Cybersecurity and Operational Improvement Initiatives
| Cybersecurity/Operational Initiative | Description | Purpose/Impact |
|---|---|---|
| Privileged Access Management (PAM) | Manages and monitors access to privileged accounts | Strengthens security by controlling access to critical systems and data |
| Security Orchestration, Automation and Response (SOAR) | Automates security operations so that incidents are responded to efficiently | Shortens incident response times and minimises manual intervention in threat detection and response |
| Cloud Security Posture Management (CSPM) | Manages risks associated with cloud environments, and automates compliance monitoring | Ensures security of cloud environments and their compliance with relevant regulations, minimising the risk of data breaches |
| Multi-Factor Authentication (MFA) | Strengthens the authentication process by requiring multiple forms of verification | Augments user account security, reducing the possibility of unauthorised access |
| Web Application Firewall (WAF) | Secures websites from cyber-attacks by filtering and monitoring HTTP traffic | Protects the Adani Ports website against various web-based threats, ensuring website integrity and user data |
| Grievance Management System (GMS) | Collects grievance-related information from internal and external stakeholders | Enables efficient handling and resolution of grievances, enhancing stakeholder satisfaction and operational transparency |
| Ransomware Protected Back-up Solution | Ensures data protection against ransomware threats or attacks | Ensures data recovery in the event of a ransomware attack, minimising operational disruption and data loss |
| Gate Operating Systems (GOS) at Mundra Port | Automates gate operations and enables online fee collection | Streamlines vehicle entry processes at Mundra Port, boosting efficiency and reducing wait times |
| SIEM (Security Information and Event Management) | Collects, aggregates and analyses logs from applications, devices, servers and users across the IT infrastructure, giving a consolidated view of the organisation's security posture | Centralises security data for threat detection, incident response and regulatory compliance, improving security posture, operational efficiency and proactive threat management |
| EDR (Endpoint Detection and Response) | Continuously monitors end-user devices to detect and respond to threats such as ransomware and malware | Provides real-time threat detection and automated response on endpoints, improving incident response and limiting the impact of attacks |
| DLP (Data Loss Prevention) | Prevents unauthorised access to, sharing of, or exfiltration of sensitive data | Protects confidential information, supports regulatory compliance and reduces the risk of data breaches |
| Deep and Dark Web Monitoring | Regular web monitoring covers the surface web (publicly accessible sites indexed by search engines); deep and dark web monitoring covers the parts of the internet that are not indexed and require special access methods | Continuous monitoring for illicit activity such as data breaches, stolen credentials and emerging threats, giving early warning and actionable insight, along with brand protection |
| Proxy and Network Access Control (NAC) | A proxy server acts as an intermediary between a user's device and the internet; NAC manages and enforces policies governing which devices and users may join the network | The proxy gives better control over internet usage, improved privacy and protection against malicious websites; NAC ensures that only authorised and compliant devices can access the network |
| Identity and Access Management (IAM) | Manages digital identities and controls user access to resources | Ensures that only authorised users can access sensitive data |
These initiatives significantly strengthen our defence against cyber threats by providing real-time threat detection, log analysis, and incident response capabilities. They help in quick identification and mitigation of potential security threats, thereby reducing the risk of data breaches and other cyber incidents.
Protecting Data Privacy
We have prioritised data protection and privacy at APSEZ, not merely as a compliance requirement but as a core value that drives our commitment to excellence and integrity in all our operations. We are committed to upholding the highest standards of data protection and privacy. Our business model is built on a foundation of trust, transparency, and ethical practices, ensuring that all personal and sensitive information is handled with the utmost care and confidentiality.
Data Privacy Governance
Our commitment to safeguarding the privacy and security of the data of our various stakeholders is unwavering. To uphold this commitment, we are in the process of formulating a comprehensive Data Privacy Policy covering all individuals and entities associated with the organisation, including but not limited to employees, contractors, partners, customers and third-party vendors. The policy will help manage personal and sensitive data responsibly. It will comply with current regulations and incorporate global best practices, underscoring our belief that privacy is a fundamental right.
We implement robust measures to protect Personally Identifiable Information (PII), ensuring our processes meet regulatory standards. We also encourage our stakeholders, including customers and business partners, to contact us via email or phone with any questions about their personal data. These initiatives are designed to promote transparency and open communication regarding data collection and use.
We have integrated a detailed privacy policy system into our group-wide risk and compliance management framework. This system ensures the protection of stakeholders' privacy rights, regulatory compliance in data handling practices, and effective risk mitigation strategies. By embedding privacy policies throughout the organisation, we prioritise data security, and build trust with our customers and partners.
The Head - Cybersecurity is responsible for ensuring compliance of the Privacy Policy at APSEZ.
Strategy for Data Privacy Protection & Risk Mitigation
Given the threat that data privacy failures pose to the company's integrity and operational continuity, we have aligned our data privacy risk assessment framework with the Digital Personal Data Protection (DPDP) Act. Our efforts focus on compliance with the Act's legal requirements and with industry best practice.
Detection Mechanisms
- Monitoring Tools: Intrusion Detection Systems (IDS), Data Loss Prevention (DLP) solutions, and Security Information and Event Management (SIEM) platforms are utilised to monitor suspicious activities
- Access Logs: Access logs are regularly reviewed to identify unauthorised access or anomalies
- Incident Reporting Channels: Employees are trained to promptly report suspicious activities or potential breaches to the cybersecurity team
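The access-log review that underpins these detection mechanisms can be expressed as a small set of rules run over the log. The following is an added example, not APSEZ code or tooling: the log format, account names, address ranges, business hours and thresholds are assumptions, and the log lines are constructed. It flags four of the conditions a reviewer looks for: a successful login after repeated failures, a privileged account logging in from an external address, a login outside business hours, and a read of a sensitive path by an account not authorised for it.

```python
"""Access-log review: flag unauthorised access and anomalies.

Added example, not APSEZ code. Log format, accounts, address ranges,
business hours and thresholds are assumptions; the log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log: "<ISO timestamp> <user> <source IP> <action> [<target>] <result>"
SAMPLE_LOG = """\
2025-03-10T09:12:01 jdoe 10.20.1.15 login success
2025-03-10T09:15:44 jdoe 10.20.1.15 read /finance/invoices success
2025-03-10T02:03:10 svc_backup 10.20.5.9 login success
2025-03-10T11:00:00 admin_ops 203.0.113.7 login failure
2025-03-10T11:00:05 admin_ops 203.0.113.7 login failure
2025-03-10T11:00:09 admin_ops 203.0.113.7 login failure
2025-03-10T11:00:14 admin_ops 203.0.113.7 login success
2025-03-10T14:20:33 contractor1 10.20.7.3 read /hr/pii success
"""

# Review policy (hypothetical values, assumed for the example).
PRIVILEGED_ACCOUNTS = {"admin_ops", "svc_backup"}
INTERNAL_PREFIXES = ("10.", "192.168.")          # addresses treated as on-premise
BUSINESS_HOURS = (time(7, 0), time(20, 0))
SENSITIVE_PATHS = {"/hr/": {"hr_team"}, "/finance/": {"jdoe", "finance_team"}}
BRUTE_FORCE_THRESHOLD = 3


def parse_line(line):
    """Split one log line into a dict; the target field is optional."""
    ts, user, ip, action, *rest = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "ip": ip,
        "action": action,
        "target": rest[0] if len(rest) == 2 else None,
        "result": rest[-1],
    }


def review(log_text):
    """Return a list of (user, reason) findings for the given log text."""
    findings = []
    failures = defaultdict(int)  # (user, ip) -> consecutive failed logins
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        key = (e["user"], e["ip"])
        if e["action"] == "login":
            if e["result"] == "failure":
                failures[key] += 1
                continue
            # Successful login: check for brute force, external privileged use, odd hours.
            if failures[key] >= BRUTE_FORCE_THRESHOLD:
                findings.append((e["user"], f"success after {failures[key]} failures from {e['ip']}"))
            failures[key] = 0
            if e["user"] in PRIVILEGED_ACCOUNTS and not e["ip"].startswith(INTERNAL_PREFIXES):
                findings.append((e["user"], f"privileged login from external address {e['ip']}"))
            if not BUSINESS_HOURS[0] <= e["ts"].time() <= BUSINESS_HOURS[1]:
                findings.append((e["user"], "login outside business hours"))
        elif e["target"] and e["result"] == "success":
            # Data access: only listed accounts may read sensitive paths.
            for prefix, allowed in SENSITIVE_PATHS.items():
                if e["target"].startswith(prefix) and e["user"] not in allowed:
                    findings.append((e["user"], f"unauthorised access to {e['target']}"))
    return findings


if __name__ == "__main__":
    for user, reason in review(SAMPLE_LOG):
        print(f"{user}: {reason}")
```

On the constructed log this produces four findings (the backup service account logging in at 02:03, the admin account succeeding after three failures from an external address, that same external privileged login, and the contractor reading an HR path), and nothing for the ordinary user. In a real deployment the same rules would be implemented as SIEM correlation rules over the centralised logs rather than as a script, and the allow-lists would come from the IAM system rather than constants.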
Reporting Procedures
- Internal Reporting: Potential breaches are escalated to the Incident Response Team (IRT) for further investigation and containment
- Regulatory Reporting: Timely notification to regulatory authorities is ensured for confirmed breaches involving personal data, as mandated by data privacy regulations
- Stakeholder Notification: Detailed information about the breach and the measures taken is provided to affected individuals and stakeholders, along with guidance on how they can protect themselves
Our Data Privacy Protocols
We have instituted a comprehensive privacy impact assessment (PIA) for various projects at APSEZ. The assessment is designed to evaluate how a project, system or process affects the privacy of individuals whose data is being collected, stored, or processed. It ensures compliance with data protection laws like the GDPR and DPDP Act, and helps mitigate potential privacy risks.
At APSEZ, we have established elaborate mechanisms to detect and report data breaches as part of our cybersecurity framework. The framework is also being extended to include privacy considerations. We employ a combination of technical and procedural measures to ensure timely detection and reporting of breaches.
Key Steps in Conducting a PIA
Identify the need for a PIA
Determine if the project involves high-risk data processing activities, such as handling sensitive personal information.
Describe the Information Flows
Document how the collected data is gathered, used, stored and shared.
Identify Privacy Risks
Assess potential risks to individuals' privacy, including data breaches or misuse.
Consult Stakeholders
Engage with stakeholders, including data subjects, to gather their input and concerns.
Evaluate Privacy Solutions
Identify measures to mitigate identified risks, such as data encryption or access controls.
Document the PIA
Record the findings and decisions made during the assessment.
Review and Update
Regularly review and update the PIA to reflect changes in the project or regulatory environment.
Data protection and information sharing practices
We follow elaborate practices designed to ensure the integrity and security of data sharing and protection.
These include:
Safe Data Storage
Back-up and secure storage for 5 years for all essential applications, including IPOS Container and IPOS Non-Container systems; Protection and safe retention for 7 years for all financial documents
Controlled Information Sharing
The Adani Microsoft SharePoint solution is used to enable information sharing with third parties when necessary; approvals from the relevant business and cybersecurity teams are required, ensuring compliance with strict security protocols
Seeking Consent
Individual’s opt-in consent obtained, where required under relevant Data Protection Laws, before processing activities on customer data / personal information are undertaken
Data Deletion
Identification and secure deletion of data that is no longer needed, ensuring that it cannot be recovered. Deletion process, including details of what was deleted and when, clearly documented
Data Anonymisation
Data is identified for anonymisation, and techniques such as generalisation, suppression or pseudonymisation are applied to protect privacy while retaining the data's analytical value
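As an added illustration of the three techniques named above (not APSEZ's code), the following applies suppression, pseudonymisation and generalisation to constructed customer records; the field names, sample values and the pseudonymisation key are assumptions. Direct identifiers are dropped, the email is replaced by a keyed HMAC token so that records remain linkable only to whoever holds the key, and the birth year is generalised to a decade, while the analytical field (container volume) is kept.

```python
"""Anonymisation of customer records: suppression, pseudonymisation, generalisation.

Added example, not APSEZ code. Field names, sample values and the key are assumptions.
"""
import hashlib
import hmac

# Constructed sample records (hypothetical customers and values).
RECORDS = [
    {"name": "A. Shah", "email": "a.shah@example.com", "mobile": "+91 98765 43210",
     "pan": "ABCDE1234F", "birth_year": 1984, "city": "Ahmedabad", "teu": 120},
    {"name": "R. Mehta", "email": "r.mehta@example.com", "mobile": "+91 91234 56789",
     "pan": "PQRSX9876K", "birth_year": 1991, "city": "Mundra", "teu": 35},
]

# Assumed secret; in practice held by a custodian, rotated, and never stored with the output.
PSEUDONYM_KEY = b"example-key-keep-separate-from-the-dataset"
DIRECT_IDENTIFIERS = ("name", "mobile", "pan")  # dropped outright (suppression)


def pseudonymise(value, key=PSEUDONYM_KEY):
    """Keyed hash: the same input always yields the same token, so records stay
    linkable, but without the key the token cannot be reversed or brute-forced
    from a list of likely emails (a plain SHA-256 of the email could be)."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def generalise_year(year, width=10):
    """Replace an exact year with a band, e.g. 1984 -> '1980-1989'."""
    start = year - year % width
    return f"{start}-{start + width - 1}"


def anonymise(record):
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}  # suppression
    out["customer_token"] = pseudonymise(out.pop("email"))                 # pseudonymisation
    out["birth_decade"] = generalise_year(out.pop("birth_year"))           # generalisation
    return out                                                             # city and teu kept for analysis


def anonymise_all(records):
    return [anonymise(r) for r in records]


if __name__ == "__main__":
    for r in anonymise_all(RECORDS):
        print(r)
```

One caveat worth keeping in view: a pseudonymised data set is still personal data for as long as the key (or the original records) exist, so the key must be stored and access-controlled separately from the output, and retention and deletion of the key should be handled under the same Data Deletion practice described above.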
Purpose-Specific Data Usage
Restriction on use of personal data of all stakeholders to essential business operations, such as invoice generation and payment processing. Such data includes key identifiers like names, addresses, email, mobile numbers, and financial details. All such data securely blocked in the system after completion of process/service
Regulatory Compliance
Strict regulation of disclosure of customer information to third parties; Limited to legal obligations with government agencies; May include sharing of specific details, such as PAN and GST numbers, for tax filing purposes
Privacy by Design
Privacy-by-design principles being adopted to embed data privacy into IT systems, in line with DPDP Act; To include features like data minimisation, encryption, and role-based access controls
Protection of Personal Information
We place emphasis on protecting the personal data of all stakeholders, including customers, employees, third-party vendors, partners and suppliers. The DPDP Act, 2023 is the governing regulation for data privacy and control. Our stakeholder data privacy measures include authorisation, encryption, verification, and data back-up and recovery. We adopt best business practices to protect all private data, including restrictions on data collection and access, regular audits, employee training on privacy practices, and regular reviews of compliance with data protection laws.
As a B2B enterprise whose primary focus is commercial activity rather than marketing, we do not require an opt-out option for customers regarding the handling of their personal information. Because personal data is used predominantly for those commercial purposes, use of such data for secondary purposes does not arise.
Compliance
Robust data privacy incident response management
A robust Incident Response Plan (IRP) is in place with respect to cybersecurity & data privacy at APSEZ. The plan ensures effective management of data breaches involving personal data and is aligned with the organisation's overall cybersecurity strategy as well as the requirements of privacy regulations like the DPDP Act.
We are now in the process of establishing dedicated communication channels, such as an email helpdesk and a grievance cell, to enable data principals to seamlessly lodge complaints. These mechanisms will be backed by defined timelines to address concerns efficiently.
Training & Awareness
Cybersecurity and data privacy training and awareness help employees identify and avoid cyber threats, reducing the risk of data breaches and cyberattacks. This training fosters a culture of security compliance, ensuring that everyone in the organisation understands their role in protecting sensitive information and meeting regulatory standards.
Key topics include phishing awareness, password best practices and data protection. The training also covers safe internet practices, social engineering, mobile device security, two-factor authentication and incident reporting, to ensure comprehensive understanding and protection.
The effectiveness of data privacy and cybersecurity training is measured through several methods:
1. Pre- and post-training assessments: comparing knowledge and skills before and after training to gauge improvement.
2. Phishing simulations: conducting simulated phishing attacks to see how well employees apply what they have learned.
3. Employee feedback: gathering feedback from participants to understand their perception of the training's relevance and effectiveness.
Maintaining Confidentiality
We follow a zero-tolerance policy towards violations of the privacy policy. The principle of confidentiality of personal information is embedded in our code of conduct, and any violation of the privacy policy, or involvement in a privacy breach, by an employee invites strict disciplinary action. We have a strong track record on customer privacy protection: no information security breaches, data breaches or cybersecurity incidents have been reported in the past three fiscal years, and APSEZ recorded zero substantiated incidents related to breach of customer privacy, data theft, leaks or loss in FY 2024-25. This underlines our commitment to data protection and to the implementation of cybersecurity measures. No fines or penalties have been imposed on APSEZ in respect of data security breaches or cybersecurity incidents.
| Year | Information Security Breaches | Data Breaches | Affected Individuals | Fines/Penalties |
|---|---|---|---|---|
| 2022–23 | 0 | 0 | 0 | 0 |
| 2023–24 | 0 | 0 | 0 | 0 |
| 2024–25 | 0 | 0 | 0 | 0 |