As part of this policy, operating companies must regularly submit corporate risk registers and changes in risk profiles to Swire Pacific. To ensure consistency of approach, these registers are prepared using a standard methodology and format and standard risk ranking criteria.

In 2022, our key risk management focus areas included: evolution of Hong Kong, regulatory changes, political – international tensions, climate change, crisis management, protection and use of data, portfolio discipline, people and culture. More details of our ERM process and our risk mitigation measures can be found in our Annual Report.

Cybersecurity

Swire Pacific has, and monitors compliance with, a cybersecurity and information security policy, and conducts regular cybersecurity maturity assessments based on the recognised US National Institute of Standards and Technology (NIST) Cybersecurity Framework. Several major operating companies also reference the ISO 27001 standard.

Our group-level Cybersecurity Centre of Excellence (CCoE), led by our Chief Information Security Officer (CISO), provides leadership, best practices, research and innovation, support and training to our operating companies. This central team is developing the Group cybersecurity strategy, managing cybersecurity programmes and projects, and establishing Group cybersecurity service lines. These service lines include Threat and Vulnerability Management, Managed Security Operation Centre, Incident Response Retainer, and Red Teaming whereby we test and strengthen our defences by identifying vulnerabilities and simulating attacks.

The Swire Pacific CISO is the Chair of the Cyber Security Working Group (CSWG) and is a member of the IT Committee (ITC). The CISO has responsibility for presenting cybersecurity topics to the GRMC and Audit Committee.

Under Swire Pacific’s enhanced Risk Governance Structure, an IT, Data & Technology (IDT) Risk Forum has been established as part of the second line risk forums. Swire Pacific CISO presents during the IDT Risk Forum to provide oversight of the cybersecurity risk landscape from a group perspective.

Regular cybersecurity reports are provided to the ITC, GRMC and to the Audit Committee. Our ITC oversees the cybersecurity programmes for our operating companies. A working group of cybersecurity professionals, which reports to the committee, meets regularly to promote the sharing of cybersecurity studies and best practices, and to enhance cybersecurity awareness across the Group.

Our operating companies complete a Control Self-Assessment from a cybersecurity perspective on an annual basis based on GIAD requests.

We have dedicated governance related to cybersecurity, including a GRMC risk forum to oversee IT, data and technology risks and to recommend best practice. Regular cybersecurity reports are provided to the IT Committee, GRMC and to the Audit Committee. Our IT Committee oversees the cybersecurity programmes of our operating companies. A working group of cybersecurity professionals, which reports to the committee, meets regularly to promote the sharing of cybersecurity studies and best practices, and to enhance cybersecurity awareness across the Group.

In 2021, we appointed a Chief Information Security Officer. We are building a dedicated team at group level to provide leadership, best practices, research and support to our operating companies. The central team is developing a Group cybersecurity strategy, managing cybersecurity programmes and projects, and establishing Group cybersecurity lines of service. These lines of service include threat and vulnerability management, a managed security operation centre, endpoint detection and response, and web application firewalls among others.

SWIRE PACIFIC — SUSTAINABLE DEVELOPMENT REPORT 2022 — 14