The case for CSR/ Sustainability Reporting Done Responsibly


IDENTIFY - MEASURE - MANAGE - CHANGE

Insights on how you can protect the environment, maintain and increase the value of your company, through a structured process.

Insights on how you can protect the environment, maintain and increase the value of your company, through a structured process.

Home / case studies / Case study: How SCB promotes cyber security

Case study: How SCB promotes cyber security

Siam Commercial Bank (SCB) is a leading global bank and the first local bank that has been part of the Thai society for 114 years, creating and offering end-to-end financial solutions to fulfill the needs of all groups of customers. To ensure continuity and effectiveness in its operation, SCB places heavy emphasis on data governance and cyber security by developing systems and infrastructure, investing in technologies, enhancing employee capabilities, and improving processes to keep pace with change.

This case study is based on the 2019 Sustainability Report by SCB published on the Global Reporting Initiative Sustainability Disclosure Database that can be found at this link. Through all case studies we aim to demonstrate what CSR/ ESG/ sustainability reporting done responsibly means. Essentially, it means: a) identifying a company’s most important impacts on the environment, economy and society, and b) measuring, managing and changing.

Layout 1Abstract

SCB seeks to continuously improve its data governance and cyber security  Tweet This! so as to make sure that data on all of its systems and digital platforms are managed with care and adequately protected against new threats, and that there shall be no breach in customer data privacy. In order to promote cyber security SCB took action to:

  • implement an Information Security Policy
  • integrate cyber security into its software development and operations
  • build a data and cyber security culture

What are the material issues the company has identified?

In its 2019 Sustainability Report SCB identified a range of material issues, such as corporate governance and risk management, customer experience, financial inclusion, responsible lending. Among these, promoting cyber security stands out as a key material issue for SCB.

Stakeholder engagement in accordance with the GRI Standards                        

The Global Reporting Initiative (GRI) defines the Principle of Stakeholder Inclusiveness when identifying material issues (or a company’s most important impacts) as follows:

“The reporting organization shall identify its stakeholders, and explain how it has responded to their reasonable expectations and interests.”

Stakeholders must be consulted in the process of identifying a company’s most important impacts and their reasonable expectations and interests must be taken into account. This is an important cornerstone for CSR / sustainability reporting done responsibly.

Key stakeholder groups SCB engages with: 

Stakeholder Group                Method of engagement
Customers

 

 

·      Customer relationship-building activity

·      Information sessions on SCB financial products and services

·      Providing financial advice and knowledge to customers through online media, branch network and other electronic channels

·      Customer satisfaction surveys through telephone, questionnaire and electronic channels

·      Complaint and service channels through Customer Centre, Branch network and SCB Easy app

Employees

 

 

·      Meetings and online channels for policy and news announcement

·      Employee meetings, seminars and CSR activities

·      Annual performance evaluation

·      Employment engagement survey

·      Employee development programme

·      Employee recognition programme

·      Employee hotline

Shareholders

 

 

·      Annual general meeting

·      Extraordinary general meeting

·      56-1 Report

·      Annual report (Form 56-2)

·      Press release

·      Quarterly financial report

·      Investor meeting/conference

·      Investor call

·      Equity analyst meeting

·      Global roadshow event

Society and Environment

 

 

·      Projects and initiatives by SCB and the Siam Commercial Bank Foundation

·      Community and social surveys

·      Community engagement activities

Regulators

 

 

 

·      Assign Compliance unit to serve as SCB’s regulatory liaison

·      Attend meetings and hearings on regulatory policies and guidance from relevant authorities

·      Attend forums on regulatory compliance

·      Seek feedback and guidance on regulatory compliance

·      Offer feedback on regulations through public hearings

·      Prepare and provide support for regulatory audit

How stakeholder engagement was made to identify material issues

To identify and prioritise material topics SCB conducted in-depth interviews with selected groups of stakeholders to collect suggestions, feedback and information on economic, social and environmental material topics.

What actions were taken by SCB to promote cyber security?

In its 2019 Sustainability Report SCB reports that it took the following actions for promoting cyber security:

  • Implementing an Information Security Policy
  • Based on the Confidentiality-Integrity-Availability (CIA) triad, the SCB Financial Group Information Security Policy is communicated to all employees, including those in probationary periods and on temporary contracts, suppliers and consultants, from whom strict compliance is expected. The Policy also assigns the Audit Unit to perform an audit and make recommendations for further improving cyber security. SCB has adopted a proactive approach to cyber security by focusing on developing technology and processes for cyber threat detection, such as the Cybersecurity Threat Intelligent Surveillance system and machine learning technology to study the pattern of cyber-attacks, both internally and externally. This proactive approach enables SCB to assess the situation and be ready to respond and prevent potential losses. Additionally, for data storage with comparable effectiveness to on-premise storage, SCB uses Cloud Computing Technology to keep potential risk under its risk appetite level, to increase operational speed, and to lower the cost of maintaining the internal computer network and systems. Moreover, cyber security performance is regularly reported to senior management in a dashboard format. To be ready for an emergency situation and make sure that systems can be recovered back to normal service and operation in an appropriate timeframe, SCB has also established a policy and guideline for preparing an IT Contingency Plan, which is aligned with its Business Continuity Plan. This contingency plan defines processes, practices and the roles and responsibilities of the relevant business units in executing, testing, reviewing and revising the IT Contingency Plan according to the business context.
  • Integrating cyber security into software development and operations
  • In 2019, SCB upgraded its software development approach from DevOps to DevSecOps (Development Security Operations), whereby cyber security is integrated as part of SCB’s development and operations life cycle. This means that cyber security control measures are embedded throughout SCB’s software development life cycle to enhance the ability to create innovation and make further product and service improvements to deliver even greater speed, effectiveness, and security. Through this approach, SCB added security automation tools in the software development process to make security testing faster and more effective. The automation tools allow SCB’s software developers and system administrators to perform security testing on their own and detect any vulnerability after the software launch, receiving timely reports on potential problems.
  • Building a data and cyber security culture
  • In parallel with continuously investing in technology and developing cyber security systems that meet global standards, SCB is committed to building a data and cyber security culture for employees at every level. SCB uses work processes, training and internal communication to promote awareness on appropriate and secure data handling, data protection, cyber risk, and cyber threat prevention. Accordingly, SCB provides a data classification training course on its e-learning system to promote appropriate and secure data usage throughout the organisation and offers a cyber security course to senior executives which covers topics such as causes of cyber-attacks and impacts of cyber threats. Employees at all levels are also required to take the mandatory course on cyber security on the system which focuses on basic knowledge regarding data protection, on understanding the forms and impacts of cyber threats through simulation, and on how to prevent and report an incident. Throughout 2019, SCB organised “Don’t Let It Happen” activities to promote awareness on cyber threats, cyber risks, and data security protection with an emphasis on safeguarding the data of both customers and SCB and building awareness on risk behaviours that may cause damage to the business or SCB ‘s One of the highlights that attracted many participants was the “Cybersecurity Awareness Day 2019,” which featured talks by external experts regarding cyber security on topics such as knowing tricks of cyber criminals inside out, understanding data risk, and using personal information on social media.

Which GRI Standards and corresponding Sustainable Development Goals (SDGs) have been addressed?

The GRI Standard addressed in this case is: Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data

Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data corresponds to:

 

80% of the world’s 250 largest companies report in accordance with the GRI Standards

SustainCase was primarily created to demonstrate, through case studies, the importance of dealing with a company’s most important impacts in a structured way, with use of the GRI Standards. To show how today’s best-run companies are achieving economic, social and environmental success – and how you can too.

Research by well-recognised institutions is clearly proving that responsible companies can look to the future with optimism.



FBRH GRI Standards Certified, IEMA & CIM recognised Sustainability Course | Venue: London LSE

By registering for the next 2-day FBRH GRI Standards Certified, IEMA & CIM recognised course you will be taking the first step in gaining the many benefits of sustainability reporting.

Most importantly, you will gain the knowledge to use the GRI Standards, project manage your own first-class sustainability report and:

  • Identify your most important impacts on the Environment, Economy and Society
  • Begin taking solid, focused, all-round sustainability action ASAP

 

References:

1) This case study is based on published information by SCB, located at the link below. For the sake of readability, we did not use brackets or ellipses. However, we made sure that the extra or missing words did not change the report’s meaning. If you would like to quote these written sources from the original, please revert to the original on the Global Reporting Initiative’s Sustainability Disclosure Database at the link:

http://database.globalreporting.org/

2) https://www.globalreporting.org/standards/gri-standards-download-center/

Note to SCB: With each case study we send out an email requesting a comment on this case study. If you have not received such an email please contact us.