Cybersecurity and Privacy Protection

Central Retail faces ongoing cybersecurity and privacy challenges that require immediate attention to safeguard sensitive data and maintain stakeholder trust. Cybercriminal tactics, like ransomware attacks and social engineering schemes, constantly evolve with new technologies, such as AI, posing new threats.

Risks of cybersecurity breaches, cyber-attacks, and violation of personal data privacy may lead to disruptions and suspension of information systems, thus leading to financial loss as well as damage to reputation and confidence of its stakeholders.

Therefore, Central Retail must ensure that cybersecurity and privacy protection protocols are put in place and being strictly followed. Striking the correct balance between establishing strong access controls and encouraging internal collaboration must also be considered as threats to cybersecurity and privacy protection can sometimes involve employees.

As these threats are constantly changing, Central Retail is committed to safeguarding its information system and personal data by adopting a proactive and adaptive approach to strengthen cybersecurity. Central Retail can develop threat detection systems, implement safe authentication procedures and apply advanced encryption technologies. Additionally, raising cybersecurity awareness and training programs equips staff members with the ability to proactively identify and report threats. Integrating privacy protection measures into the products and services following the privacy-by-design can also help Central Retail promote consumer trust and make regulatory compliance easier.

Target

Maintain

0

breaches

of information security or other cybersecurity incidents (cases) that have material financial impact

Maintain

0

breaches

of customer data incidents (cases) that result in fines

Impact to Business and Stakeholders

As effective cybersecurity and privacy protection has become normal practice for businesses and has been enacted into laws, incidents to cybersecurity and privacy protection are mostly regarded as risks by Central Retail and stakeholders. Threats to cybersecurity and privacy protection pose significant risk to Central Retail. A security breach can harm an organization's reputation by undermining the confidence of customers and stakeholders as people are increasingly discerning about the security of their personal data. This can also cause financial impact beyond reputation as it includes costs to incident response (remediate the breach, recover lost data), dispute resolution, and fines from regulatory organizations.

As for stakeholders, customers can lose confidence in the face of unavailable services from cyberattacks. They also risk having their personal data stolen that lead them being directly targeted by cybercriminals. Similarly, suppliers also risk having their sensitive data on business operations stolen. Cybersecurity incidents and data leaks deter customers from buying and suppliers from conducting business with Central Retail. Victims affected from the data leakage can issue complaints to government agencies that can results in scrutiny, penalties, and lawsuits. Eventually, these risks can pose financial implications to shareholders and investors.

Management Approach

Cybersecurity Governance Structure

To ensure the security, effective management, and proper utilization of Central Retail's cybersecurity system and privacy protection, a governance structure has been instituted. This structure involves the Risk Policy Committee, Chief Executive Officer (CEO), Chief Information Security Officer (CISO), and the Information Technology Committee (ITC). The Risk Policy Committee oversees enterprise risk management, including risks from cybersecurity and privacy protection at the Board level. Mr. Yol Phokasub, who is the current CEO of Central Retail, and also a member of the Board of Directors and the Risk Policy Committee oversees and establish strategies to manage cybersecurity and privacy protection at the group level. The CEO has an educational background in computer science and software engineering and has work experience as a System Manager previously. The ITC is an executive-level committee, with the CISO leading the implementation of cybersecurity and privacy protection measures. The current CISO also has vast experience in cybersecurity and as CISO at another major online retail company. Other members of the ITC include executives from different business units that ensure compliance to Central Retail’s cybersecurity and privacy protection management approach, while operating with competent employees possessing expertise necessary for implementing and communicating these measures throughout the organization and to external stakeholders. Importantly, Central Retail has appointed the Data Protection Officer (DPO) to oversee the development of an operational structure compliant with the Personal Data Protection Act (PDPA) and established a dedicated staff to protecting personal data and handling privacy issues.

Governance Structure of Cybersecurity and Privacy Protection

Click to enlarge

Cybersecurity Management

Central Retail has established the Information Security Mission Statement and Policy to announce its commitments in ensuring that its information system and services can meet the standards of protection expected by customers and stakeholders. Central Retail has adopted international standards such as the ISO 27001:2022, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and standard of the Center for Internet Security Control (CIS) to provide and act as an internal policy and guidance that all employees and relevant personnels must adhere to effectively manage and protect the core systems and relevant personal data.

Central Retail has applied the risk-based approach to protection by managing the most recent information environment, and balancing openness and control of the information systems. Central Retail also prioritized sensitive data into different levels of risks, which will determine its level of protection and measures. Other cybersecurity measures include but not limited to server vulnerability management, endpoint detection response and virus protection, and data encryption. Moreover, information technology resources should have cybersecurity measures embedded into their respective lifecycles, from acquisitions to disposal. With regards to physical security, Central Retail has set up a security system at its data center to guard against potential physical harm from fire, flood, and other emergencies, as well as illegal entry into the system.

Cybersecurity Process

Quarterly Meeting

Organize a monthly Security Committee Meeting (SCM) between working groups and IT executives of each sub-group.

Risk Assessment

Collect and exchange cybersecurity information to assess risks and prepare for cyber threats.

Implementation Framework

Develop guidelines and frameworks for compliance with Center for Internet Security Control (CIS) and National Institute of Standards and Technology – Cyber Security Framework (NIST-CSF) standards or guidelines.

Data Privacy Protection

Central Retail is dedicated to privacy protection from taking appropriate security measures (including organizational and technical measures) to prevent data leakage, and establishing the Personal Data Handling Procedure for internal use that all employees and pertinent personnels must follow to prevent breaches and misuse of personal data. Central Retail has also put in place its agreements with the suppliers to control the activities carried out by the suppliers and to ensure suppliers’ compliance with privacy practice. The Personal Data Handling Procedure covers extensive topics such as recordkeeping of data processing activity, consent management system, data subject rights management, data retention, data processing agreement, personal data breach procedures, etc. Central Retail has also made the Privacy Policy available to the public on the website and at various contact points where personal data is collected. This is to ensure transparency and to inform customers and stakeholders of their rights to data privacy. The Privacy Policy encompasses the following issues:

Type of personal data
Purpose of data collection, use, and disclosure
Agencies or individuals to which Central Retail may disclose personal data
Transfer of personal data to third countries
Duration of personal data storage
Security measures
Cookie policy
Rights of data subject
Service points of contact regarding the exercise of personal data rights

Consent: Central Retail is committed to lawfully process personal data of customers and other stakeholders. Central Retail may further obtain a consent from the customers and other stakeholders when Central Retail cannot rely on other legal basis for collection, use and disclosure of personal data including but not limited to the processing of sensitive personal data, the processing for analysis or marketing activities etc.

In addition, Central Retail has set up channels by which data owners can file complaints, inquiries and exercise their rights regarding personal data. Cases and complaints which are substantiated will be addressed and disciplinary actions will be taken. For any questions, concerns, or would like to exercise rights regarding personal data, please contact our Data Protection Officer at:

Central Retail Corporation Public Company Limited

Central Retail Corporate Marketing

Central Chidlom Tower, 8th Floor 22 Soi Somkid Ploenchit Road Lumpini, Pathumwan, Bangkok, 10330 Thailand

Tel: +66 2 650 3600

Data Protection Officer

Data Protection Office, Central Group 22 Soi Somkid Ploenchit Road, Lumpini, Pathumwan, Bangkok, 10330 Thailand

Email: dpo@central.co.th

Security Measures for Personal Data Protection: Central Retail is committed to protect the personal data by establishing effective security measures from a technical, physical and organizational point of view to prevent loss, unauthorized or unlawful access, deletion and destruction, use, alteration, rectification or disclosure of personal data.

Central Retail will review its existing security measures when necessary, or when the technology has changed to ensure effective measures, taking into account the nature, scope, context and purposes as well as the significance of risks associated with the processing of personal data.

Central Retail’s cybersecurity systems are tested through conducting internal and external vulnerability analysis and penetration testing (including simulated hacker attacks) to actively monitor and prevent cause for cyberattacks. These tests are performed on an annual basis by external experts to help identify the system’s weaknesses in addition to business continuity plans. Likewise, Central Retail conducts audits of compliance to data privacy on a regular basis.

To reduce risks to cybersecurity and data privacy, Central Retail integrates these risks as part of the quarterly group-wide enterprise risk management process to ensure that these risks are monitored and managed. Central Retail also conducts regular trainings on cybersecurity topics such as physical security, phishing, and email malware protection for both executives and employees. Moreover, Central Retail selects representatives from each business units in functions specific to data privacy to conduct intensive training on PDPA and proper data handling. Employees are able to notify an incident or potential incident should they suspect any breaches which will be escalated and addressed as appropriate. In the case that there are misconduct or breaches by employees, disciplinary actions will be taken. Cybersecurity and privacy protection is also considered as part of annual performance review of relevant employees to ensure continuous improvements of the entire system.

Information Security Mission Statement and Policy

Download

Data Privacy Policy

Project Highlights

Secure Coding Training Program

Secure coding training program aims to equip all developers with Central Retail with the knowledge and skills necessary to produce secure, high-quality code when designing software and applications. The training program employs an interactive and scenario-based learning in which the content is customized to meet the specific needs of the development teams. Topics covered include coding languages, frameworks, and alignment with industry standards. Central Retail also regularly update the training status which are provided to stakeholders and executive management, ensuring transparency. Feedbacks from developers are also gathered to further facilitate continuous improvement to the training program.

The secure coding training program help to reduce post-development remediation costs due to early identification and prevention of security vulnerabilities, and help to increase productivity for developers in addressing security-related issues. Importantly, the increased in security from more secure codes used in developing software and applications help reduce the risks of potential financial losses due to minimized downtime caused by cybersecurity incidents.

Security Logs Ingestion

Central Retail’s IT department has collaborated with other functions to ensure continuous exchange of relevant security logs for improvement of data ingestion. Security logs within the organization that have been ingested and correlated to enhance detection of cybersecurity incidents at a much earlier stage and reduce financial impact. This process also allow for faster incident recovery and reduced recovery loss, and accurate root cause identification that reduce likelihood of potential future incidents. Central Retail provides quarterly incident summary update to executive management, and inform relevant employees and executives in a timely manner during incidents.