SHKP Sustainability Report 2024/25
Sun Hung Kai Properties Limited | Sustainability Report 2024/25

Continuous Staff Training and Awareness Enhancement

As part of our commitment to operational integrity and data security, all employees undergo mandatory cybersecurity awareness training on a regular basis. These programmes equip staff with the knowledge to recognize potential threats, promptly report suspicious activities, and adhere to established protocols for handling sensitive information. During the reporting year, our training covered cybersecurity trends, policies and tools, the Personal Data (Privacy) Ordinance and data security measures. Staff are reminded to use only approved and registered removable drives and to remain vigilant against fraudulent emails.

Anti-phishing

As part of our cybersecurity strategy, we conduct regular phishing simulations for all full-time employees to strengthen organizational defences. These exercises enhance staff vigilance and improve threat recognition capabilities. Employees who initially fail the simulated attacks receive targeted remedial training, including specialized webinars that address cybersecurity best practices, threat identification techniques and proper response protocols. This proactive training approach has yielded significant results, with the number of employees failing in the subsequent testing cycle decreasing by 29.3% due to increased security awareness.

Measures for Our Business Units and Hotels

All business units must comply with our extensive internet guidelines, which govern website design, footers, language, content and, critically, data collection practices. Notably, any webpage collecting customer data must explicitly include the Customer Data (Privacy) Policy to ensure transparency and compliance. Our security framework is further reinforced by the Data Backup, Restore and DRILL Test Policy, along with stringent password change and management policies, to maintain data integrity and access control.

Hong Yip attained the Platinum Award in the Cyber Security Staff Awareness Recognition Scheme 2024, co-organized by The Hong Kong Internet Registration Corporation Limited and ISACA China Hong Kong Chapter.

This year, SmarTone enhanced its data security with two key initiatives: Hong Kong’s first Staff Verification Code, enabling customers to authenticate SmarTone staff during phone interactions, and a 24-hour ‘Anti-Scam WhatsApp Hotline’ for expert consultation if customers suspect their devices have been compromised. SmarTone also offers a comprehensive cybersecurity solution that includes Data Guard, Call Guard and Phishing Alerter, providing continuous protection against data leaks, blocking junk calls at the network level and alerting users instantly to suspicious SMS messages. For detailed information, please refer to SmarTone’s ESG Report 2024/25.

Our hotels have implemented robust safeguards to protect customer privacy. Royal Plaza Hotel conducts bi-annual third-party penetration testing to identify and remediate vulnerabilities. Additionally, the hotel employs an endpoint security programme with detection and response capabilities to defend against cyber threats. Meanwhile, Royal View Hotel and ALVA Hotel by Royal strengthen their cybersecurity posture with quarterly phishing simulations, enhancing staff awareness and preparedness against cybersecurity attacks.

Cybersecurity Risk Management

The Group has earned ISO 27001 Information Security Management certification, demonstrating our commitment to high standards of information security and protection. To safeguard operations and stakeholders, we maintain cybersecurity risk management procedures: preventing threats, mitigating impacts and ensuring rapid recovery from disruptions.

Preventive Measures

- Conduct regular external vulnerability analyses and penetration testing to identify potential weaknesses
- Engage 24/7 security operations centre service to enable real-time threat detection and immediate response
- Deploy next-generation firewalls to monitor all network traffic, identify suspicious activities and block unauthorized access attempts
- Install advanced security software to detect, isolate, and mitigate threats to prevent data exfiltration
- Implement regular, tamper-proof backup systems with immutable storage to prevent unauthorized deletion or alteration
- Employ a multi-layered cybersecurity approach, including regular security updates, real-time anti-malware protection, and advanced monitoring systems to detect anomalies, prevent breaches and safeguard critical data

Responsive Measures

- Develop a comprehensive business continuity plan and IT Security Incident Response Plan, outlining procedures, roles and responsibilities for identifying, addressing, and recovering from cybersecurity incidents, ensuring minimal disruption to operations
- Establish a clear escalation process and communication strategies for employees to report incidents, vulnerabilities or suspicious activities to ensure swift, coordinated action during an incident. Reported cases will be directed to the Legal and Compliance Department, IT Department, or other relevant internal stakeholders