Cybersecurity Risk Management, Strategy and Governance
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Item 16K. Cyber Security

a) Definitions. For purposes of this section:

Cyber security incident means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of PLDT’s information systems or any information residing therein.

 

Cyber security threat means any potential unauthorized occurrence on or conducted through PLDT’s information systems that may result in adverse effects on the confidentiality, integrity, or availability of PLDT’s information systems or any information residing therein.

 

Information systems means electronic information resources, owned or used by PLDT, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of PLDT’s information to maintain or support PLDT’s operations.

 

b) Cybersecurity Risk Management and Strategy

Our cybersecurity risk management program (Program) includes:

Information security risk assessment – We developed the Information Security Risk Management Standards (Risk Management Standards), which serve as our Company’s guidelines for performing information security risk assessments that are conducted by CSOG. They also serve as a guide for the conduct of risk assessments for third parties with business dealings with the PLDT Group, such as vendors, suppliers, and service providers. CSOG reviews the Risk Management Standards on an annual basis, taking into consideration the latest international standards in cyber security. The information security risk assessment includes, among others:

o identifying material cyber security risks to which our systems are exposed, including exposure to breach in confidentiality, integrity and availability of personal data as defined under Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012;
o analyzing the potential impact of the identified information security risk on our business operations;
o classifying information security risks as a low, medium or high risk, based on the impact score and likelihood score provided in the Risk Management Standards; and
o implementing risk treatment or mitigating actions necessary to address the identified information security risk.

In addition, all technologies, systems, platforms and network elements go through a security assessment by CSOG and must be approved by CSOG before they are implemented in order to ensure that all network elements meet our cyber security standards.

As part of our continuing efforts to improve security measures and fortify the network environment, PLDT Group has retained external cyber security experts to assist us in deploying the latest technology and adopting global best practices to detect and prevent cyber security attacks.

Cyber security incident response – CSOG, through its cyber security incident response team, is the central authority for handling security incidents. We developed the Information Security Incident Management Standards (Incident Management Standards), which are reviewed annually, as a guide in handling security incidents by establishing an incident handling capability through a centralized platform with sufficient expertise and equipped with rapid and secure communication facilities. CSOG has adopted the incident response plan, which is a set of documented procedures for identifying, responding to, and limiting the impact of information security incidents to the business. This document is the primary business-level documentation which reflects the corporation’s due care and due diligence on the handling of incidents, methods for response, and business criteria for the recovery and restoration of normal business operations after an incident. The Incident Management Standards lay down the stages of the incident management process to be followed upon the occurrence of a security incident. These are: (1) preparation; (2) identification; (3) remediation (e.g., containment, eradication and recovery); (4) incident closing and archiving; and (5) post-incident activities.

Cyber security awareness – Since all employees, consultants, and third parties with business dealings, directly or indirectly, with PLDT Group must comply with the Corporate Information Security Policy (CISP) and its supporting Standards and the Information Security Management System (ISMS) that implements the CISP, CSOG leads the organizational initiatives aimed at enhancing awareness of the CISP, its supporting standards and ISMS. For this purpose, CSOG conducts an annual information security e-learning course which is mandatory for all employees and consultants. The course is intended to achieve the following objectives: (1) prevent and reduce threats that cannot be addressed by technical controls; (2) increase awareness on cyber security matters; (3) drive appropriate behavior and improve judgment on cyber risks; and (4) enable our people to become the Company’s first and last lines of defense, all with the aim of creating a sustainable culture of cyber security.

The Program is constantly reviewed for compliance with ISO 27001. While CSOG uses the Balanced Scorecard Framework (Balanced Scorecard) as a tool for measuring performance and effectiveness of security controls, as well as for alignment of CSOG objectives with the goals of the PLDT Group, it has adopted the National Institute of Standards and Technology (NIST) as a framework. The Balanced Scorecard is a strategic planning and management method designed to align business activities with the vision and strategy of the organization to improve internal and external communications, and monitor CSOG’s performance against the strategic goals of the entire organization, including financial stability, customer satisfaction, efficient internal processes, and continuous improvement and innovation in cyber security capabilities. On the other hand, the adoption of the NIST Framework enhances our ability to identify, protect, detect, respond and recover from cyber threats. By identifying the risks, the organization is able to understand and manage the cyber security risks to systems, assets, data and capabilities and, at the same time, implement safeguards to ensure the delivery of critical infrastructure services. Detection is achieved by developing and implementing activities to identify the occurrence of a cyber security event.

The Program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes with the enterprise risk management program, which are also applied to other legal, compliance, strategic, operational, and financial risk areas. This integration serves to align PLDT’s cyber security initiatives with the overall strategic objectives of the organization.

a) Process for Assessing, Identifying, and Managing Material Risks from Cyber Security Threats Pursuant to the Program

Assessment

CSOG, through its Risk Management Team, performs functional security risk assessments for projects (e.g., solutions, products, services, and their components) and enterprise (e.g., in response to incidents, intelligence threat information, and/or as part of planned scope and schedule) in accordance with the Risk Management Standards. Information security risk assessments are performed on all new technologies, systems, platforms, and network elements that:

1. introduce and connect to any part of our network;
2. use the services of external service providers;
3. permit access to our critical systems either through internal or external users or system accounts; and
4. grant access from external locations outside our network.

In other words, all technologies, systems, platforms and network elements go through a security assessment by CSOG and must be approved by CSOG before they are implemented, whether it is merely proof-of-concept, for demonstration, or for production. Information security risk assessments on existing systems should be initiated and performed by CSOG based on emerging threats and risk.

Identification

Risks are identified based on the probable loss of confidentiality, integrity, and availability of information within the scope of our ISMS. Risks are categorized based on their impact on the following: (1) customer’s rights; (2) reputation; (3) technology; (4) finance; (5) people; and (6) governance. Once identified, risks are categorized as either high or low to arrive at the risk rating/score.

Results of risk assessment are documented in our Risk Register, which shall be the basis of the risk treatment.

Risks identified as part of information security risk assessment shall be treated according to the Company’s security requirements (risk appetite), taking into account business circumstances and level of threat. Treatment of information security risk shall primarily be via risk mitigation. In cases where the risk is difficult to mitigate and requires long-term efforts, we may (i) document acceptance of the risk by appropriate senior management, (ii) cancel, postpone or modify the implementation of a project or initiative that gives rise to the risk, or (iii) share the risk with external parties, such as joint venture partners, cloud service providers and other third-party service providers.

Management/Strategy

CSOG uses the Balanced Scorecard methodology/framework to ensure that cyber security efforts are not just technically proficient, but also contribute to the overall strategic objectives of the organization, including financial stability, customer satisfaction, efficient internal processes, and continuous improvement and innovation in cyber security capabilities. The Balanced Scorecard is reviewed annually or as necessary to keep up with the latest threats, technological advancements, and regulatory requirements. At the end of 2024, CSOG started reviewing its strategy and roadmap based on the approved budget and its identified projects and initiatives.

See Section (b) above for more details.

Engagement of Third-Parties

The Company engages third-party service providers, such as, but not limited to, assessors, consultants, and auditors, in connection with the processes described above. The Company has established its External Party Security Standards to ensure that the confidentiality, integrity, and availability of information transmitted between PLDT Group and third parties are maintained, that hardware and software acquired from third parties do not compromise PLDT Group’s confidential and restricted information, and that security requirements are satisfied and maintained when the running of a particular environment or service is entrusted to a third party.

When entering into contracts, third parties must agree to PLDT Group’s security requirements as embodied in PLDT Group’s Cyber Security Clauses and CS Requirements set forth in the External Party Security Standards. All contracts are reviewed by CSOG before they are executed and subjected to a risk assessment on the third party, including assessing their security posture and compliance with security requirements, before launching the project or implementing the solution. Through this process, CSOG seeks to ensure that we have the appropriate controls in place for any systems, solutions or platforms that are to be integrated with our internal network or system, or will involve the processing of personal data.

b) Cybersecurity Incidents

In the second quarter of 2023, pursuant to Philippine laws, the Company notified the relevant regulatory authorities that it experienced cybersecurity attacks on its network and systems and, with the help of leading cybersecurity experts here and abroad, the Company was able to contain the effects of such cybersecurity attacks on network and systems performance. Upon detection of the incidents, the Company immediately activated relevant security protocols, and worked around the clock to protect its network and systems. Therefore, such cybersecurity attacks did not have any material financial, legal, reputational or regulatory repercussions for the Company. We did not experience any cyber security incidents in Fiscal 2024 that resulted in any financial loss, reputational damage, or regulatory fines.

 

We continue to analyze and enhance our network and systems to introduce further security measures, and fortify our network environment. Further, we have retained external cyber security experts to ensure that we deploy the latest technology, and adopt global best practices to detect and prevent cyber security attacks.

c) Cyber Security Governance

Our Board considers cyber security risk as part of its risk oversight function and has delegated the responsibility for overseeing cyber security and other information technology risks to the Board’s Data Privacy and Information Security Committee (the Committee). This Committee gives strategic direction to governance functions relating to data privacy and information security matters and oversees management’s implementation of our Program.

 

The Committee receives quarterly reports from management on (a) our data privacy and information security risk profile, with a focus on known or emerging major risk exposures; (b) the level of compliance with regulatory requirements and internal policies and standards on data protection and information security; and (c) any significant gaps in our data protection and information security capabilities and the status of any initiatives to address those gaps. In addition, management updates the Committee, as necessary, regarding any material cyber security incidents, as well as any incidents with lesser impact potential, and the steps or proposed steps taken by management to monitor and manage data privacy and information security risks, including adequacy of resources; training of the workforce; administrative, physical, and technical safeguards; and an incident management framework.

 

On the other hand, the Committee reports to the full Board on its activities including those related to cyber security. Further, the Committee reports and secures the full Board’s approval, at least annually, on the risk appetite and risk tolerance of our Company and the risk management objectives and strategies on data privacy and information security. The Committee also ensures that management, through its Chief Information Security Officer (CISO), reports to the full Board the level of our compliance with regulatory requirements and internal policies and standards on data protection and information security. Each year, the Committee also ensures that the CISO creates and implements continuing annual training programs for Directors to inform them of developments in the business and regulatory environments, including emerging risks relevant to data protection and information security.

 

Our CSOG, led by the CISO, is responsible for assessing and managing any material risks from cyber security threats. CSOG has primary responsibility for implementing and monitoring our Program and supervises both our internal cyber security personnel and our external cyber security consultants. The CISO, through the different pillars of CSOG (e.g., Governance, Innovation, Risk Management, Compliance, Internal Cyber Security Operations, and Special Operations Group), supervises efforts to prevent, detect, mitigate, and remediate cyber security risks and incidents through various means, which may include briefings from internal security personnel, threat intelligence and other information obtained from governmental, public or private sources, including external consultants; and alerts and reports produced by security tools deployed in the IT environment.

 

CSOG oversees and implements organizational initiatives aimed at creating a sustainable culture of cyber security, including, but not limited to, internal and external training programs for staff, technological upgrades in cyber security, and knowledge management practices in cyber security. Collectively, CSOG is equipped with the relevant experience and technical knowledge to perform its responsibilities in relation to cyber security.

 

The CISO provides quarterly reports to the Committee on potential and existing cyber security risks identified by CSOG, remedial actions undertaken, and measures implemented to enhance PLDT Group’s cyber security posture. The Committee then reports such cyber security matters to the full Board. The CISO also directly provides the Board with quarterly reports on the implementation of the Group’s security measures.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Our Board considers cyber security risk as part of its risk oversight function and has delegated the responsibility for overseeing cyber security and other information technology risks to the Board’s Data Privacy and Information Security Committee (the Committee).
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] This Committee gives strategic direction to governance functions relating to data privacy and information security matters and oversees management’s implementation of our Program.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our CSOG, led by the CISO, is responsible for assessing and managing any material risks from cyber security threats. CSOG has primary responsibility for implementing and monitoring our Program and supervises both our internal cyber security personnel and our external cyber security consultants
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] the Committee reports to the full Board on its activities including those related to cyber security. Further, the Committee reports and secures the full Board’s approval, at least annually, on the risk appetite and risk tolerance of our Company and the risk management objectives and strategies on data privacy and information security. The Committee also ensures that management, through its Chief Information Security Officer (CISO), reports to the full Board the level of our compliance with regulatory requirements and internal policies and standards on data protection and information security.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true