Sustainability Report 2023/24

Measures for Our Business Units

Business units must adhere to our internet guidelines, encompassing website design, footers, language, content and data collection. The guidelines specifically emphasize obligations related to data collection; webpages that gather customer data must incorporate the Customer Data (Privacy) Policy. Our security is supported by Data Backup, Restore, and DRILL test policy, password changes and management policies.

Ensuring the Security and Protection of Our Network

• Regular external vulnerability assessments and penetration-testing identify weaknesses and entry points
• Proactive monitoring by our 24/7 operations centre enables early threat detection and swift response

Mitigating the Risk of Data Breaches

• Next-generation firewalls monitor network traffic, and identify suspicious activities and unauthorized access attempts. They are the first line of defence in detecting and blocking potential attacks
• Regular security updates are applied in our operating systems, and anti-malware solutions remove malicious software
• Monitoring tools access real-time data and detect suspicious patterns and anomalies in our IT systems

Raising Employee Awareness

• Employees receive regular cybersecurity awareness training to identify and report suspicious activities, and follow secure practices when handling sensitive data
• Conduct phishing simulations for all full-time staff to enhance their ability to recognize attacks. Staff who fail the exercise receive training and webinars to learn about cybersecurity threats and best practices, and how to identify and respond to phishing. This training has reduced the number of staff failing the subsequent phishing tests by 47%
• During the reporting year, our training covered cybersecurity trends, policies and tools, the Personal Data (Privacy) Ordinance, data security measures and case-sharing
• Staff are reminded to use only approved and registered removable drives and to remain vigilant against fraudulent emails

Responding Swiftly

• A comprehensive IT security incident response plan specifies the procedures and responsibilities for cyber threats and incidents
• The plan’s predefined actions and communication protocols ensure a coordinated response
• A robust backup strategy with regular backups prevents loss of data, where immutable backups are utilized to prevent deletion of backup data
• Endpoint protection software isolates compromised data and contains leaks

We uphold the integrity of our business through stringent cybersecurity and safeguarding customer privacy. The Board, via the Executive Committee, oversees our cybersecurity strategy, which entails identifying, monitoring, mitigating and managing risks. Our IT Governance Steering Committee (IT Committee), led by executive management, supports the Executive Committee in supervising information security, including our IT infrastructure. The IT Committee also collaborates with the IT department to integrate security into the daily operations of all business units and ensure the successful implementation of our cybersecurity strategy.

A Cybersecurity Policy, introduced in the previous reporting year, provides a framework to manage IT-related risks effectively and sets clear responsibilities in the Group. In our operations, we ensure compliance with the Personal Data (Privacy) Ordinance and other applicable laws and regulations. Policies and procedures are reviewed regularly.

Our Customer Data (Privacy) Policy gives detailed information to customers regarding the collection, handling and usage of their information. Prior to purchasing a property, all homebuyers are required to sign a Personal Information Collection Statement that outlines the purpose of data collection and handling. To mitigate the risk of data breaches, strict adherence to up-to-date data-handling procedures is mandatory for all staff. A Cybersecurity Operating Guideline has been newly developed by our Group IT department to monitor and respond to data breaches and cyberattacks.

Regular internal and external audits ensure compliance with security policies, industry regulations and best practices. The audits assess the effectiveness of our security system and identify areas for improvement.

Protecting Customers’ Data Privacy and Responding to Cybersecurity

Our hotels have implemented various measures to safeguard customer privacy. Royal Plaza Hotel engages third-party consultants to perform penetration tests every six months. An endpoint security programme and endpoint detection and response protect the Royal Plaza Hotel’s system and data from threats and cyberattacks. Royal View Hotel conducts four rounds of phishing simulations every year to enhance users’ cybersecurity awareness.

Sun Hung Kai Properties Limited | Sustainability Report 2023/24
