Supporting the SDGs

Goal 16:
Peace, Justice and Strong Institutions

Stakeholders Directly Impacted

External Service Providers
Customers/Consumers
Business Partners
Regulatory Agencies

Goals and Performance Highlights

Goals
Number of Successful Cyber Attacks is Zero

Performance Highlights 2024
Number of Successful Cyber Attacks is Zero

Commitment, Challenge and Opportunity

Currently, measures for personal data protection and cybersecurity are essential to building trust among stakeholders. As the group uses technology to modernize its business in line with new innovations, there is a high likelihood of becoming a target of cyber threats or personal data breaches, which could cause harm to stakeholders and affect confidence and trust in the organization. The group has established policies to ensure the security of information systems and personal data protection policies to define guidelines for protecting personal data. Additionally, a cyber threat response plan has been developed and is practiced at least once a year. All employees can quickly report incidents via an application to enable immediate prevention, response, and risk mitigation from cyber threats. This helps prevent crimes, attacks, and various errors, and ensures compliance with government regulations such as the Cybersecurity Act B.E. 2562 (2019) and the Personal Data Protection Act B.E. 2562 (2019). Personal data management is aligned with the Personal Data Protection Act B.E. 2562 (2019) to prevent violations of stakeholder rights from improper use of personal data, enabling the business to operate continuously.

Management and Operational Approach

The company places strong emphasis on the protection of personal data and cybersecurity in order to build confidence among stakeholders.

Policies, guidelines, and systematic risk management measures have been established in line with international information security standards, along with initiatives to enhance awareness and encourage participation among employees at all levels in preventing and responding to cyber threats.

1. Announcement: The Information Security Policy is based on the ISO/IEC 27001 information security management framework, integrating cybersecurity risk with organizational risk management and building cybersecurity awareness.
2. Develop a cyber threat response plan ready to handle potential cyber threats in all forms of operations, with the following four key implementation steps:
   [Figure: Cyber Incident Response Cycle]
3. Provide a means of reporting issues through the application, such as receiving phishing emails, emails containing malware or viruses, as well as other anomalies that may result from cyber attacks, in order to manage incidents and issues caused by the use of information technology appropriately and promptly.

Sustainability Plan

The company has continuously implemented proactive measures on cybersecurity and personal data protection to mitigate risks and strengthen preparedness against potential threats, with the following actions undertaken.

Conduct phishing simulation training
The group conducts phishing simulation training, aimed at increasing knowledge, understanding, and familiarity with the response process, enabling those involved to effectively handle cyber threats.
Conduct vulnerability assessments and penetration testing
Vulnerability assessments and penetration tests are conducted regularly to assess risks and test system penetration, identifying and addressing potential vulnerabilities in the information security and network systems. This involves simulating various penetration test scenarios, which helps improve understanding and strengthen defenses.
Conduct an annual risk assessment
An annual risk assessment is conducted to evaluate the effectiveness of operations, providing insights into emerging threats and areas that need improvement in the security system, which will guide the enhancement of cybersecurity measures.

Future Plans

The information security management approach uses the ISO/IEC 27001 framework. The group is committed to obtaining ISO/IEC 27001 certification in 2026.

[Figure: ISO Certification Process]