Data Privacy and Cybersecurity

Customer Data Privacy

The Group is committed to protecting customer data privacy and maintaining strong cybersecurity through robust policies, governance, and technology. It adheres to the six principles of the Personal Data (Privacy) Ordinance, ensuring data is collected lawfully, used only for legitimate purposes, minimized, accurate, securely stored, and retained only as long as necessary. Confidentiality and security are maintained throughout the data lifecycle, from creation and storage to processing, transfer, and disposal, supported by controls such as multi-factor authentication, encryption, and privileged access management.

Employees handle personal data strictly for legitimate business and regulatory purposes and must comply with internal policies outlined in the Code of Conduct. Data is only shared on a need-to-know basis, and obligations with third parties are strictly observed.

Cybersecurity Framework and Emergency Response Plan

The Group’s cybersecurity framework adopts a multilayered defence strategy integrating people, processes, and technology. It covers physical, network, endpoint, application, and data security, alongside staff training and awareness. Oversight is provided by the Information Security Committee (ISC), which manages policies, risk, incident response, and compliance, and regularly reviews emerging threats and control effectiveness.

An established emergency response plan ensures coordinated handling of cybersecurity incidents. It defines clear roles across senior management, response teams, and employees, supported by procedures for incident identification, management, mitigation, and communication. Regular drills and training enhance preparedness and coordination.

Advanced security technologies strengthen detection and response capabilities, including AI-powered monitoring, intrusion detection, vulnerability management, centralized event analysis, threat intelligence platforms, forensic tools, and data backup solutions.

Establishing Effective Communication Channels

The Group promotes open reporting of security incidents through internal channels and conducts continuous risk assessments and audits to address evolving threats. Ongoing staff training covers key risks such as phishing, social engineering, and emerging threats like deepfakes, supported by simulations and regular communications to reinforce awareness.

International Security Certifications

The Group has achieved ISO/IEC 27001:2022 certification and complies with PCI DSS v4, demonstrating alignment with international security standards. It has also received industry recognition for its strong commitment to cybersecurity and staff awareness.

Please refer to the Environmental, Social & Governance section of the 2024/25 Annual Report for further details.