Case study: How CAL promotes cyber security
China Airlines (CAL) is the largest airline in Taiwan, offering flights to and from 29 countries and 160 destinations worldwide. All of CAL’s information operations comply with international cyber security standards and domestic cyber security laws and regulations, which are incorporated into daily business operations. In addition, CAL proactively reports cyber security issues and carries out contingency drills to review the effectiveness of its defences and its resilience to such incidents.
This case study is based on the 2019 Corporate Sustainability Report by CAL published on the Global Reporting Initiative Sustainability Disclosure Database that can be found at this link. Through all case studies we aim to demonstrate what CSR / ESG / sustainability reporting done responsibly means. Essentially, it means: a) identifying a company’s most important impacts on the environment, economy and society, and b) measuring, managing and changing.
Abstract
To continuously enhance its cyber security governance system and organisation, CAL has established the CAL Cyber Security Team, convened by the Vice President of the Information Management Division, who is responsible for overseeing the cyber security governance plan and its implementation. In order to promote cyber security, CAL took action to:
- carry out regular evaluations and exercises
- provide cyber security training
- implement a cyber security incident notification and response mechanism
- carry out cyber security audits
With this case study you will see:
- Which are the most important impacts (material issues) CAL has identified;
- How CAL proceeded with stakeholder engagement, and
- What actions were taken by CAL to promote cyber security
What are the material issues the company has identified?
In its 2019 Corporate Sustainability Report CAL identified a range of material issues, such as financial performance, flight safety management, climate change mitigation and adaptation, risk and crisis management, governance and integrity management. Among these, promoting cyber security stands out as a key material issue for CAL.
Stakeholder engagement in accordance with the GRI Standards
The Global Reporting Initiative (GRI) defines the Principle of Stakeholder Inclusiveness when identifying material issues (or a company’s most important impacts) as follows:
Stakeholders must be consulted in the process of identifying a company’s most important impacts and their reasonable expectations and interests must be taken into account. This is an important cornerstone for CSR / sustainability reporting done responsibly.
Key stakeholder groups CAL engages with:
Stakeholder Group | Method of engagement
--- | ---
Employees | Labour-management meetings · Labour unions · Employee suggestion boxes · Employee feedback website · China Airlines newsletter · China Airlines Retirees Portal
Customers | Customer satisfaction survey · Global business meetings · Taiwan business meetings · Discussions with travel agencies · CAL’s website, CSR website, Facebook, e-mail, and text messages · Customer service hotline · Corporate customer visits
Investors | Shareholders’ meetings · Shareholders’ hotline / mailbox · Road shows · Interviews
Government | Missives · Visits · Participation in projects · Participation in public hearings, seminars, conferences, and negotiation forums · Participation in initiatives · Audits
Partners (Suppliers and Contractors) | Telephone · Coordination meetings · Business visits · On-site audits
Community | Charity events · Community activities · News releases · Online mailbox
Media | News releases · Press conferences · Interviews · Active communication of industry information
Associations (including Aviation Organisations) | Participation in project meetings · Participation in work seminars · Organising or participating in summits, executive summits, committees, and coordination meetings · Participation in government-convened meetings · Telephone, e-mail, and exchange platforms
How stakeholder engagement was used to identify material issues
To identify and prioritise material topics, CAL engaged with its stakeholders through 307 questionnaires.
What actions were taken by CAL to promote cyber security?
In its 2019 Corporate Sustainability Report CAL reports that it took the following actions for promoting cyber security:
- Carrying out regular evaluations and exercises
- In accordance with the cyber security responsibility levels defined by the Cyber Security Management Act, CAL conducts an annual risk assessment of its information and its information and communication systems, and evaluates the cyber security responsibility levels of the core information and communication systems with regard to confidentiality, integrity, availability, and compliance. CAL has also developed a business continuity plan for the core information and communication systems and carries out a business continuity drill every year to control the relevant operational risks. Risk response mechanisms are also reviewed and adjusted to minimise potential losses.
- Providing cyber security training
- Each year, at least 4 of CAL’s cyber security and information technology personnel receive the cyber security professional programme training or the cyber security competence training for not less than 12 hours. Each general user and officer receives general cyber security education and training for not less than 3 hours. CAL requires every employee to take basic cyber security training to understand cyber security risks and exercise self-discipline, and communicates its cyber security policies and goals to all employees every year through education and training, internal meetings, and announcements. CAL has also incorporated ethical corporate management into employee performance evaluations and human resources policies and has established clear and effective rewards and disciplinary actions. Compliance with the Employee Code of Conduct is also a criterion used in the annual performance evaluation. Employees who do not comply with or violate the Employee Code of Conduct face disciplinary action under internal regulations, depending on the severity of the case. The Information Management Division carries out self-inspections and compliance self-assessments every half year to effectively control cyber security. Audits are carried out independently by the audit unit to ensure that the overall mechanism operates as intended.
- Implementing a cyber security incident notification and response mechanism
- CAL’s cyber security incident notification and response mechanism is initiated according to the level of the cyber security incident and the emergency preparedness level. Notification and response procedures are in place to control the impact of incidents and to manage post-incident recovery. CAL develops its security incident notification and contingency drill plan at the beginning of each year and completes the internal cyber security exercise by the end of each year. Through these exercises, CAL evaluates whether its incident notification and response procedures remain relevant, familiarises the units in charge and the support units with their roles and functions during response and recovery, and equips them to respond to cyber security threats quickly and effectively, minimising the impact on CAL’s customers and on the company as a whole.
- Carrying out cyber security audits
- CAL’s Cyber Security Team conducts an internal audit at least once a year to make sure that all employees comply with the Cyber Security Management Act and CAL’s standard operating procedures, and that the management system is effectively implemented and maintained. System reliability is continuously enhanced by refining security designs, including network segmentation, access control, vulnerability management, and other security protection strategies. In 2019, the Information Management Division reviewed the monitoring data and warnings for cyber security threats detected by its defence systems and found no cyber-attacks or viruses.
Which GRI Standards and corresponding Sustainable Development Goals (SDGs) have been addressed?
The GRI Standards addressed in this case are:
1) Disclosure 206-1 Legal actions for anti-competitive behavior, anti-trust, and monopoly practices
2) Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data
Disclosure 206-1 Legal actions for anti-competitive behavior, anti-trust, and monopoly practices corresponds to:
- Sustainable Development Goal (SDG) 16: Peace, Justice and Strong Institutions
- Targets: 16.3
Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data corresponds to:
- Sustainable Development Goal (SDG) 16: Peace, Justice and Strong Institutions
- Targets: 16.3, 16.10
References:
1) This case study is based on information published by CAL, located at the link below. For the sake of readability, we did not use brackets or ellipses. However, we made sure that the extra or missing words did not change the report’s meaning. If you would like to quote these written sources from the original, please refer to the original on the Global Reporting Initiative’s Sustainability Disclosure Database at the link:
http://database.globalreporting.org/
2) https://www.globalreporting.org/standards/gri-standards-download-center/
Note to CAL: With each case study we send out an email requesting a comment on this case study. If you have not received such an email please contact us.