governed and safeguarded.
  • GC identifies cybersecurity threats by considering both internal and external risk factors, and reviews its risk treatment plans. Key Risk Indicators (KRIs) are also established to monitor and track risks on an annual basis.
  • GC organizes a Governance, Risk, and Compliance (GRC) Roadshow to raise employee awareness about cybersecurity risks and promote secure use of information technology.
2. Identify
  • GC has conducted a cybersecurity operations assessment against the NIST Cybersecurity Framework version 2.0 to improve cybersecurity operations.
3. Protect
  • GC has installed the Web Application Firewall (WAF) to increase security and reduce the risk of being attacked by any ill-intentioned parties, providing both on-premise and cloud protection.
  • GC has implemented an Email Protection system to enhance security and reduce the risk of attacks such as phishing and business email compromise (BEC).
  • GC has developed the Cybersecurity E-learning to support and encourage employees to learn about cybersecurity. 99% of employees were able to finish the course within 2 months.
  • GC has developed the Phishing Test Campaign to assess awareness and knowledge in dealing with cyber threats through a total of 6 Phishing Email tests. Test results indicated that the rate of phishing email reporting rose by 5.63% compared to 2024, demonstrating ongoing improvement in employee cybersecurity awareness.
4. Detect
  • GC has implemented an Endpoint Detection and Response (EDR) system to detect and analyze cyberattacks on Company computers.
  • GC has implemented a Security Operations Center / Security Information and Event Management (SOC/SIEM) system to collect, analyze, and correlate security events from various systems through centralized monitoring, as well as provide alerts for high-risk events.
5. Respond
  • GC continuously prepares for abnormal situations by conducting cybersecurity incident response drills that simulate attacks on Information Technology (IT) systems, as well as reviewing and updating the Cybersecurity Incident Response Plan to respond to and mitigate potential incidents.
6. Recover
  • GC has conducted drills twice a year on system and data recovery procedures from its Disaster Recovery (DR) site to support emergency situations that impact critical information systems, ensuring recovery targets are met.
  • GC has obtained Cybersecurity Insurance to cover damages and expenses that may arise from cybersecurity incidents.

Information security and cybersecurity performance results

| Indicator | 2022 | 2023 | 2024 | 2025 | Target 2025 |
|---|---|---|---|---|---|
| No. of cybersecurity incidents | 0 | 0 | 0 | 0 | 0 |
| No. of complaints about information insecurity | 0 | 0 | 0 | 0 | 0 |
| Total number of information security breaches | 0 | 0 | 0 | 0 | 0 |
| Total number of clients, customers and employees affected by the breach | 0 | 0 | 0 | 0 | 0 |