Information security

Information Security and IT Risk Management

JT Group recognizes information security and cybersecurity as critical components of enterprise risk management and long-term value protection. Our approach is designed to safeguard all information assets essential to our operations, including personal data relating to customers, consumers, suppliers, and employees, as well as proprietary business information such as strategic plans, intellectual property, engineering designs, and research outputs.
We manage risks associated with unauthorized access, disclosure, alteration, or disruption of information through a structured framework aligned with recognized industry standards. This framework supports the confidentiality, integrity, and availability of our systems and data, helping to mitigate financial, operational, regulatory, and reputational risks.

Governance and Oversight

Information security and IT risk management are embedded within JT Group’s governance structure. The IT Governance Policy establishes the foundation for our control environment, supported by a hierarchy of policies, standards, and procedures.
Cybersecurity and IT risk were identified as key enterprise risks through the Group’s enterprise risk management (ERM) process. Oversight is provided by the Board, with regular reporting to ensure visibility of risk exposure, control effectiveness, and emerging threats.
Executive accountability is assigned to the Senior Vice President, Information Technology, who is responsible for the implementation and oversight of IT governance and cybersecurity practices across the Group.

Data Protection and Privacy

We are committed to protecting personal information and ensuring its responsible use in accordance with applicable data protection laws and regulations.
Our internal policies define standards for the collection, processing, retention, and protection of personal data. These are supported by data classification, labeling, and access controls, as well as employee awareness programs and technical safeguards designed to reduce the risk of unauthorized use or disclosure.

Risk Management, Monitoring, and Assurance

We maintain continuous monitoring of our IT infrastructure and information security systems to identify and respond to potential cyber threats in a timely manner.
To enable early detection and effective response, the Group requires all employees to report any information security incidents, potential vulnerabilities, or suspicious activities identified in the course of their work, regardless of perceived severity. Reported matters are assessed by relevant specialist functions and, where necessary, escalated to appropriate management levels for coordinated incident response and business continuity actions across the organization. Our control environment is subject to regular internal and external assurance activities, including audits, vulnerability assessments, and penetration testing conducted by independent third parties.In addition, we establish information security requirements for third-party providers and manage related risks through defined controls across the vendor lifecycle. Where appropriate, we instruct third-party providers to perform vulnerability testing as part of our continual improvement strategy to strengthen our security posture and respond to an evolving threat landscape. We also conduct simulated cyberattack exercises to test our detection and response capabilities and to enhance organizational preparedness.

Business Continuity and Resilience

Maintaining operational resilience is a key priority. We have established business continuity and incident response frameworks designed to ensure the continuity of critical operations and to minimize the impact of disruptive events, including cyber incidents.
Our response approach focuses on timely detection, effective containment, clear stakeholder communication, and rapid recovery of systems and services. Post-incident reviews are conducted to support continuous improvement and strengthen long-term resilience.