ESG Research 2019 - Industry specific (cybersecurity)
Please answer all the questions and mark the source (ESG/ AR and page number) at the comment box ^^
The company identified cybersecurity as a material ESG topic
The company mentioned cybersecurity in...
ESG Report - Materiality Matrix
ESG Report - CEO Message
ESG Report - Other Section (Please specify)
Annual Report - Risk Management
Annual Report - Directors Report
Annual Report - Other Section (Please specify)
N/A
There was a Board-level oversight of cybersecurity issues
The company described the managements role (including committee) in managing cybersecurity issues
Level of management regarding cybersecurity issues (with responsibility disclosed)
Board of Directors
Top Management e.g. CEO, CFO
Committee/ Working Group
Department
Officer/ Other Individuals
N/A
Did the company identify any cyber risks/ key threats of cyber risks over the short/ medium/ long term?
Did the company describe any impacts of cyber risks on the companys businesses, strategy and financial planning?
Did the company mention any strategies of managing cyber risks?
Did the company disclose any company policies for cyber risk management?
Did the company describe the process ofidentifying, assessing and managing cyber risks?
Yes: with a structured response plan dedicated to cyber risks
Yes: incorporated into the companys business risk model
Yes: with a general description
No
Did the company conduct simulation exercises for cyber risk management?
Did the company set targets to manage cyber risks? (Directional/ Quantitative)
Any awareness-building campaign e.g. employee training?
Did the company adhere to any national/ international standards with respect to cyber/ information security?
The company adhered to...
ISO27001 Information Security Management System
ISO27002 Information Security System
GB/T 22081 《信息安全管理使用規則》
Other national/ international standards (please specify)
N/A
Part 5 Reported Incident and Follow Up
Any reported incident relating to cybersecurity within the company?
Yes, during the reporting year
Yes, in past years
No
Any reported incident relating to cybersecurtiy within the industry ?
Yes, during the reporting year
Yes, in past years
No
Did the company mention how they responded/ improved to prevent similar incidentsin the future?
Yes
No
N/A (no reported incident within the company/ industry)