GC has established an information security management system, which also covers data privacy, that has been audited and certified according to ISO/IEC 27001:2022 and ISO/IEC 27701:2019.

GC also reviews and audits its systems and practices relating to information security and data privacy management, through an internal audit function at least four times per year and through external audits (by a third-party entity) on an annual basis, to test for vulnerabilities in information security. Based on the assessment of the past year, GC’s information and cyber processes and infrastructures were in compliance with relevant standards, and no non-conformities were detected. In addition, the Company performs information security vulnerability testing at least once a month and conducts penetration testing at least once a year.

Moreover, GC manages cyber threats in line with the NIST framework to enhance cybersecurity for the entire organization. The NIST framework is divided into the following six aspects.

NIST Framework and Outstanding Information and Cybersecurity Projects in 2024

No. Process Detail
1. Govern
  • GC conducts reviews and updates of its information security policies, frameworks, and/or practices to ensure alignment with international standards, laws, and relevant regulations annually.
  • GC identifies cybersecurity threats by considering both internal and external risk factors, and reviews its risk treatment plans. Key Risk Indicators (KRIs) are also established to monitor and track risks on an annual basis.
  • GC organizes a Governance, Risk, and Compliance (GRC) Roadshow to raise employee awareness about cybersecurity risks and promote secure use of information technology.
2. Identify
  • Develop a project to assess the cybersecurity framework for third-party management in order to evaluate the governance standards for external service providers involved in the use, connection to, or access of the company’s information systems. This will be benchmarked against the draft Third-Party Management guidelines issued by the National Cybersecurity Agency (NCSA).
3. Protect
  • GC has installed a Web Application Firewall (WAF) to increase security and reduce the risk of being attacked by any ill-intentioned parties, providing both on-premise and cloud protection.
  • GC has implemented an Email Protection system to enhance security and reduce the risk of attacks such as phishing and business email compromise (BEC).
  • GC has developed Cybersecurity E-learning to support and encourage employees to learn about cybersecurity. 99% of employees were able to finish the course within 2 months.
  • GC has developed a Phishing Test Campaign to assess awareness and knowledge in dealing with cyber threats through a total of 10 phishing email tests. Compared to 2023, the phishing rate dropped by 0.57% while the reporting rate upon encountering phishing emails rose by 7.48%.
4. Detect
  • GC has installed an Attack Surface Management system to detect and analyze the likelihood of being attacked via GC’s service channels which are accessible from the internet.
  • GC has implemented a Network Detection and Response (NDR) system to monitor and analyze network traffic.
5. Respond
  • GC continuously enhances its preparedness for abnormal situations by conducting crisis management and business continuity exercises. These exercises simulate corporate-level Information Technology (IT) and Operational Technology (OT) security attack scenarios. In addition, the Company regularly reviews and updates its Cybersecurity Incident Response Plan to ensure effective response and mitigation of potential incidents.
6. Recover
  • GC has conducted drills twice a year on system and data recovery procedures from its Disaster Recovery (DR) site to support emergency situations that impact critical information systems, ensuring recovery targets are met.
  • GC holds cybersecurity insurance.

Information & Cybersecurity Performance

| | 2021 | 2022 | 2023 | 2024 | Target 2024 |
|---|---|---|---|---|---|
| No. of cybersecurity incidents | 0 | 0 | 0 | 0 | 0 |
| No. of complaints about information insecurity | 0 | 0 | 0 | 0 | 0 |
| Total number of information security breaches | 0 | 0 | 0 | 0 | 0 |
| Total number of clients, customers and employees affected by the breach | 0 | 0 | 0 | 0 | 0 |