Cybersecurity
In the current context of increasingly complex and severe cyber threats, the Company recognizes the risks posed by significant cyberattacks such as ransomware, phishing, and data breaches, as well as threats arising from the misuse of artificial intelligence (AI) to generate fraudulent emails, messages, or voice recordings for deceptive purposes. The Company acknowledges the risks associated with insufficient technological knowledge and the inappropriate use of digital tools by employees, which may unintentionally result in the disclosure of sensitive Company data on external platforms and lead to business damage.
The Company places significant importance on data and information security management to prevent adverse impacts on business operations and stakeholders, maintain customer trust, and ensure compliance with applicable laws and regulations. The Company has implemented cybersecurity controls and security technologies to protect sensitive information from unauthorized access, use, and disclosure, and to mitigate the risk of operational disruption from cyber incidents. In addition, the Company has established a personal data protection policy to ensure that the personal data of employees, customers, and other stakeholders are managed in accordance with applicable data protection laws and standards.
The Company has also established cybersecurity governance guidelines with the goal of zero customer data breaches resulting from cyberattacks. Furthermore, the Company promotes cybersecurity and data protection awareness among employees at all levels to strengthen the prevention, detection, and response to emerging cyber threats.

Policies and Management Approach
Cybersecurity
Investments in alignment with corporate strategy, regulatory requirements, and the Company’s information technology risk management framework. The Committee also defines roles and responsibilities for information security management and appoints a working team to oversee and manage the Company’s information security.
The Company has established an Information Security Policy to ensure that its information systems and data assets are appropriately protected, covering the three fundamental principles, which are Confidentiality, Integrity, and Availability (CIA), to effectively and continuously support business operations in compliance with applicable laws and standards.
The Company regularly reviews and updates its Information Security Policy and related practices to ensure compliance with the international standard ISO/IEC 27001:2022, as well as applicable laws, including the Computer Crime Act B.E. 2560 (2017) and the Personal Data Protection Act. Executives, employees, and relevant departments are required to strictly comply with these policies and procedures.
The Company’s Information Security Policy encompasses all aspects of information security management, including but not limited to:
- Information security management
- Cybersecurity risk assessment
- Securing mobile computing devices and remote operations
- Cloud computing systems
- Information asset management
- Access control, authentication, and data encryption
- Physical and environmental security
- IT operations and infrastructure security
- Information security in human resource management
- Data communication, procurement, system development, and maintenance
- Information security incident management
This approach enables the Company to mitigate cyberattack risks, prevent data breaches, system disruptions, and potential damage to business operations, while strengthening the confidence of customers, suppliers, and stakeholders in the Company's sustainable management of information technology.
Personal Data Protection
The Company established a personal data protection policy to protect corporate data and personal data of suppliers and stakeholders. The Company recognizes the significance of personal data protection, which can affect business operations, reflect the Company's credibility, and support crucial fundamental human rights. The Company is committed to responsible data management and complies with the Personal Data Protection Act 2019 (PDPA) to ensure security and privacy in its operations.
Employees and departments handling personal data must prioritize and take responsibility for its collection, use, and management in strict compliance with the Company's personal data protection policy and the Personal Data Protection Act. The Company aims to prevent customer data breaches. In addition, measures to protect personal data are in place, including reviewing and evaluating the effectiveness of those measures and the process for managing a personal data breach. In the event of a personal data breach, the Data Protection Officer will notify the Office of the Personal Data Commissioner within 72 hours of becoming aware of the incident, unless the breach poses no risk to the rights and freedoms of the data owner. If the data breach significantly affects the rights and freedoms of the data owner, the Company will promptly inform the data owner and provide remedial measures without excessive questioning.
Additionally, the Company established guidelines for maintaining customer confidentiality in the Code of Conduct and Code of Ethics, which employees are strictly required to follow. Disciplinary measures have been implemented to prevent the misuse of confidential information for personal gain and to ensure that customer confidentiality is maintained strictly in line with the Company's established objectives.
Cyber Threat Management
The Company established a process for managing and responding to cyber threats in order to prevent and mitigate attacks and to restore systems after an attack occurs. This includes establishing inspection and incident reporting procedures, analyzing root causes, and resolving issues to ensure business continuity. The cyber threat management and response framework is as follows:
Cyberthreat Management and Response Framework

Performance
- Enhancing the Information Security Management System to Meet International Standards
In 2025, the Company developed and enhanced its Information Security Management System (ISMS) and obtained certification under ISO/IEC 27001:2022, the international standard for information security management. The certification scope covers the Company’s IT infrastructure. The Company has also implemented data recovery testing and established a Disaster Recovery Plan (DR Plan) to ensure business continuity in the event of unforeseen incidents or disasters. These measures aim to provide confidence to customers and stakeholders that the Company’s critical data and information systems are securely protected and prepared for any potential disruptions. The Company also promotes cybersecurity awareness and ensures compliance with the Personal Data Protection Act.
- Information Security Management Structure
To ensure effective operations, the IT Committee assigned the Chief Executive Officer (CEO) to appoint an Information Security Executive, an Information Security Management System Working Team, and an Audit Team in accordance with the Information Security Management System standard (ISO/IEC 27001:2022). The roles and responsibilities under the ISMS were clearly defined, including the establishment of risk assessment methodologies, risk acceptance criteria, and a defined risk appetite. These responsibilities include reviewing information security risk assessment results, monitoring and evaluating ISMS performance, providing necessary resources, and issuing direction to ensure the effective implementation of information security controls and plans within the established framework.
Organizational Chart of the Information Security Management System Committee (ISMS Management Committee)

In regard to the auditing and evaluation of the Information Security Management System (ISMS), the Company has established a two-level audit structure as follows:
- Internal Audit: The Company has appointed an ISMS Internal Audit Team responsible for reviewing processes and conducting internal audits of the ISMS according to the set schedule or as directed by executives or their designated representative. The Internal Audit Team reports audit findings to the executive committee or its representative and to the audited parties. This includes following up on corrective and preventive actions arising from internal audit findings to prevent recurrence of identified issues.
- External Audit: The Company undergoes external audits conducted by a certified auditor in accordance with ISO/IEC 27001:2022. Audits are conducted annually, and certification is subject to renewal every three years.
- Plan to Enhance Governance of Artificial Intelligence Applications
Currently, the Company utilizes artificial intelligence (AI) systems to enhance the efficiency of its IT operations and data security. In 2025, the Company recognized the increasing significance of information technology and AI governance in business operations. Accordingly, the Company incorporated a plan to strengthen AI governance into the Company’s governance plan under the JUMP+ project of the Stock Exchange of Thailand. The key actions and implementation plans are as follows:
- Define roles and revise the charter of the Information Technology Committee to expand its oversight to cover information technology and cybersecurity management, as well as the governance of artificial intelligence (AI).
- Define roles and revise the charter of the Corporate Governance and Sustainability Committee to include responsibility for overseeing appropriate policies and practices, as well as monitoring and evaluation related to the use of artificial intelligence (AI) within the organization.
- Establish clear policies, guidelines, and designated responsible parties for the implementation of AI within the organization, including mechanisms for monitoring and reporting on the responsible use of artificial intelligence, with targeted implementation by 2028.
- Provide training and communication on AI governance and implement monitoring and reporting mechanisms to ensure the responsible use of artificial intelligence.
- Employee Cybersecurity Awareness
The Company conducted a PDPA & Cybersecurity Awareness training program for employees, which included post-training assessments to evaluate knowledge of personal data protection and cybersecurity. Employees who completed the training and passed the assessment in accordance with the Company’s criteria represented 82% of all employees who use the Company’s information technology systems and have significant responsibilities related to cybersecurity and personal data protection, exceeding the Company’s target of 80%.
The Company has set a target to provide cybersecurity and personal data protection training to all employees by 2027. In addition, a refresher training program will be conducted on an ongoing basis for employees who have already completed the program.

Risk Management Measures

As a result of these measures, in 2025, there were no incidents of personal data breaches or leaks, and no cyberattacks that had a significant impact on the Company’s internal operations were identified.
KCG Sustainability Performance Data 2025 - Governance and Economic Performance