Information and Cyber Security

GRI 418

Under our risk management framework, the Board and management are responsible for identifying and analysing the risks related to information and cyber security, and for determining how such risks should be managed and mitigated.

We are committed to conducting regular audits to ensure compliance with our Information and Cyber Security Policy and Privacy Policy. The two policies include guidelines on data management and protection for implementation in Swire Properties. Our cyber security framework is aligned with National Institute of Standards and Technology (“NIST”), and we regularly conduct independent information security governance assessments to identify opportunities for improvement.

We also have a cyber incident response plan in place that outlines clear procedures and guidance for handling cyber security incidents and that addresses potential threats from cyber attacks that may disrupt our business. Scenario-based paper drills are conducted every year for continuous awareness training.

In terms of compliance certification, in view of the increasing importance of and demand for privacy data security management, Swire Properties obtained an ISO 27701 certification extension, on top of our existing ISO 27001 certification, covering all managed sites in Hong Kong, the Chinese Mainland and the U.S.A. The extension was completed in late 2022, and we continued to prioritise continuous governance and control over the handling of personal data and sensitive information so as to minimise our risk exposure.

This year, we also formed our Digital Project Governance (“DPG”) Working Group. Comprising representatives from our IT operations, information security and enterprise architect teams, the DPG Working Group manages digital projects to ensure they have undergone architecture design and security reviews, penetration tests and privacy impact assessments.

We regularly implement comprehensive information security and cyber security awareness training for our employees. In 2022, we offered 8,520 hours of such training. This year, we also initiated an updated awareness programme to ensure that staff understand key concepts relating to information security. All staff were required to participate in the Information Security E-learning Programme 2022. In addition, a legal seminar on information security called “Cybersecurity and Data Privacy Regulation in Asia-Pacific” was held in September, covering important concepts like the history and current state of data privacy regulation in Asia Pacific, cyber security regulation, data privacy versus data security, and cyber attacks and incident response.

SUSTAINABLE DEVELOPMENT REPORT 2022 250