Cybersecurity

The Company is aware of the importance of data security in maintaining customer trust and ensuring alignment with regulations. It uses cybersecurity measures and tools to protect sensitive information from unauthorized access and to prevent business disruption resulting from undesirable network activities. The Company established a personal data protection policy to ensure that the personal data of employees, customers, and other stakeholders is appropriately protected under international laws and standards. The Company has established cybersecurity guidelines to safeguard its business operations and stakeholders. The goal is to achieve zero customer data breaches due to cyberattacks and to enhance awareness among all employees about the importance of cybersecurity and personal data protection.

Target and Performance of Cybersecurity
There were no incidents of personal data breaches or leaks in 2024, nor any cyberattacks that disrupted the Company’s internal operations. To increase awareness of cyber threats and ensure compliance with the Personal Data Protection Act, the Company conducted training sessions on PDPA and Cybersecurity Awareness for employee representatives, covering 10% of the total number of employees. Representatives in this first group are selected from departments that IT has identified as having critical responsibilities for personal data protection and cybersecurity. The Company remains committed to extending cybersecurity and personal data protection training to all employees by 2027.

Cybersecurity Management Policy

The Company has established an information security policy to ensure that its information technology systems are managed and controlled in a secure and appropriate manner, encompassing confidentiality, accuracy, integrity, and availability, allowing for business continuity and efficiency. The Company’s Information Security Policy complies with international standards such as ISO/IEC 27001:2022 and the Computer Crime Act 2017. All departments and employees are required to adhere to the policy in all of the following aspects:

  • Information security management
  • Securing mobile computing devices and remote operations
  • Cloud computing systems
  • Asset management
  • Access control and encryption
  • Physical and environmental security
  • Security for operations
  • Data communication, procurement, system development, and maintenance
  • Security incident management

Furthermore, the Company uses artificial intelligence (AI) systems to improve operational efficiency while maintaining data security. The policy also specifies the penalties for any violations of the established policy.

Cyber Threat Management

The Company established a process for managing and responding to cyber threats in order to prevent and mitigate attacks and to restore systems after an attack occurs. This includes establishing inspection and incident reporting, analyzing causes, and resolving issues to ensure business continuity. The management framework and response to cyber threats are as follows:

[Figure: Cyberthreat]

Personal Data Protection

The Company established a personal data protection policy to protect the Company’s data and the personal data of suppliers and stakeholders. The Company recognizes the significance of personal data protection, which can affect business operations, reflect the Company’s credibility, and support crucial fundamental human rights. The Company is committed to responsible data management and complies with the Personal Data Protection Act 2019 (PDPA) to ensure security and privacy in its operations.

Employees and departments handling personal data must prioritize and take responsibility for its collection, use, and management in strict compliance with the Company’s personal data protection policy and the Personal Data Protection Act. The Company aims to prevent customer data breaches. In addition, measures to protect personal data are in place, including reviewing and evaluating the effectiveness of the measures and the process for managing a personal data breach. In the event of a personal data breach, the Data Protection Officer will notify the Office of the Personal Data Commissioner within 72 hours of becoming aware of the incident unless the breach poses no risk to the rights and freedoms of the data owner. If the data breach significantly affects those rights and freedoms, the Company will promptly inform the data owner and provide remedial measures without excessive questioning.

Additionally, the Company established guidelines for maintaining customer confidentiality in the Code of Conduct and Code of Ethics, which employees are required to strictly follow. Disciplinary measures have been implemented to prevent the misuse of confidential information for personal gain and to ensure that customer confidentiality is maintained strictly in line with the Company’s established objectives.
