CYBER-READINESS AND DATA PRIVACY
As at 31 December 2024, there were seven non-major incidents of fraud across CDL Group. There were no incidents of corruption and money laundering across CDL Group.
Data Privacy
The privacy and protection of our stakeholders’ personal data is of paramount importance to us. The Company has established standard operating procedures, policies and guidelines governing the management of personal data in compliance with the Singapore Personal Data Protection Act (No. 26 of 2012), while information security materials are made available to educate stakeholders on prevailing risks, especially in the handling of sensitive corporate data. Customers and business partners can get in touch with our Data Protection Officer by mail, email and phone on matters concerning their personal data with the Group. The Company’s Data Privacy Policy is available to the public on our corporate website.
Our processes are regularly reviewed and enhanced based on regulatory developments and stakeholder feedback, in consultation with the Legal department, to ensure ongoing adherence to applicable data protection laws. Annually, our employees are also required to complete training on data protection. The Company’s Social Media Guidelines advocate employees’ responsibility in the use of social media, including taking precautions for the protection of information privacy.
In 2024, the Group recorded one incident concerning a leak of tenant information to seven of our tenants. This incident was due to human error. Immediate actions were taken to rectify the breach with our tenants. Security training on handling confidential information was conducted for all relevant employees, and an updated standard operating procedure was formalised.
External Engagement and Due Diligence
The Anti-Money Laundering and Counter Financing of Terrorism Policy was introduced in July 2016 and updated in June 2023 to reflect the latest regulatory requirements to our employees in frontline sales and compliance job functions. We worked on aligning our policies and guidelines with the external marketing agents for the Group’s properties. This ensures that our business is reasonably guarded against the risk of property transactions being used to finance terrorism or launder illicit funds. The Company’s processes are also updated to comply with the Guidelines for Developers on Anti-Money Laundering and Counter Terrorism Financing.¹⁶ These include conducting Customer Due Diligence and Project Risk Analysis.
As part of our due diligence, all direct suppliers of the Company’s core operations in property development and asset management are required to endorse their acceptance of and compliance with the ethical standards as outlined in our Supplier Code of Conduct.
The Company’s Enterprise Risk Management team periodically provides mandatory training for all new hires on key risk management related topics (namely Anti-Money Laundering and Counter-Financing of Terrorism, Data Privacy, and Incident Notification and Management). Anti-Money Laundering and Counter Financing of Terrorism refresher training is also conducted periodically for internal stakeholders. Business units that are assessed to be at higher risk, such as sales and marketing, accounts receivable, and fund management, are encouraged to register for the training.
Cybersecurity
A robust Group-level Cybersecurity Framework that aligns with industry best practices has been adopted to protect the confidentiality, integrity, and availability of our digital assets. The framework includes updated policies and standards that ensure our processes and technologies remain relevant in addressing the current threat landscape. The Company’s Computer Security Policies and Standards were updated in late 2024 to reflect the latest cybersecurity practices. Our policies and cybersecurity framework enabled:
- Secure and Reliable Operations: Proven technologies are adopted to secure digital infrastructure and ensure that critical systems operate reliably and consistently. This guards against interruptions that may result in inefficiencies or data loss. This includes solutions such as Next Generation Anti-Virus, Advanced Email Security Protection solution, Enterprise Class Firewalls, Intrusion Protection System, and Web Application Firewall to protect our information assets. Endpoint and Network Detection systems are also deployed to detect and respond to anomalies, addressing advanced and persistent cybersecurity attacks. Sensitive data is encrypted at rest and data in transit is encrypted to safeguard critical information. Robust processes were instituted to ensure that only authorised personnel are able to access the relevant data. In addition, data recovery strategies and measures, such as data backup, are in place to minimise downtime and ensure critical information can be made available quickly for business continuity.
- Robust Processes and Security Awareness: Measures are taken to prevent lapses that could compromise customer data and the organisation’s reputation and profitability. We ensure the robustness of our IT security incident response processes by engaging professional firms to review our response plan and facilitate cybersecurity tabletop exercises. The Company’s Cyber Incident Response Team is well-prepared to handle cybersecurity incidents. The Group adopts round-the-clock cybersecurity monitoring and protection through our Managed Security Operation Centre, where service providers provide 24/7 security monitoring and incident response services. Lastly, employee awareness remains a key priority in our defence against cyber threats. Our employees’ IT security awareness and vigilance remain heightened through a series of in-person and online cybersecurity training sessions, which are further reinforced by periodic phishing attack simulations.
Employee Training and Communication
Annually, all full- and part-time employees of the Company are required to complete a compulsory online declaration to acknowledge that they are aware of, have read and are in compliance with the Company’s corporate policies and guidelines before the start of the calendar year. For more information on our employee training and communication initiatives, please refer to page 104 of the integrated sustainability report.