Risk Management

Risk Management Structure

VNET has developed a risk management process tailored to the characteristics of our business. The purpose of this process is to identify financial and non-financial risks in our operations as early as possible. The Company has formed an effective risk prevention and control mechanism to safeguard our operations in the long run. The Board of Directors is responsible for guiding and overseeing risk identification and management, and senior management works with external auditors to ensure the soundness and effectiveness of the Company’s risk management process.


Three Lines of Defense for Risk Management

Based on the COSO internal control framework and in compliance with the Sarbanes-Oxley Act of 2002, VNET has applied the three lines of defense model for risk management. The model distinguishes different lines of defense involved in risk management and defines the control process for risks of various types. The first line of defense focuses on prevention and control of business-related risks through regular business processes. The second line of defense involves dedicated risk management professionals, who manage risk-related tasks and activities and guide and oversee the first line of defense to maximize risk reduction. The third line of defense provides examination of the operation of the first two lines of defense through an internal audit process. Using this model, we identify problems and arrange for rectification to ensure the implementation and optimization of risk management policies and responsibilities.


Forward-looking Risk Management

VNET pays particular attention to risks that are highly sensitive to corporate operations, such as the risk of relevant transactions. The Company is committed to implementing a comprehensive and forward-looking risk management process and controlling potential risks such as climate change and energy supply risks. VNET has developed a series of emergency response guidelines, such as the Sudden Disaster Emergency Response System, and we received the ISCCC (China Information Security Certification Center) certification for disaster recovery information security services, which establishes processes for protecting normal business operation from potential risks.




Privacy and Data Security

VNET provides industry-leading full-lifecycle IT infrastructure services by building a cyberspace infrastructure operation platform with indigenous core technology and hyper-scale operation capability. As a leader in telecom-neutral, cross-carrier interconnection network platforms and Carrier-Neutral Data Center Service, we provide customers with highly available data center services while remaining devoted to protecting customers’ privacy and data security. On top of strictly complying with the "Cybersecurity Law of the People's Republic of China" and other relevant legal requirements, VNET strives to safeguard customers’ data safety and security through measures such as rigorous ID control, access regulation, data encryption, and de-identification techniques.


At VNET, our comprehensive customer data security protection measures include:

- Physical security: 7*24-hour security patrol and surveillance mechanism and standard procedures, designated cloud service (provided upon request, fulfilling customers’ need for physical isolation of data)

- Operational security: Document Security Management (DSM), data security training (all employees are required to participate and pass the exam), security-procedure-specific auditing

- Technical security: Application resilience (virtual firewall, Web Application Firewall, Website Defacement System), Data Leak Prevention (DLP), Anti-DDoS (Anti-Distributed Denial of Service), remote access VPN, anti-virus (servers and devices), defensive protections and security scans


To prevent and control external attacks, we strictly abide by laws, administrative regulations, rules, and our internal information security regulations, such as the "Cybersecurity Law of the People's Republic of China", to create an underlying security platform. Logging, anomaly detection, and vulnerability scan tools are deployed to protect user data.


In 2020, VNET Blue Cloud further strengthened customer privacy protection. The upgraded "Microsoft Azure Privacy Statement" and "Microsoft Azure Online Service Standard Agreement" are ISO/IEC 27018 compliant, with a clear description of the ownership of customer information. At the same time, we have incorporated the protection of personally identifiable information throughout the life cycle of operations and maintenance work. Shanghai Blue Cloud renews its Protection of Personally Identifiable Information in Public Clouds certification each year in accordance with ISO/IEC 27018 (international code of practice for protection of personally identifiable information in public clouds) to ensure the privacy and security of user data.


To further reinforce VNET’s data compliance and security, VNET has set up a Data Compliance and Security Management Committee to govern and manage relevant considerations at the corporate strategic level. The Committee is responsible for reviewing and authorizing compliance and data security related issues, auditing and approving relevant reports, and instructing and coordinating daily operation progress. The Committee is led by the VNET Group CEO and involves both the Senior VP of Security and the Senior VP of Network. The Committee's members are BU and Regional heads, and the Committee has set up a Data Compliance and Security Task-force for daily execution, monitoring and management of the data security system’s operation and iteration. Up to now, VNET has developed the "Information Security Management System", "Cybersecurity Management System", "Password Security and Confidentiality System", "Cybersecurity Vulnerability Detection System", "Case Report and Co-investigation System" and other systems to protect cybersecurity.


VNET regards the commercialization of cyber resilience related services and products as an important proposition for its future. VNET has thus introduced an emergency response center and safety service standards, and provides cyber resilience products such as anti-DDoS service, penetration test, host security, security analysis, website security CA certificate, security level evaluation and consultation, etc. Moreover, VNET has developed and constructed an indigenous private cloud platform based on virtual machines and containers. Through our indigenous private cloud platform, users can decouple software services from the hardware system and manage computation resources as a pool. Users can thus realize dynamic allocation and elastic adoption, while ensuring centralized management of operation and maintenance capabilities. This indigenous platform is both adopted by VNET internally and provided to customers externally. The platform is still evolving at the feature level, benchmarking against best practices, and strives to contribute to the creation of an open-source ecosystem. VNET’s cyber resilience related services have received great recognition market-wide, and with their rapid growth, VNET has already achieved revenue generation from them.


As certified by the China Cybersecurity Review Technology and Certification Center (CCRC), VNET’s propositions that have earned the top tier-3 qualification rating include: Information Security Risk Assessment, Information Security Emergency Response, Information System Security Integration, Information System Security O&M, and Information System Disaster Backup and Recovery. In addition, VNET has also received the Trusted Cloud Certificate from the China Academy of Information and Communications Technology (CAICT), ISO 27001 Information Security Management System, ISO 20000 Information Technology Service Management System, ISO 22301 Business Continuity Management System, ISO 50001 Energy Management System certification, and various other certifications.


Business Ethics

We do business with integrity and act in strict accordance with laws, regulations, and industry standards, including the "Criminal Law of the People's Republic of China", "Company Law of the People's Republic of China", and "Anti-Unfair Competition Law of the People's Republic of China". We abide by the highest ethical standards and compliance requirements when interacting with our stakeholders.


With regard to business ethics and corruption issues, VNET has established a multi-layer management mechanism ranging from the Department of Integrity to the Board level. Any stakeholder or member of the public can make a report, either using their name or anonymously, by e-mail, phone, and other means. VNET resolutely fights non-compliant behaviors such as bribery, bribe solicitation, and kickbacks. Once a corruption or related complaint has been received, whether anonymous or not, the Department will immediately contact the accused and the plaintiff separately, and plan a corresponding investigation according to the situation learned. Once authorized by the company leadership, the Department of Integrity will then form a task-force and initiate the investigation. After the investigation is complete, the task-force and the Department of Integrity will then provide an investigation report consisting of research outcome, recommendation, and follow-up procedures for the company leadership and Board to review. The investigation report will be reviewed in 2 days, and finalized with feedback and signoffs. VNET has also developed a whistleblower protection policy and strictly prohibits retaliation against these employees.




For the purpose of strengthening risk management capability, VNET has published a comprehensive "Internal Audit Procedure" for all procedures of VNET, all of its affiliates, as well as respective operations. The audit scope includes all financial performances and related activities, internal control regulations and executions, national legal requirements and enforcement, general operation efficiency and comments. The Department of Internal Audit prepares a special audit plan on an annual basis, and executes it when permitted by the Group Audit Committee.


VNET conducts annual anti-corruption auditing for VNET, all of its affiliates, as well as respective operations. On top of this, VNET also carries out various forms of education and publicity for all employees on the theme of integrity and anti-corruption. We have developed policies and systems such as the "VNET Group Integrity Interview System", "the Anti-Corruption Inspection System", "the Gift Registration System", and "the Anti-Commercial Bribery Statement" to ensure all employees understand and comply with VNET standards of integrity. VNET requires all of its employees and suppliers to sign the "Commitment against Commercial Bribery" and receive respective training on integrity. Since October 2020, the Department of Integrity has maintained a special section of anti-corruption education on the internal e-learning platform, sharing corruption cases with all employees on a regular basis, helping them to strengthen anti-corruption awareness and recognition. In addition, we joined the Anti-Fraud Alliance in 2019, and participate in online courses and offline training sessions organized by the Alliance on a regular basis to ensure the best practice of business ethics and compliance requirements are met.




The World’s Most Influential Cyberspace Infrastructure Service Provider