UOL implements a robust cybersecurity and data privacy framework to protect sensitive information across our global operations. We are committed to maintaining the highest standards of cybersecurity and data privacy, while staying informed about the challenges posed by advancements in technology such as artificial intelligence to cyber resilience.
Our Data Protection Policy sets out how we collect, use and disclose personal data with our customers and partners, whereas the Acceptable Use Policy outlines the guidelines and requirements in place to protect employees from cyber-attacks. The Group strictly complies with relevant laws and regulations such as the General Data Protection Regulation (GDPR) and Singapore’s Personal Data Protection Act (PDPA).
Aligned with the ISO 27001 Information Security Management Systems framework, an internationally recognised standard on information security, and the National Institute of Standards and Technology (NIST) cybersecurity framework, we have established cybersecurity policies, standard operation processes (SOP) and advanced security technologies to tackle cybersecurity and data privacy threats to our organisation. We have been actively working with cross-functional teams and auditors to review our data management system against ISO 27001 requirements and aim to achieve leading cybersecurity certifications across the Group in 2025, namely the Cyber Security Agency of Singapore (CSA) Cyber Essentials, Cyber Trust Mark certifications and ISO 27001 certification.
The Group adopts a defence-in-depth strategy that leverages multiple layers of security defence for holistic cybersecurity protection. This approach integrates a variety of solutions and tools.
We employ robust network security measures to safeguard our infrastructure, leveraging state-of-the-art Intrusion Detection and Prevention Systems (IDPS) such as Next-Gen Firewalls and secured VPN solutions.
Our 24/7 Security Operations Centre (SOC) leverages advanced monitoring tools, such as a custom Security Information and Event Management (SIEM) system, to detect, analyse and respond to potential threats. Regular vulnerability scans and assessments, supported by platforms like Tenable and CrowdStrike, enhance our capabilities in proactively addressing system weaknesses.
We secure our communications and devices through leading AI-based Email and Endpoint Detection & Response (EDR) solutions such as Microsoft Defender, SentinelOne EDR and CrowdStrike. These tools protect against email-based threats and provide real-time monitoring and response to endpoint vulnerabilities.
We have established a Cybersecurity Risk Assessment process and actively monitor third-party risks and external attack surfaces to safeguard our supply chain and mitigate vulnerabilities.
We utilise data loss prevention (DLP) tools, privileged identity management and privileged access management (PAM) systems to ensure the confidentiality and integrity of sensitive information.
We conduct regular training and simulated exercises on best practices to educate employees and enhance their vigilance against potential cyber threats, building a strong cybersecurity culture. Training includes regular Phishing Simulation Exercises, Annual Cybersecurity E-learning, Business Continuity Management (BCM) and Personal Data Protection Act (PDPA) E-learning, alongside monthly awareness emails. We also maintain a cybersecurity portal on our Intranet where employees can access these resources. In 2024, a cybersecurity awareness training tailored for UOL was conducted by NTUC Learning Hub for all employees.
Our cybersecurity teams operate 24/7, focusing on critical areas to ensure robust protection. These include managing firewall configurations to safeguard network perimeters, monitoring and responding to endpoint threats, overseeing data loss prevention to mitigate risks of sensitive information exposure, detecting and analysing potential threats across the environment, and securing privileged access to critical systems. Together, these teams work seamlessly to maintain a secure and resilient cybersecurity framework for UOL. UOL has also embarked on the use of AI-driven tools such as Microsoft Copilot and an AI anti-spam solution to enhance the efficiency of our security operations. In addition, suppliers involved with IT systems are required to complete a questionnaire to assess their data privacy, protection and cybersecurity measures, enhancing accountability and alignment with UOL’s standards.
In 2024, we partnered with a third-party consultant to conduct a cybersecurity maturity assessment, which identified key areas for improvement. We are in the process of implementing the recommended improvements and aim to complete them by 2025.
The Personal Data Management Framework encompasses policies and procedures that govern the entire lifecycle of each type of personal data within UOL. It also defines the roles and responsibilities of individuals tasked with managing personal data. To ensure its sustainability, policies and processes under this framework are regularly reviewed, with ongoing personal data-related communications and training provided to employees.
Our Data Protection Policy, accessible on our corporate website, outlines the processes for collecting, using, and disclosing personal data of individuals who engage with our company. We recognise the responsibility that comes with handling private and sensitive information through channels such as online reservations, loyalty programmes and credit card transactions. To protect sensitive data, we enforce strict security protocols and implement various measures across our commercial and hospitality operations. In 2024, there were no customer complaints regarding data privacy breaches.
UOL is dedicated to maintaining rigorous data privacy and security practices across all operations and extends our principles to our suppliers. The Group requires suppliers to adhere to PDPA through a Letter of Undertaking, alongside signing additional agreements such as NDAs to safeguard intellectual property and sensitive information.