CYBER-READINESS AND DATA PRIVACY

As of 31 December 2023, there were no incidents of corruption, fraud, and money laundering activity across CDL Group, apart from five non-major incidents of fraud under M&C operations.

Data Privacy

The privacy and protection of our stakeholders’ personal data is of paramount importance to us. The Company has established standard operating procedures, policies and guidelines governing the management of personal data in compliance with the Singapore Personal Data Protection Act (No. 26 of 2012), while information security materials are made available to better educate stakeholders on prevailing risks, especially in the handling of sensitive corporate data. Customers and business partners can get in touch with our Data Protection Officer by mail, email and phone on matters concerning their personal data with the Group. The Company’s Data Privacy Policy is available to the public on our corporate website.

Our processes are regularly reviewed and enhanced based on regulatory developments and stakeholder feedback, in consultation with the Legal department to ensure ongoing adherence to applicable data protection laws. Annually, our employees are also required to complete training on data protection. The Company’s Social Media Guidelines advocate employees’ responsibility on the use of social media, including taking precautions for the protection of information privacy.

In 2023, there were no substantiated complaints concerning breaches of customer privacy, theft, leak and loss of customer data or critical information across CDL Group.

External Engagement and Due Diligence

The Anti-Money Laundering and Counter Financing of Terrorism Policy was introduced in July 2016 and updated in June 2023 to reflect the latest regulatory requirements to our employees in frontline sales and compliance job functions. We worked on aligning our policies and guidelines with the external marketing agents for the Group’s properties. This ensures that our business is reasonably guarded against the risk of property transactions being used to finance terrorism or launder illicit funds. The Company’s processes are also updated to comply with the Guidelines for Developers on Anti-Money Laundering and Counter Terrorism Financing.⁸ These include performing Customer Due Diligence and completing Project Risk Analysis in line with the guidelines.

As part of our due diligence, all direct suppliers of the Company’s core operations in Property Development and Asset Management are required to endorse their acceptance of and compliance with the ethical standards as outlined in our Supplier Code of Conduct.

The Company’s Enterprise Risk Management team embarked on a new initiative to provide mandatory training for all new hires from July 2022 on key risk management related topics (namely Anti-Money Laundering and Counter-Financing of Terrorism, Data Privacy, and Incident Escalation). These training sessions are conducted on a quarterly basis. Additionally, Anti-Money Laundering and Counter Financing of Terrorism refresher trainings are conducted annually. Business Units that are at higher risk, such as Sales and Marketing, Accounts Receivable and Fund Management, are recommended to register for the annual training.

Cybersecurity

The Group has adopted a robust Cybersecurity Framework that aligns with industry best practices to protect the confidentiality, integrity, and availability of our digital assets. The framework includes updated policies and standards that ensure our processes and technologies remain relevant in addressing the current threat landscape. The Company’s Computer Security Policies and Standards were updated in early 2024 to reflect the latest cybersecurity practices.

Our policies and cybersecurity framework enabled:

  • Secured and Reliable Operations: The Group adopts proven technologies to secure digital infrastructure and ensure reliable and consistent operation of critical systems. This guards against interruptions that may result in inefficiencies or data loss. The Group adopts solutions such as Next Generation Anti-Virus, Advanced Email Security Protection solution, Enterprise-Class Firewalls, Intrusion Protection System, and Web Application Firewall to protect our information assets. Endpoint and Network Detection systems are also deployed to detect and respond to anomalies, addressing advanced and persistent cybersecurity attacks. Sensitive data is encrypted at rest and data in transit is encrypted to safeguard critical information. Robust processes were instituted to ensure that only authorised personnel are able to access the relevant data. In addition, data recovery strategies and measures, such as data backup, are in place to minimise downtime and ensure critical information can be made available quickly for business continuity.
  • Robust Processes and Security Awareness: The Group takes measures to prevent lapses that could compromise customer data and the organisation’s reputation and profitability. We ensure the robustness of our IT security incident response processes by engaging professional firms to review our response plan and facilitate cybersecurity tabletop exercises. The Company’s Cyber Incident Response Team is well-prepared to handle cybersecurity incidents. The Group adopts round-the-clock cybersecurity monitoring and protection through our Managed Security Operation Centre, where service providers provide 24/7 security monitoring and incident response services. Lastly, employee awareness remains a key priority in our defence against cyber threats. Our employees’ IT security awareness and vigilance remain heightened through a series of in-person and online cybersecurity trainings, which are further reinforced by periodic phishing attack simulations.

Employee Training and Communication

Annually, all full- and part-time employees of the Company are required to complete a compulsory online declaration to acknowledge that they are aware of, have read, and are in compliance with the Company’s corporate policies and guidelines before the start of the calendar year. Awareness bulletins are published on the Company’s intranet for a quick refresher anytime on key elements of the Company’s stance against corruption. Fraud risk awareness training and assessments covering topics such as bribery and conflicts of interest were also conducted for selected front-line business units within the Company.

As part of their orientation programme, new hires across the Group are required to learn about their respective Code of Business Conduct and Ethics and/or other related corporate policies and procedures including Anti-Corruption, Fraud, Competition, Anti-Money Laundering, and Whistleblowing. The Company’s new hires are also required to complete a self-paced, interactive e-learning module (also accessible for all employees) that provides information and guidance to recognise, address, resolve, avoid, and prevent instances of corruption. In 2023, 100% of the Company’s new hires were educated with anti-corruption knowledge.

To increase employees’ vigilance against cybercrime, which is exacerbated by the adoption of online working environments and operations, data protection and cybersecurity awareness training sessions were conducted in 2023.