As Sri Lanka’s national ICT enabler, we recognise that resilient digital infrastructure must be supported by equally robust cybersecurity, information governance, and service continuity frameworks. As we continued to expand our fibre backbone, cloud infrastructure, data-centre ecosystems, and next-generation digital platforms during 2025, strengthening cyber resilience remained a strategic priority underpinning customer trust, operational continuity, and national digital security. Operating within an increasingly interconnected and digitalised environment, we maintained a proactive and risk-based approach to cybersecurity governance, integrating information security principles across technology operations, enterprise systems, cloud environments, and customer-facing services. This approach aligns with internationally recognised standards and supports our broader commitment to secure, reliable, and future-ready digital infrastructure.

Cybersecurity Governance and Oversight

SASB: TC-TL-230a.2 | ISO/IEC 27001:2022 | Framework

We maintain a comprehensive cyber and information security governance framework aligned with internationally recognised standards and industry best practices. Governance oversight is supported through clearly defined management responsibilities, structured policy frameworks, and enterprise-wide accountability mechanisms designed to safeguard critical information assets and digital operations.

Our Information Security Management System (ISMS) operates on a structured and risk-based framework that supports the identification, assessment, mitigation, and monitoring of cyber risks across operational environments. Security policies and governance controls are periodically reviewed to ensure continued effectiveness in responding to evolving cyber threats and changing digital risk landscapes.

To strengthen consistency across the organisation, we have implemented an extensive information security policy framework covering key domains including the following:

  • Information security governance
  • Access control and identity management
  • Cryptography and data protection
  • Asset management and information classification
  • Secure development and application security
  • Logging, monitoring, and incident management
  • Cloud security and third-party risk management
  • Remote working and mobile device security

These frameworks support the consistent implementation of cybersecurity controls while reinforcing regulatory compliance and operational resilience across the Group.

Cyber Risk Management and Security Operations

SASB: TC-TL-230a.2 | ISO/IEC 27001 | Framework

We adopt a proactive and intelligence-driven approach to cyber risk management, embedding cybersecurity considerations within broader enterprise risk management processes. Risks are continuously identified and managed through layered security controls, continuous monitoring mechanisms, governance procedures, and secure operational practices.

A dedicated 24x7 Cyber Security Operations Centre (CSOC) provides continuous monitoring, threat detection, incident management, and rapid response capabilities across our critical systems and digital infrastructure. Advanced monitoring tools and threat intelligence capabilities enable real-time identification and mitigation of potential cyber threats, helping safeguard network operations, enterprise systems, and customer services.

Our cybersecurity posture is further strengthened through a defence-in-depth architecture and zero-trust operating model, delivering multiple layers of protection across networks, cloud platforms, applications, and operational environments. We continued to deploy industry-standard security technologies, supported by stringent policy enforcement and access governance mechanisms.

Key security measures implemented across operations

  • Next-generation firewalls deployed across data-centre perimeters
  • Two-factor authentication and controlled administrative access
  • Endpoint detection and response capabilities
  • Network detection and monitoring systems
  • Logging and anomaly detection mechanisms
  • Secure application development practices
  • Continuous security monitoring and incident response protocols

Collectively, these capabilities form an integrated cybersecurity ecosystem designed to protect critical national digital infrastructure while supporting secure digital transformation initiatives.

Data Security and Customer Privacy

(SASB: TC-TL-220a.1)

Protecting customer information and safeguarding digital trust remain fundamental priorities for us. The Group maintains policies, governance frameworks, and operational controls designed to ensure the secure collection, processing, storage, and transfer of customer and enterprise data across its digital platforms and services.

The organisation complies with applicable regulatory and privacy requirements, including the Personal Data Protection Act (PDPA), while embedding privacy considerations into service design and operational processes.

Security controls that enable data protection

  • Data classification frameworks
  • Access control mechanisms
  • Encryption protocols
  • Monitoring and logging systems
  • Secure information handling procedures

These measures help ensure that sensitive information remains protected against unauthorised access, misuse, and cyber threats while reinforcing transparency and customer confidence across digital interactions.

Identifying and Addressing Cybersecurity Risks

(SASB: TC-TL-230a.2)

We employ a structured and continuously evolving approach to identifying and managing cybersecurity and data security risks through our enterprise-wide ISMS framework. Our cyber risk management processes integrate operational monitoring, governance oversight, technical controls, and security assurance mechanisms to strengthen organisational resilience against emerging threats.

Safeguards in our cybersecurity approach

  • Periodic risk assessments and vulnerability management
  • Continuous monitoring through the CSOC
  • Logging and monitoring controls
  • Secure development and application security practices
  • Third-party security and compliance assessments
  • Alignment with internationally recognised cybersecurity standards

In addition, we continued to strengthen cyber resilience through employee awareness programmes, policy enforcement, and the integration of secure-by-design principles across operational and development processes.

The renewed National Cyber Protection Strategy 2025-2029 introduced by the Government during the year further reinforced the national cybersecurity ecosystem by strengthening legal frameworks, response preparedness, and public-private collaboration initiatives.

Network Management, Service Continuity and Operational Resilience

(SASB: TC-TL-520a.3 and TC-TL-550a.2)

As a provider of critical national telecommunications infrastructure, we continued to prioritise network resilience, service continuity, and regulatory compliance across our operations. We maintain network management practices aligned with applicable telecommunications regulations while ensuring fair, transparent, and reliable service delivery across customer segments.

Potential risks relating to evolving regulatory developments, traffic management practices, and network neutrality considerations are continuously monitored and managed to maintain compliance and strengthen customer trust.

Our Business Continuity Management System (BCMS), aligned with ISO 22301:2019 standards, supports effective response, recovery, and continuity planning across critical infrastructure and digital operations.

Key resilience measures

  • Redundant network and infrastructure architecture
  • Backup and recovery systems
  • Incident response and crisis management procedures
  • Continuous operational monitoring through the CSOC
  • Rapid response and service restoration capabilities

These measures help minimise operational disruption while ensuring the continuity of critical telecommunications and digital services across the country.

Certifications and International Standards

Our cybersecurity and information governance framework is reinforced through internationally recognised certifications and standards that support operational integrity, service resilience, cloud security, and data protection across our digital ecosystem. During the year, we continued to strengthen our compliance with global best practices in information security management, business continuity, cloud governance, and privacy protection through a series of internationally benchmarked certifications.

Key certifications

  • ISO/IEC 27001:2022 – Information Security Management Systems
  • ISO 22301:2019 – Business Continuity Management Systems
  • ISO/IEC 27017 – Cloud Security Controls
  • ISO/IEC 27018 – Protection of Personally Identifiable Information (PII)

These certifications demonstrate our continued commitment to safeguarding critical information assets, ensuring service continuity, strengthening cloud security practices, and maintaining customer trust across increasingly digital and data-driven operating environments.

Strengthening Digital Trust for the Future

As digital ecosystems continue to evolve in scale and complexity, we remain committed to continuously strengthening our cybersecurity, data governance, and operational resilience capabilities. Through sustained investments in secure digital infrastructure, advanced monitoring systems, internationally aligned governance frameworks, and enterprise-wide cyber resilience practices, we continue to safeguard critical national connectivity infrastructure while enabling secure and trusted digital experiences for customers, enterprises, and public-sector institutions across Sri Lanka.