Case study: How CAL promotes cyber security

What are the material issues the company has identified?

In its 2019 Corporate Sustainability Report CAL identified a range of material issues, such as financial performance, flight safety management, climate change mitigation and adaptation, risk and crisis management, governance and integrity management. Among these, promoting cyber security stands out as a key material issue for CAL.

Stakeholder engagement in accordance with the GRI Standards              

The Global Reporting Initiative (GRI) defines the Principle of Stakeholder Inclusiveness when identifying material issues (or a company’s most important impacts) as follows:

“The reporting organization shall identify its stakeholders, and explain how it has responded to their reasonable expectations and interests.”

Stakeholders must be consulted in the process of identifying a company’s most important impacts and their reasonable expectations and interests must be taken into account. This is an important cornerstone for CSR / sustainability reporting done responsibly.

Key stakeholder groups CAL engages with: 

How stakeholder engagement was made to identify material issues

To identify and prioritise material topics, CAL engaged with its stakeholders through 307 questionnaires.

What actions were taken by CAL to promote cyber security?

In its 2019 Corporate Sustainability Report CAL reports that it took the following actions for promoting cyber security:

• Carrying out regular evaluations and exercises
• In accordance with the Cyber Security Management Act regarding cyber security responsibility levels, CAL conducts risk assessment of information and information and communication systems every year, and evaluates the cyber security responsibility levels of the core information and communication systems with regard to confidentiality, integrity, availability, and compliance. CAL also developed a business continuity plan for the core information and communication systems and carries out a business continuity drill every year, to control relevant operational risks. Risk response mechanisms are also reviewed and adjusted to minimise potential losses.

• Providing cyber security training
• Each year, for CAL’s Cyber security and Information Technology personnel, at least 4 persons receive the cyber security professional programme training or the cyber security competence training for not less than 12 hours. For general user and officer, each person receives the general cyber security education training for not less than 3 hours. CAL requires every employee to take basic cyber security training to master cyber security risks and self-discipline and communicates cyber security policies and goals to all employees every year, through education and training, internal meetings, and announcements. CAL has also incorporated ethical corporate management into employee performance evaluations and human resources policies and established clear and effective rewards and disciplinary actions. Compliance with the Employee Code of Conduct is also a criterion used in annual performance evaluation. If employees do not comply with or violate the Employee Code of Conduct, they, depending upon the severity of the case, will have to undergo disciplinary action as per internal regulations. The Information Management Division carries out self-inspections and compliance self-assessments every half year, to effectively control cyber security. Audits are carried out by the audit unit independently, to ensure the overall mechanism operations.

• Implementing a cyber security incident notification and response mechanism
• CAL’s cyber security incident notification and response mechanism is initiated based on the level of cyber security incidents and emergency preparedness. Notification and response procedures are in place to control their impact and post-incident recovery. In this regard, CAL develops the security incident notification & contingency drill plan at the beginning of each year, and completes the internal cyber security exercise by the end of each year. Through cyber security exercises, CAL can evaluate the relevance of incident notification and response procedures and familiarise units in charge and support units with their roles and functions during rescue and equip them to respond to cyber security threats quickly and effectively, to minimise their impact on CAL’s customers and the company as a whole.

• Carrying out cyber security audits
• CAL’s Cyber Security Team conducts an internal audit at least once a year to make sure that all employees comply with the Cyber Security Management Act and CAL’s standard operating procedures, and effectively implement and maintain the management system. System reliability is constantly enhanced by refining security designs, including network regions, access control, vulnerability management, and other security protection strategies. In 2019, the Information Management Division reviewed the monitoring of data and warnings for cyber security threats detected by defence systems and found no cyber security threats by cyber-attacks or viruses.

Which GRI Standards and corresponding Sustainable Development Goals (SDGs) have been addressed?

The GRI Standards addressed in this case are:

1) Disclosure 206-1 Legal actions for anti-competitive behavior, anti-trust, and monopoly practices

2) Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data

Disclosure 206-1 Legal actions for anti-competitive behavior, anti-trust, and monopoly practices corresponds to:

• Sustainable Development Goal (SDG) 16: Peace, Justice and Strong Institutions
• Targets: 16.3

Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data corresponds to:

• Sustainable Development Goal (SDG) 16: Peace, Justice and Strong Institutions
• Targets: 16.3, 16.10

78% of the world’s 250 largest companies report in accordance with the GRI Standards

SustainCase was primarily created to demonstrate, through case studies, the importance of dealing with a company’s most important impacts in a structured way, with use of the GRI Standards. To show how today’s best-run companies are achieving economic, social and environmental success – and how you can too.

Research by well-recognised institutions is clearly proving that responsible companies can look to the future with optimism.

7 GRI sustainability disclosures get you started

Any size business can start taking sustainability action

GRI, IEMA, CPD Certified Sustainability courses (2-5 days): Live Online or Classroom  (venue: London School of Economics)

• Exclusive FBRH template to begin reporting from day one
• Identify your most important impacts on the Environment, Economy and People
• Formulate in group exercises your plan for action. Begin taking solid, focused, all-round sustainability action ASAP. 
• Benchmarking methodology to set you on a path of continuous improvement

See upcoming training dates.
References:

1) This case study is based on published information by CAL, located at the link below. For the sake of readability, we did not use brackets or ellipses. However, we made sure that the extra or missing words did not change the report’s meaning. If you would like to quote these written sources from the original, please revert to the original on the Global Reporting Initiative’s Sustainability Disclosure Database at the link:

http://database.globalreporting.org/

2) https://www.globalreporting.org/standards/gri-standards-download-center/

Note to CAL: With each case study we send out an email requesting a comment on this case study. If you have not received such an email please contact us.