ESR Group ESG Report 2023 EN

Environmental, Social and Governance Report 2023

PILLAR 3: CORPORATE PERFORMANCE

IT AND CYBERSECURITY

The Group recognises the increasing threats posed by cyberattacks, which are becoming more prevalent and sophisticated. ESR consistently evaluates the adequacy of the computer systems and implements enhancements to various platforms, given the growing reliance on technology to enhance operational efficiency and ensure effective internal governance. ESR has a cyber resilience infrastructure and network, which safeguards against technology-related risks originating from both internal and external sources. Additionally, ESR has comprehensive information technology policies and procedures in place, governing information availability, confidentiality, and security, to prevent any unauthorised disclosure of sensitive information.

The Group understands the importance of the increasing and intricate cyber threats on a global scale. As we expedite our digitalisation efforts to enhance business operations, we acknowledge that technology-related risks from both internal and external origins are fundamental components of our primary business risks.

At the governance and management structure level, the Group IT department reports to the Group Head of IT, who implements the information security plans and initiatives, enforces central IT controls and coordinates the identification, assessment and monitoring of information security risks to enhance the Group’s resilience. In bolstering our cybersecurity measures, vulnerability assessments are performed to test the integrity of the systems. In view of potential external threats that may impact ESR’s network and data, a Security Operations Centre (“SOC”) has been established and supervised by a third-party service provider in collaboration with the Group IT department. The SOC continually monitors and enhances our security posture, and proactively prevents, detects, analyses and responds to potential cybersecurity incidents.
By regularly reviewing the information technology disaster recovery plan and assessing the robustness of our IT systems, we ensure the protection of critical information systems and safe recovery of essential business operations.

At the defence and management approach level, ESR effectively manages cybersecurity risks through the implementation of an Information Security Management System (“ISMS”), which includes procedures dedicated to technology and data security controls. The ISMS Committee, headed by the Group’s IT director, consists of senior IT leaders from various business units within the Group. This committee is responsible for establishing the information security governance framework, monitoring the system’s functionality and ensuring the implementation of suitable safeguards to enhance the resilience of our IT operations against cyberattacks.

Risk Management

In 2023, we updated our cyber defence strategy to align with the growing adoption of cloud computing. To ensure continuous protection against malware and network threats, both within and outside our corporate networks, the Group IT department has implemented new cloud-based security services for our staff computing devices. Our cyber defences undergo regular testing through vulnerability assessments and penetration testing by third-party security specialists. Additionally, we conduct regular backups and disaster recovery testing to ensure the uninterrupted continuity of our operations. These measures collectively strengthen our ability to prevent, detect and respond to potential threats, safeguarding our data, assets, and reputation.

ESR has established a comprehensive set of IT policies and procedures. These encompass the governance of information accessibility, confidentiality and security to prevent any unauthorised disclosure of sensitive information.
Mandatory annual training sessions on IT security awareness, including simulated phishing tests, are conducted to keep employees informed and vigilant regarding potential security breaches and phishing scams. To augment our defence mechanisms against the financial repercussions of cyber incidents, the Group has secured cyber liability insurance, which also covers information security risks.

Over the past three years, ESR is proud to report that there have been no group-wide and third-party information security breaches, a testament to the effectiveness of the Group’s cybersecurity measures and proactive risk management approach.

ESR Group engages service providers to carry out a range of business functions. To ensure effective third-party security management, ESR Group has developed a robust framework and processes to assess and monitor the information security controls implemented by third parties and their continuing compliance with the Group’s stringent security standards.
