ORGANISATIONAL CAPITAL

CYBER-READINESS AND DATA PRIVACY

Data Privacy

The privacy and protection of our stakeholders’ personal data is of paramount importance to us. The Company has established standard operation procedures, policies and guidelines governing the management of personal data in compliance with the Singapore Personal Data Protection Act, while information security materials are made available to educate stakeholders on prevailing risks, especially in the handling of sensitive corporate data. Customers and business partners can get in touch with our Data Protection Officer by mail, email and phone on matters concerning their personal data with the Group. The Company’s Data Privacy Policy is available to the public on our corporate website.

Our processes are regularly reviewed and enhanced based on regulatory developments and stakeholder feedback, in consultation with the Legal department to ensure ongoing adherence to applicable data protection laws. Annually, our employees are also required to complete training on data protection. The Company’s Social Media Guidelines advocate employees’ responsibility on the use of social media, including taking precautions for the protection of information privacy.

In 2025, there were no substantiated complaints concerning breaches of customer privacy, theft, leak and loss of customer data or critical information across CDL Group.

External Engagement and Due Diligence

The Anti Money Laundering, Counter Financing of Terrorism and Counter Proliferation Financing Policy was introduced in July 2016 and periodically updated to reflect the latest regulatory requirements to our employees in frontline sales and compliance job functions. We worked on aligning our policies and guidelines with the external marketing agents for the Group’s properties. This ensures that our business is reasonably guarded against the risk of property transactions being used to finance terrorism or launder illicit funds. The Company’s processes are also updated to comply with the Guidelines for Developers on Prevention of Money Laundering, Proliferation Financing and Terrorism Financing.¹ These include conducting Customer Due Diligence and Project Risk Analysis.

As part of our due diligence, all direct suppliers of the Company’s core operations in Property Development and Asset Management are required to endorse their acceptance of and compliance with the ethical standards as outlined in our Supplier Code of Conduct.

The Company’s Enterprise Risk Management team periodically provides mandatory training for all new hires on key risk management related topics (namely Anti Money Laundering, Counter Financing of Terrorism and Counter Proliferation Financing, Data Privacy, and Incident Notification and Management). Anti Money Laundering refresher training is also conducted periodically for internal stakeholders. Business units that are assessed to be at higher risk, such as Sales and Marketing, Accounts Receivable and Fund Management, are encouraged to register for the training.

Cybersecurity

A robust Group-level Cybersecurity Framework aligned with industry best practices has been adopted to protect the confidentiality, integrity, and availability of our digital assets. The framework includes updated policies and standards that ensure our processes and technologies remain relevant in addressing the current threat landscape. The Company’s Computer Security Policies and Standards were updated in late 2024 to reflect the latest cybersecurity practices. In 2025, we published our Artificial Intelligence (AI) Governance and Security Framework to govern the responsible adoption and use of GenAI technologies and to oversee AI-related risks. IT cybersecurity key risk indicators, including any cyber incidents, are reported quarterly to the CDL Risk Management Committee. In addition, IT Risk Reports are submitted to CDL’s Audit Risk Committee on an annual basis. More information can be found in CDL AR 2025. In 2025, there were zero cyber-security related breaches.

Our policies and cybersecurity frameworks enabled:

• Secure and Reliable Operations: Proven technologies are adopted to secure digital infrastructure and ensure critical systems are guaranteed to be reliable and consistent. This guards against interruptions that may result in inefficiencies or data loss. This includes solutions such as Next Generation Anti-Virus, Advanced Email Security Protection solution, Enterprise Class Firewalls, Intrusion Protection System, and the Web Application Firewall to protect our information assets. Endpoint and Network Detection systems are also deployed to detect and respond to anomalies, addressing advanced and persistent cybersecurity attacks. Sensitive data is encrypted at rest and data in transit is encrypted to safeguard critical information. Robust processes are in place to ensure that only authorised personnel have access to the relevant data. In addition, data recovery strategies and measures, such as data backup, are in place to minimise downtime and ensure critical information can be made available quickly for business continuity.
• Good Governance and Secure Use of AI: The CDL AI Governance and Security Framework provides clear governance structures and accountability to guide the responsible and secure use of Generative AI and other AI technologies. AI systems, including those supporting smart building solutions and operational automation, are subject to consistent oversight and risk-based review. All AI solutions, whether developed internally or sourced from external vendors, are reviewed under this framework. The framework is structured around four key pillars: Governance, Layered Security, Threat & Risk Management, and Corporate AI Usage, and establishes clear accountability, defence-in-depth security controls, continuous risk assessments, and rigorous oversight of data usage. These measures address essential elements of AI governance and advanced data ethics, including transparency, fairness, responsible use, and data protection aligned with privacy regulations.

Robust Processes and Security Awareness:

• CDL’s Cyber Incident Response:
  CDL’s Cyber Incident Response: We ensure the robustness of our IT security incident response processes by engaging professional firms to review our response plan and facilitate cybersecurity tabletop exercises. The Company’s Cyber Incident Response Team is well-prepared to handle cybersecurity incidents. The Group adopts round-the-clock cybersecurity monitoring and protection through our Managed Security Operation Centre, where service providers provide 24/7 security monitoring and incident response services. The Company’s Cyber Incident Response Plan provides a defined and systematic process to respond to cyber security incidents, and employees are encouraged to report incidents, vulnerabilities, or suspicious activities via internal channels and help desks.
  
• Information Security Awareness Training:
  Employee awareness remains a key priority in our defence against cyber threats. Quarterly security training sessions focusing on current threat landscapes including Scams, Phishing and GenAI threats are organised in the year and open to all employees. Simulated Phishing attack simulations are also conducted periodically. Audit of IT Infrastructure and Cybersecurity Assessments: the Company’s Internal Audit team conducted an audit to assess the effectiveness of Vulnerability Assessment and Penetration Testing for one internal digital app in 2025. An external consultant conducted a Cybersecurity Incident Response Table-Top Exercise (TTX) in 2025. The TTX simulated realistic cyber-attacks to assess incident response and validate cybersecurity readiness across teams.