The Company is committed to the responsible use of digital technologies, strengthening cybersecurity and data protection to drive its business in a transparent and sustainable manner.

Key Stakeholders Affected

Customers
Employees
Business Partners
Shareholders / Institutional Investors
Government Agencies

Impact on Stakeholders

Data security, which is the core of information technology security systems, covers all types of information, including data of general and member customers, financial transaction data, sales data, warehouse management data, information of business partners, as well as employees’ personal data. All of these are stored within information technology systems. If such information were disclosed to the public, it would cause significant damage to the Company. For example, misuse of this information for personal or illicit gain could adversely affect stakeholders, including shareholders, investors, the Board of Directors, management, and business partners.

Impact on the Business

The development and adoption of technology in business operations vary across organizations worldwide, depending on their context, readiness, and contributing factors, as well as economic and social conditions, government policies, laws, regulations, and compliance requirements. While technology is used for constructive purposes, it can also be exploited for fraudulent activities, phishing attacks, damage to reputation and credibility, and ransom demands through ransomware attacks. These threats not only result in financial losses but also lead to the loss of resources in all dimensions, both tangible and intangible. For instance, if an incident occurs, the Company’s long-established reputation and the trust of its customers may be severely undermined.

Performance Against Targets

Cases of cyberattacks that have a significant impact on business operations.

Performance 2025: 0
Target 2025: 0
Target 2027: 0

Note: The percentage of cyberattacks that have a significant impact on business operations refers to incidents that result in significant impacts on business operations, including financial impacts (profit) and high-level non-financial impacts (reputation or corporate image), and are cyberattacks that the Company is unable to prevent.

Management Approach

Information Security and Cybersecurity Governance Structure

The Company has a clear governance structure, with defined roles and responsibilities for each committee in overseeing and managing information and information technology in a systematic manner. An executive directly responsible for this area has been appointed, namely the Chief Information Officer (CIO), whose role is to define strategy, manage, and control technology operations in alignment with the Company’s objectives. Information security governance is structured into three levels: the governance level, the management level, and the operational level.

Information Security and Cybersecurity Management Framework and Processes

At present, PTG Energy Public Company Limited has established information technology policies that are aligned with the regulations of relevant corporate governance authorities, Thai laws, and international standards, with reference to ISO/IEC 27001. These policies are regularly reviewed and assured by internal audit functions and external audit firms in accordance with international standards. In addition, the Company has established information technology security policies and guidelines as an integral part of its IT policy framework, to ensure that employees and relevant stakeholders recognize the importance of information system security and clearly understand their roles, responsibilities, and operational guidelines for controlling potential risks. The Company consistently implements, monitors, controls, and oversees IT security in compliance with these policies, such as through penetration testing, among other measures.

Moreover, information and cybersecurity processes and infrastructure are a critical foundation for business operations in the digital era. Organizations must have systems that are secure, resilient, and capable of continuously adapting to technological change. Effective management covers the entire lifecycle, from system architecture design, data management, access control, and data backup, to systematic monitoring and response to cyber threats. These measures ensure business continuity while reducing the risks of system disruptions and data breaches.

The Company has established structured guidelines and processes for information security and cybersecurity management, encompassing prevention, detection, and response to risks, in order to protect data and information systems and ensure compliance with relevant standards. In addition, the Company regularly conducts cyber drills in a tabletop exercise format to review and reinforce cyber threat management procedures among relevant employees.

Cybersecurity Safeguards and Cyber Threat Response Measures

The Company places great importance on protecting its information systems and organizational data, including the personal data of stakeholders, through the following measures:

  • Information Security Policies and Guidelines: Establishes guidelines for the secure use of information systems in compliance with applicable laws.
  • Risk Management and Governance: Integrates cyber risks into the enterprise risk management process, with designated committees or executives responsible for cybersecurity oversight.
  • System Controls and Monitoring: Implements technical measures such as data encryption, access control restrictions, and regular system monitoring and audits.
  • Employee Awareness and Capability Development: Provides cybersecurity awareness training and enhances cybersecurity skills for employees at all levels.
  • Cyber Incident Response Plan: Establishes clear procedures for responding to cyber incidents to mitigate impacts and prevent recurrence.

Emergency Drills and Business Continuity Management

PTG Energy Public Company Limited requires testing of the Business Continuity Plan (BCP) at least once a year. In 2025, the Company conducted BCP testing with relevant functions, including the Information Technology Department, Operations, Sales, Accounting and Finance, and its subsidiaries. The test scenario involved a cyberattack from external sources on the core system servers at the head office, resulting in the unavailability of the primary systems. In the event that the core systems could not be used, the relevant functions implemented the Business Continuity Plan, while the Information Technology Department executed the IT Disaster Recovery Plan. The Company places emphasis on expanding the scope of such tests to cover additional critical systems.

Based on the test results, the Information Technology Department successfully resolved the cyberattack on the servers in accordance with established procedures. The data were fully recovered and verified to be accurate and complete, and all departments were able to resume normal operations.

Information Security Assessment & Testing

The Company regularly conducts information security assessments and testing to identify vulnerabilities, assess risks, and enhance system security in alignment with relevant standards and best practices. The key approaches include:

  • Risk Assessment: Continuously assess vulnerabilities and risks within IT systems and the organization’s critical data to identify weaknesses and prioritize appropriate preventive measures.
  • Security Testing/Penetration Testing: Conduct penetration testing and security control testing to detect potential system vulnerabilities.
  • Monitoring & Audit: Monitor operations and assessment results to ensure that information security measures can effectively protect against emerging threats.
  • Continuous Improvement: Apply assessment and testing outcomes to improve control measures and operational processes in line with international standards, such as ISO/IEC 27001.

Building an Organizational Culture and Cybersecurity Awareness

The Company places strong emphasis on communicating policies, roles, duties, and responsibilities related to information technology security to all relevant parties, from management to employees. This communication is conducted continuously and covers both new employees and existing staff, under the coordination of the Information Technology Department. The objective is to ensure that all employees are aware, jointly vigilant, and well informed about appropriate actions to take when encountering potential cybersecurity risks, as follows:

Communication types and descriptions:

Phishing Email Test: The Company conducted IT security awareness tests among its employees and affiliated companies. In 2025, phishing email simulations were carried out, focusing on employees within the Company and its subsidiaries, with testing conducted annually.

IT security training for employees across the Group: The Company organized internal information technology security awareness training for employees of PTG Energy Public Company Limited and its subsidiaries in an online format, with a total of 752 employees participating. The training aimed to enhance employees’ awareness of cybersecurity risks and to strengthen their role as a key line of defence in protecting the organization against cyber threats.

Infographics: In addition, the Company regularly disseminated information and updates to raise cybersecurity awareness among employees of PTG Energy Public Company Limited and its subsidiaries through internal communication channels. Employees’ knowledge and understanding were also assessed through phishing simulation tests.

PTG Technology Day: The Company also organized the “PTG Technology Day” seminar, featuring knowledge-sharing sessions by leading speakers on “Technology Updates and Cybersecurity Awareness,” as well as exhibition booths presented by leading service providers. The event was held to update employees on technology trends and enhance cybersecurity awareness. In 2025, the seminar was organized twice, with a total of 550 participants.

PTG Technology Day 2025

Personal Data Protection

In 2025, the Company reviewed and updated its Privacy Notice, Personal Data Protection Policy (Privacy Policy), and other related personal data governance documents to ensure alignment with the continually evolving personal data protection landscape. The Company also strengthened data security measures to prevent, control, monitor, and mitigate risks that may affect personal data. In addition, the Company established clear procedures for handling personal data breach incidents, including incident response and appropriate notification to relevant parties. The Company promotes employee awareness of data subject rights, confidentiality measures, and strict compliance with personal data protection laws. Regular training programs are conducted, along with independent monitoring and audits to assess the effectiveness of internal controls and risk management. Relevant departments are required to implement improvements based on recommendations and report progress to the appropriate committees on a quarterly basis.

The Company continues to implement its personal data risk management and communication plans consistently. Over the past year, no incidents of personal data breaches or leakage were identified, reflecting the effectiveness of the Company’s governance framework. The Company will continue to monitor and enhance personal data protection measures on an ongoing basis to ensure effective data protection and compliance with applicable laws.

Actions in the Event of a Personal Data Breach

The Company has established a systematic approach for managing data leakage incidents and personal data breaches, which is divided into three phases.

Phase 1: When a data leakage incident occurs or when there is reasonable suspicion of such an incident, employees must immediately report it to the Personal Data Protection Office within 24 hours.

Phase 2: The Personal Data Protection Office will promptly assess the incident. If it is determined to constitute a personal data breach under the law, the Office will report the incident to the Personal Data Protection Committee Office within 72 hours, while simultaneously implementing control measures to mitigate and minimize potential damage.

Phase 3: The Personal Data Protection Office will document the incident and coordinate with the Legal function and the Information Technology team to establish long-term preventive measures.

In addition, the Personal Data Protection Office regularly communicates guidelines and procedures for handling data leakage incidents to employees on an annual basis, to ensure that all employees have the necessary knowledge, understanding, and ability to comply correctly with these procedures.

Promotion and Awareness Building on Personal Data Protection

PDPA management training is provided to the Board of Directors, executives, and representatives from each business unit.

The Company places great importance on enhancing knowledge, understanding, and awareness of personal data protection (PDPA) among executives and employees at all levels. PDPA awareness is provided to all new employees as part of the orientation process. In addition, PDPA Management training has been organized for the Board of Directors, executives, and representatives from each business unit.

Observe PDPA

The Company regularly reviews and audits personal data protection practices at branches and retail outlets within the Group on a quarterly basis, conducting one review per quarter with two branches each time. This is to assess compliance with applicable laws and established guidelines, while also providing continuous guidance and recommendations to employees. Such activities help enhance employees’ awareness of personal data protection and support sustainable business operations in compliance with legal requirements and good practices.

Development and Dissemination of PDPA Awareness Materials within the Organization

The Company has continuously developed and disseminated internal communication materials on personal data protection (PDPA) to enhance employees’ knowledge, understanding, and awareness, enabling them to collect, use, disclose, and dispose of personal data correctly in accordance with the law and the Group’s regulations. The materials cover key topics such as membership registration for Max Card holders aged 13 and above, guidelines for safeguarding customers’ personal data, response measures in the event of data breaches, disciplinary practices in cases of PDPA violations, news and case studies on law enforcement, and the application of PDPA principles in digital marketing with respect for customer rights. These materials are distributed on a weekly basis to support employees in appropriately applying this knowledge in their day-to-day operations.