Information Security and Data Privacy

Risk Opportunity
Loss or leakage of the Company's and relevant stakeholders' personal and business information, whether caused by human error or cyber threats, has an unavoidable impact on system stability, the Company's reputation and image, and stakeholder confidence. If the information is used improperly, it can seriously harm the data owner and cause the Company to lose customers and business partners. Efficient management of personal and business information enables the Company to reduce the risk of legal and regulatory violations, increase transparency in management, enhance the organization's credibility, and instill confidence in stakeholders. This results in continuous confidence in working with the Company or selecting its products and services, making business operations sustainable and reliable in the long run. In addition, the Company will obtain in-depth data to improve and develop products and services to create future competitive opportunities.

Management Approach

The Company has established a Confidentiality Policy to ensure that directors, executives, and employees adhere to appropriate practices for safeguarding and using confidential information, particularly information that is sensitive to the Company or its stakeholders. In addition, the Company has implemented a Cybersecurity and Information Technology Policy and the Instructions on the Use of Computer and Network Systems to manage and ensure the secure use of computers, information, and network systems. The Company has also adopted a Personal Data Protection Policy aligned with international standards and legal requirements, such as the Cybersecurity Act and the Personal Data Protection Act (PDPA).

See more details about our Information Security and Data Privacy Policy.

The Company prioritizes the development of cybersecurity measures to protect the information of the Company and its key stakeholders, including employees, customers, business partners, suppliers, and contractors. Accordingly, the Company has established goals for cybersecurity operations and data security. These goals include implementing a data leakage prevention system across all business units (100%) and ensuring there are no complaints regarding personal data leakage.

The Company focuses on reducing the likelihood and impacts of incidents and cyber-attacks on its information technology system. A working group, chaired by Ms. Dendao Komolmas, Chief Financial Officer, has been set up to review the structural architecture of the security system and identify vulnerabilities in critical work systems, to ensure that sensitive components in every system are continuously monitored. The working group reports progress and key findings to the Risk Management Committee on a quarterly basis.

Regarding cybersecurity and information security, the Company has assigned the Information Technology Department responsibility for defining cybersecurity control measures and ensuring that cybersecurity risks are appropriately managed. This includes ongoing monitoring, cyber threat detection and response, providing guidance to business units and support functions on appropriate security management measures, and enhancing awareness of information technology security. Cybersecurity risks are reported to Mr. Satha Vanalabhpatana, Acting Chief Strategy Officer and Assistant to Chief Executive Officer, who is responsible for the enterprise risk management function, as well as to relevant committees, to support effective oversight and risk governance.

The Company mandates that data users strictly adhere to the policy and terms of use. To support compliance, it provides training on measures to manage and maintain the security of personal information. Additionally, the Company has raised awareness and fostered a fundamental understanding of information security and cyber threat trends among executives and employees. This training enables them to handle and use data safely, exercise caution, and prevent cyber-attacks. Security measures include using information technology systems that require password-protected access and regularly changing passwords within a specified period.

In addition, the Company places strong emphasis on corporate governance and internal control systems by maintaining regular monitoring and operational review processes to ensure that activities are conducted in strict compliance with established standards. At the same time, the Company seeks to reinforce confidence that its information is accessible only to personnel with a legitimate need and appropriate access rights based on their roles and responsibilities. Key control measures implemented include Privileged Account Management, the use of Two-Factor Authentication for critical systems, Mobile Device Management, and Backup and Disaster Recovery arrangements to support business continuity. The Company has also established clear approval procedures for user account management, together with regular and continuous reviews of access rights to information systems.

| Indicator | 2022 | 2023 | 2024 | 2025 |
|---|---|---|---|---|
| Number of incidents involving personal data breaches or stakeholder information leakage | 0 | 0 | 0 | 0 |
| - Customers | 0 | 0 | 0 | 0 |
| - Employees | 0 | 0 | 0 | 0 |
| - Suppliers | 0 | 0 | 0 | 0 |
| - Other stakeholders | 0 | 0 | 0 | 0 |
| Number of incidents involving the leakage of Company information or cyberattacks | 0 | 0 | 0 | 0 |

Start
Building the Future
with AMATA

Contact us for more details.

Thailand

(+66) 38 939 007

Vietnam

(+84) 251 3991 007 (South)
(+84) 203 3567 007 (North)

Myanmar

(+95) 1 230 5627

Laos

(+856) 21 810007
(+856) 20 5710007 (Chinese)
(+856) 20 57550007 (English)