Importance and Mission

In an era where information technology and the digital economy play an increasingly significant role in enhancing operational efficiency, the Company recognizes both the opportunities and cybersecurity risks that may affect critical organizational data, including business information, personal data, and information belonging to all stakeholder groups. Data breaches or losses — whether arising from negligence or cyberattacks — pose risks to business continuity, organizational reputation, and stakeholder confidence. To manage these risks, the Company has established an Information Technology Security Policy, covering the protection, control, and management of computer systems, networks, software, and critical systems, as well as measures to safeguard data from cyber threats, in accordance with internationally recognized information security standards and frameworks, to ensure the ongoing safety and efficiency of information and communication systems.

The Company has also implemented preventive, detection, and response measures for cybersecurity incidents, including the development of emergency response plans to mitigate potential impacts on operations and financial performance. Communication, awareness-raising, and cybersecurity education initiatives are provided to directors, executives, and employees at all levels. To remain aligned with the continuously evolving threat landscape, the Information Security Policy is reviewed at least once annually to ensure that the organization's governance mechanisms and data protection measures remain current and effective.

Information Technology Security Policy (3rd Revised Edition)

Goals and Performance

Annual Target for the Year 2025

  • Information security and cybersecurity violations or non-compliance incidents: 0 incidents
  • Complaints related to customer personal data breaches: 0 cases
  • Information technology infrastructure incidents: 0 incidents
  • Fines or penalties arising from data security breaches or incidents: 0 baht

Performance

Operational Monitoring | Unit | 2023 | 2024 | 2025
Violations or non-compliance with IT security policy and practice guidelines | Incidents | 0 | 0 | 0
IT infrastructure incidents | Incidents | 0 | 0 | 0
Complaints related to personal data breaches | Cases | 0 | 0 | 0
Data leakage or unauthorized disclosure/use incidents | Incidents | 0 | 0 | 0
Fines or penalties arising from data security breaches or incidents | Baht | 0 | 0 | 0

Management Approach

Information Technology Governance Structure

The Company is committed to strengthening information technology security to support business operations in the digital era and to comprehensively protect the data of the organization, customers, business partners, and all stakeholder groups. A clear cybersecurity governance structure has been established, encompassing the roles of the Board of Directors, management, and operational units, to ensure robust and transparent cyber risk management, as follows:

Board of Directors
  • Oversee the effectiveness of the risk management and internal control systems.
Audit Committee / Corporate Governance and Risk Management Committee
  • Oversee risks related to information security.
  • Review the adequacy of risk control measures.
  • Verify the accuracy and completeness of reported information.
Management
  • Develop plans and oversee implementation of information system control and security measures.
Risk Management Working Group
  • Assess organizational risks related to information security.
  • Propose risk management plans and approaches to relevant committees.
Internal Audit Department
  • Evaluate the effectiveness and adequacy of information technology security measures.
  • Review access rights to programs and data in accordance with internal control principles, covering Access to Program and Data management processes, including user account management, User Access Modification, and User Revocation.
Corporate Support Division / Information Technology Department
  • Define plans, targets, and operational procedures for implementing the information security program.
  • Continuously monitor, track, and improve system security measures.
  • Manage access rights to programs and data in accordance with users' roles and responsibilities.
  • Support the development and improvement of information technology systems to enhance organizational operational efficiency.

Information Technology and Cyber Security Management

The Company places strong emphasis on the security of its information technology and communication systems, adhering to internationally recognized information security principles to ensure continuous Confidentiality, Integrity, and Availability of information systems. Additional key attributes are also considered, including Authenticity, Accountability, Non-Repudiation, and Reliability. To support security management, the Company has established Information Security Practice Guidelines as an operational framework encompassing preventive, detection, and response measures against information technology risks and cyber threats. These guidelines enable the Company to protect data, critical systems, and digital assets from potential threats, while maintaining business continuity and building confidence among all stakeholder groups. The guidelines comprise 11 sections as follows:

  1. Access control and use of information and communication technology systems
  2. Data center entry and exit procedures
  3. Computer usage
  4. Internet and email usage
  5. Asset and network management
  6. Operational security controls
  7. Data backup and recovery
  8. Information and communication technology system risk assessment
  9. Information technology security awareness
  10. Procurement, development, and maintenance of information technology systems
  11. Use of Artificial Intelligence (AI)

Personnel who violate or disregard the Information Technology Security Policy and/or the Information Security Practice Guidelines are subject to disciplinary action by the Company and penalties prescribed by applicable laws.

Cyber Threat Emergency Response Measures

To strengthen information technology system security and reduce cyber threat risks, the Company has established rigorous information security measures and processes, as specified in the Information Security Guidelines, covering prevention, data backup, and emergency preparedness, as follows:

  • A secure data storage and backup system is maintained by data type, covering operating system programs, applications, job commands, and critical data, with at least one backup copy stored at a separate location to ensure security and continuous availability.
  • Dedicated personnel are assigned responsibility for data backup, with verification of backup accuracy and completeness conducted at least once annually.
  • A systematic backup schedule is defined and executed at regular intervals, no less than once per year, to ensure adequate protection of critical data.
  • A Disaster Recovery Plan is developed to enable system restoration within defined timeframes, with the plan reviewed at least once annually.
  • A contingency operations plan is developed for situations where electronic systems are unavailable, to ensure the Company can continue operations despite technology disruptions.

These measures reflect the Company's commitment to protecting critical organizational and stakeholder data, and to maintaining Business Continuity in the event of cyber risks. The Company will continuously review and develop these practices to remain aligned with the evolving threat landscape and international information security standards.

Internal Communication for Awareness Building

The Company places strong emphasis on fostering a cybersecurity culture within the organization, with the goal of ensuring that employees at all levels recognize the importance of data protection and safe use of information technology. The Company conducts communications and training on IT-related laws, including the Computer Crime Act, to ensure employees comply with applicable requirements and reduce risks arising from inappropriate system use.

The Company has also developed information technology training courses on the corporate Intranet to provide employees with convenient access to learning. These courses enhance employees' understanding of cyber threat prevention, data responsibility, and safe IT practices. The Company is committed to promoting continuous learning to prepare personnel to address cyber risks and support long-term secure operations.

In fiscal year 2025, all new employees are required to complete an Information Technology in Practice training course, enabling them to learn, understand, and familiarize themselves with the organization's IT security policies and guidelines, as well as safe and efficient use of internal information systems such as the Intranet and Microsoft 365 — key tools for daily work. Participants may practice using the systems hands-on as part of the course to build understanding and operational confidence. The course objectives are:

  • To enable participants to use information systems correctly and safely.
  • To develop basic IT troubleshooting skills.
  • To promote collaboration between the IT department and operational users.
  • To prepare new employees or those assigned IT-related responsibilities.
  • To enhance work efficiency through appropriate use of information technology.

In an era where digital technology plays a central role in all organizational operations, Artificial Intelligence (AI) and Cybersecurity have become essential areas that all personnel must understand and apply correctly. While AI enhances work efficiency, data analysis, and decision support, it also enables cyber threats to evolve and become increasingly sophisticated. The greatest organizational risk is therefore not technology itself, but human behavior (Human Error). Building employee knowledge to enable safe AI use and effective cyber threat prevention is therefore essential for any organization seeking to reduce risk and strengthen data security. For this reason, the Company offers a Cybersecurity and Artificial Intelligence Awareness course, delivered via E-Learning on the corporate Intranet, to provide all employees with foundational knowledge of the opportunities and risks accompanying digital technology, build skills for data protection, promote ethical AI use, and foster a strong organizational security culture. The course objectives are:

  • To raise cybersecurity awareness, enabling employees to understand real organizational threats such as Phishing, Malware, Ransomware, Social Engineering, and risky user behaviors.
  • To enable employees to effectively protect themselves against cyber threats through safe practices including password management, Multi-Factor Authentication (MFA), link and email verification, data breach prevention, and incident reporting.
  • To provide employees with a foundational understanding of Artificial Intelligence (AI): what AI systems are, how they work, and how to use them correctly and safely.
  • To build employee awareness of AI-related risks, including data risks, privacy concerns, output accuracy, and appropriate AI use within the organizational context.
  • To promote effective AI use, enabling employees to leverage AI to enhance efficiency, reduce working time, and support decision-making within defined security parameters.
  • To elevate organizational security standards, reducing the likelihood of Cyber Attacks arising from Human Error and developing a "Human Firewall" within the organization.
  • To ensure employees understand the organization's Cybersecurity and AI policies and that all personnel comply with unified standards covering security, personal data protection (PDPA), and AI tool usage.

Personal Data Protection

The Company places great importance on protecting the personal data of all stakeholder groups, including customers, business partners, service providers, job applicants, employees, interns, visitors, directors, and investors, in compliance with the Personal Data Protection Act B.E. 2562 (PDPA), to appropriately protect the rights and privacy of data subjects. To ensure legal compliance, the Company has established a Personal Data Protection Policy providing guidelines for relevant departments and employees on the correct handling of personal data in accordance with the Company's business objectives. The policy covers the entire data lifecycle, from collection, storage, use, and disclosure through to systematic destruction of personal data, to prevent unauthorized access or misuse. To promote awareness of the potential impacts of personal data breaches, the Company has established Data Protection Measures to comprehensively protect data subjects, encompassing access controls, data security, monitoring, and breach incident management, to ensure transparent, accountable, and internationally compliant operations. These measures reflect the Company's commitment to ethical data management, maintaining stakeholder trust, and supporting long-term organizational sustainability.

To enhance internal operational efficiency and legal compliance, in fiscal year 2025, the Personal Data Protection Working Group required all new employees (100 percent) to complete a personal data protection orientation course. Departmental representatives (Change Agents) were also appointed to drive, monitor, advise, and provide guidance on personal data processing within their respective departments. A "PDPA Consent Management Workshop" was conducted to ensure departmental representatives understand the Personal Data Protection Act, consent management principles, and relevant requirements and exceptions.