Cybersecurity and Privacy Protection

Central Retail faces ongoing cybersecurity and privacy challenges that require immediate attention to safeguard sensitive data and maintain stakeholder trust. Cybercriminal tactics, like ransomware attacks and social engineering schemes, constantly evolve with new technologies, such as AI, posing new threats. Risks of cybersecurity breaches, cyber-attacks, and violation of personal data privacy may lead to disruptions and suspension of information systems, thus leading to financial loss as well as damage to reputation and confidence of its stakeholders.

Therefore, Central Retail must ensure that cybersecurity and privacy protection protocols are put in place and being strictly followed. Striking the correct balance between establishing strong access controls and encouraging internal collaboration must also be considered as threats to cybersecurity and privacy protection can sometimes involve employees.

As these threats are constantly changing, Central Retail is committed to safeguarding its information system and personal data by adopting a proactive and adaptive approach to strengthen cybersecurity. Central Retail can develop threat detection systems, implement safe authentication procedures and apply advanced encryption technologies.

Additionally, cybersecurity awareness and training programs equip staff members with the ability to proactively identify and report threats. Integrating privacy protection measures into products and services following privacy-by-design principles can also help Central Retail promote consumer trust and make regulatory compliance easier.

Target

Maintain 0 breaches of information security or other cybersecurity incidents (cases) that have material financial impact
Maintain 0 customer data breach incidents (cases) that result in fines

Impact to Business and Stakeholders

As effective cybersecurity and privacy protection has become normal practice for businesses and has been enacted into law, cybersecurity and privacy protection incidents are regarded as risks by Central Retail and its stakeholders. Threats to cybersecurity and privacy protection pose a significant risk to Central Retail. A security breach can harm an organization's reputation by undermining the confidence of customers and stakeholders, as people are increasingly discerning about the security of their personal data. The financial impact extends beyond reputation: it includes the costs of incident response (remediating the breach, recovering lost data), dispute resolution, and fines from regulatory organizations.

As for stakeholders, customers can lose confidence when services become unavailable because of cyberattacks. They also risk having their personal data stolen, which can lead to their being directly targeted by cybercriminals. Similarly, suppliers risk having their sensitive business data stolen. Cybersecurity incidents and data leaks deter customers from buying from, and suppliers from conducting business with, Central Retail. Victims affected by data leakage can file complaints with government agencies, which can result in scrutiny, penalties, and lawsuits. Eventually, these risks can have financial implications for shareholders and investors.

Management Approach

Cybersecurity Governance Structure

To ensure the security, effective management, and proper utilization of Central Retail's cybersecurity system and privacy protection, a governance structure has been instituted. This structure involves the Risk Policy Committee, the Chief Executive Officer (CEO), the Chief Information Security Officer (CISO), and the Information Technology Committee (ITC). The Risk Policy Committee oversees enterprise risk management at the Board level, including risks from cybersecurity and privacy protection. Mr. Yol Phokasub, the current CEO of Central Retail and a member of both the Board of Directors and the Risk Policy Committee, oversees and establishes strategies to manage cybersecurity and privacy protection at the group level. The CEO has an educational background in computer science and software engineering and previously worked as a System Manager. The ITC is an executive-level committee, with the CISO leading the implementation of cybersecurity and privacy protection measures. The current CISO also has extensive experience in cybersecurity, including as CISO at another major online retail company. Other members of the ITC include executives from different business units who ensure compliance with Central Retail’s cybersecurity and privacy protection management approach, supported by competent employees with the expertise necessary to implement and communicate these measures throughout the organization and to external stakeholders. Importantly, Central Retail has appointed a Data Protection Officer (DPO) to oversee the development of an operational structure compliant with the Personal Data Protection Act (PDPA) and has established dedicated staff for protecting personal data and handling privacy issues.

Cybersecurity Governance Structure

Cybersecurity Management

Central Retail has established the Information Security Mission Statement and Policy to announce its commitment to ensuring that its information systems and services meet the standards of protection expected by customers and stakeholders. Central Retail has adopted international standards such as ISO 27001:2022, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and the Center for Internet Security (CIS) Controls as internal policy and guidance that all employees and relevant personnel must adhere to in order to effectively manage and protect the core systems and relevant personal data.

Central Retail applies a risk-based approach to protection, keeping pace with the current information environment and balancing openness and control of its information systems. Central Retail also classifies sensitive data into different risk levels, which determine the level of protection and the measures applied. Other cybersecurity measures include, but are not limited to, server vulnerability management, endpoint detection and response, virus protection, and data encryption. Moreover, information technology resources have cybersecurity measures embedded throughout their lifecycles, from acquisition to disposal. With regard to physical security, Central Retail has set up a security system at its data center to guard against potential physical harm from fire, flood, and other emergencies, as well as unauthorized entry.

Cybersecurity Process

Quarterly Meeting: Organize a monthly Security Committee Meeting (SCM) between working groups and IT executives of each sub-group.
Risk Assessment: Collect and exchange cybersecurity information to assess risks and prepare for cyber threats.
Implementation Framework: Develop guidelines and frameworks for compliance with the Center for Internet Security (CIS) Controls and the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) standards or guidelines.

Data Privacy Protection

Central Retail is dedicated to privacy protection, taking appropriate security measures (including organizational and technical measures) to prevent data leakage and establishing a Data Handling Policy for internal use that all employees and pertinent personnel must follow to prevent breaches and misuse of personal data. Central Retail has also put in place agreements with its suppliers to control the activities they carry out and to ensure their compliance with privacy practices. The Data Handling Policy covers topics such as recordkeeping of data processing activities, the consent management system, data subject rights management, data retention, data processing agreements, and personal data breach procedures. Central Retail has also made its Privacy Policy available to the public on its website and at the various contact points where personal data is collected. This ensures transparency and informs customers and stakeholders of their rights to data privacy. The Privacy Policy encompasses the following issues:

  • Type of personal data
  • Purpose of data collection, use, and disclosure
  • Agencies or individuals to which Central Retail may disclose personal data
  • Transfer of personal data to third countries
  • Duration of personal data storage
  • Security measures
  • Cookie policy
  • Rights of data subject
  • Service points of contact regarding the exercise of personal data rights

In addition, Central Retail has set up channels through which data owners can file complaints and inquiries and exercise their rights regarding personal data. Substantiated cases and complaints will be addressed and disciplinary actions will be taken. For questions or concerns, or to exercise rights regarding personal data, please contact our Data Protection Officer at:

Central Retail Corporation Public Company Limited

Central Retail Corporate Marketing

Central Chidlom Tower, 8th Floor 22 Soi Somkid Ploenchit Road Lumpini, Pathumwan, Bangkok, 10330 Thailand

Tel: +66 2 650 3600

Data Protection Officer
Data Protection Office, Central Group 22 Soi Somkid Ploenchit Road, Lumpini, Pathumwan, Bangkok, 10330 Thailand

Email: dpo@central.co.th

Central Retail’s cybersecurity systems are tested through internal and external vulnerability analysis and penetration testing (including simulated hacker attacks) to actively monitor for and prevent causes of cyberattacks. These tests are performed annually by external experts to help identify system weaknesses, in addition to business continuity plans. Likewise, Central Retail conducts regular audits of data privacy compliance.

To reduce risks to cybersecurity and data privacy, Central Retail integrates these risks into the quarterly group-wide enterprise risk management process to ensure that they are monitored and managed. Central Retail also conducts regular training on cybersecurity topics such as physical security, phishing, and email malware protection for both executives and employees. Moreover, Central Retail selects representatives from each business unit in functions specific to data privacy to receive intensive training on PDPA and proper data handling. Employees can report an incident or potential incident should they suspect any breach; reports are escalated and addressed as appropriate. In cases of misconduct or breaches by employees, disciplinary actions will be taken. Cybersecurity and privacy protection is also considered as part of the annual performance review of relevant employees to ensure continuous improvement of the entire system.

Information Security Mission Statement and Policy
Data Privacy Policy

Project Highlights

Secure Coding Training Program

The secure coding training program aims to equip all developers at Central Retail with the knowledge and skills necessary to produce secure, high-quality code when designing software and applications. The training program employs interactive, scenario-based learning in which the content is customized to meet the specific needs of the development teams. Topics covered include coding languages, frameworks, and alignment with industry standards. Central Retail also regularly updates the training status, which is reported to stakeholders and executive management, ensuring transparency. Feedback from developers is also gathered to facilitate continuous improvement of the training program.

The secure coding training program helps reduce post-development remediation costs through early identification and prevention of security vulnerabilities, and helps increase developer productivity in addressing security-related issues. Importantly, the increased security from more secure code in software and applications helps reduce the risk of financial losses by minimizing downtime caused by cybersecurity incidents.

Security Logs Ingestion

Central Retail’s IT department has collaborated with other functions to ensure a continuous exchange of relevant security logs for improvement of data ingestion. Security logs from across the organization are ingested and correlated to enhance detection of cybersecurity incidents at a much earlier stage and reduce financial impact. This process also allows for faster incident recovery with reduced recovery loss, and for accurate root cause identification that reduces the likelihood of future incidents. Central Retail provides quarterly incident summary updates to executive management, and informs relevant employees and executives in a timely manner during incidents.

Performance Summary

Performance Summary 2023

Cybersecurity                                                                        2020  2021  2022  2023
Number of information security breaches¹ or other cybersecurity incidents²              0     2     4     3
Number of personal data breach incidents³ comprising data leakage, theft, and loss      0     0     1     0
Total amount of fines/penalties paid in relation to information security breaches
  or other cybersecurity incidents (baht)                                               0     0     0     0

Privacy Protection                                                                   2020  2021  2022  2023
Number of substantiated complaints⁴ regarding personal data breach incidents
  related to customer data                                                              0     1     0     0
  Complaints from third parties (cases)                                                 0     1     0     0
  Complaints from regulatory bodies (cases)                                             0     0     0     0
Number of reported personal data breach incidents                                       0     0     1     6

Remark:

¹ Information security breach is defined as unauthorized access to data, applications, networks, devices, and network security systems.

² Other cybersecurity incident is defined as a cybersecurity breach other than unauthorized data access or disclosure, e.g., a perpetrator taking control of an information system that controls the organization’s power generation or transport system.

³ Personal data breach incident is defined as a breach of security measures that causes unlawful or unauthorized loss, access, use, modification, rectification or disclosure of personal data, resulting from an intentional, willful, negligent, unauthorized, or unlawful act, or an act related to computer crimes, cyber threats, mistakes or accidents, or any other act.

⁴ Substantiated complaint is defined as a complaint letter drafted by a customer or a government regulatory body related to a breach of customer personal data, or a third-party complaint, which is consistent with Central Retail’s personal data criteria or policy.

⁵ Secondary purposes are defined as the use of customer data for a purpose different from the one previously notified to the data subject.