Mitr Phol Group Sustainability


Key stakeholders: shareholders / customers and consumers / government and civil society sectors

In the digital era, where data and technology are integral to business operations, creating added value and enhancing efficiency, robust cybersecurity and data protection are essential for sustainable growth. These measures not only enable responsible and effective use of data but also promote cybersecurity. Furthermore, they help build trust among customers and stakeholders, a key factor in strengthening the Company’s competitiveness. However, while technology can significantly support operations, it must be implemented with caution and due diligence, as it may expose the business to risks if cybersecurity is not properly managed.

2024 Target and Performance

Item | Target | Performance
Timeframe for responding to a cybersecurity breach | Within 4 hours | No cybersecurity breaches
Evaluate cybersecurity awareness using the Phishing Simulation Test | 2 times per year | 2 times
Conduct a cyber drill simulation with the operations team to prepare for cybersecurity incidents | 1 time per year | 1 time
Conduct cybersecurity tabletop exercises with relevant units to prepare for cybersecurity incidents | 1 time per year | 1 time

Management Approach

Cybersecurity Management Structure

Recognizing that information and cybersecurity are critical to business operations, the Board of Directors has assigned the Digital Transformation and Cybersecurity Committee to work in collaboration with the Risk Management Committee and the Audit Committee. The Executive Committee is responsible for translating policies into practice. The Company has appointed a Data Protection Officer (DPO) and a Chief Information Security Officer (CISO) to work directly under the Digital and Technology Transformation Group, which is responsible for overseeing information technology, cybersecurity, and data protection. The roles and responsibilities of each position are as follows:

The Risk Management Committee

plays a key role in establishing risk management policies, objectives, and guidelines, as well as supporting, monitoring, and evaluating performance, and providing recommendations for effective risk management. This helps Mitr Phol Group to achieve its business goals and maximize benefits for its stakeholders. Key risks related to IT, cybersecurity, and information security are closely monitored by the Risk Management Committee.

The Digital Transformation and Cybersecurity Committee

has the duty to define policies on IT, cybersecurity, and information security, as well as oversee and support the implementation of these policies across all business units within the Mitr Phol Group.

The Audit Committee

independently reviews the Company’s operations, ensuring that risk management and internal controls align with best practices and comply with relevant laws, rules, and regulations. The committee closely monitors and oversees risk management and controls related to IT, cybersecurity, and information security as part of its audit cycle. Moreover, the Company has an Audit Office that reports directly to the Audit Committee. This internal audit function is responsible for monitoring and auditing operations of departments related to cybersecurity and personal data management. Its objective is to ensure that the relevant departments operate correctly, comprehensively, and in compliance with the Company’s policies.

The Chief Information Security Officer (CISO)

a role held by the Executive Vice President of Digital and Technology Transformation, is responsible for translating the Digital Transformation and Cybersecurity Committee’s policies into IT strategies and for managing digital and technology operations across all units within the Digital and Technology Transformation Group. These operations, encompassing digital transformation, systems and business solutions development, IT infrastructure, IT security, cybersecurity, and information security, ensure that business units receive the support they need to achieve the Company’s goals. Performance is reported to the Digital Transformation and Cybersecurity Committee.

The Data Protection Officer (DPO)

is responsible for providing advice, reviewing operations, and supporting all business units within Mitr Phol Group to ensure compliance with personal data protection laws. This includes establishing security measures to safeguard personal data in accordance with legal requirements and in alignment with international standards.

The Enterprise Security Management Unit and the Enterprise Infrastructure Solutions Unit, under the Digital and Technology Transformation Group

are responsible for technology systems, information systems, and information (including personal data) within the Mitr Phol Group, ensuring security and maintaining confidentiality, integrity, and availability. These units conduct risk assessments, implement IT, cybersecurity, and information security controls, and manage risks to keep them within acceptable levels for the Company. They also monitor anomalous situations and promptly address them to minimize damage and restore normal operations. Moreover, the units promote awareness among Mitr Phol Group employees, external service providers, and involved agencies.

Risk Management Framework for Cyber Threats and Information Security

Mitr Phol has established the Information Technology Policy, Cybersecurity Policy, Personal Data Protection Policy, Data Governance Policy, and AI Governance Policy, which are enforced and observed throughout the Mitr Phol Group. The Company has also established a risk management framework for digital technology and data security to achieve the following key objectives.

Catalyst Strategy 2027

Aspiring to achieve a sustainable digital transformation while creating measurable impact and driving long-term organizational success, Mitr Phol has established a robust digital management strategy built on the 3C Pillars and 7 Strategic Parts.

Effective Risk Management

Mitr Phol aligns its organizational structure with the 3 Lines of Defense model to ensure proper checks and balances. The 3 Lines of Defense comprise:

Strengthening Cybersecurity Measures and Fostering a Cybersecurity Corporate Culture

Mitr Phol Group places strong importance on developing comprehensive cybersecurity measures, focusing on three key domains: People, Process, and Technology. This approach aims to mitigate risks related to cybersecurity and personal data protection and to effectively respond to cyber threats across all domains, as outlined below:

People Domain

The Company has empowered employees at all levels and raised cybersecurity awareness through training programs delivered across various platforms, ensuring comprehensive and accessible learning for all employee groups. The aim is to prepare employees for the rapidly evolving landscape of cyber threats. The following activities were implemented:

Process Domain

The Company enhances its processes to meet standards and improve efficiency, ensuring systematic risk management and response to cyber incidents through the following activities.

Technology Domain

Advanced, high-efficiency technologies were implemented to enhance cybersecurity and prevent cyber threats through the following activities.

Due to the continuous enhancement of cybersecurity practices and the cultivation of a strong cybersecurity culture, no data security breaches were reported in 2024, and no incidents affected the personal data of any stakeholder group. Nevertheless, all stakeholders are encouraged to report any unusual or suspected cyber incidents through the contact channels provided.

All reports of cyber incidents, identified vulnerabilities, or suspicious activities are recorded in the Incident Management System and handled in accordance with the Cybersecurity and Privacy Incident Response Procedure. Upon resolution, follow-up reports and post-incident reviews are conducted to strengthen preventive measures and reinforce stakeholder confidence that Mitr Phol’s cyber risk management is effective, resilient, and aligned with good corporate governance standards.

Cyber Drill Simulation

Mitr Phol conducted a Cyber Drill Simulation to assess the IT team’s readiness in responding to potential cybersecurity incidents. The simulation involved realistic cyber threat scenarios, with the team responding in accordance with the Cybersecurity and Privacy Incident Response Procedure and the Business Continuity Plan (BCP). This exercise marked a significant step in strengthening the team’s confidence and professionalism in managing future cyber threats, while also reinforcing a strong cybersecurity culture across the organization.

Related Policy and Statements

Cybersecurity Policy

Personal Data Protection Policy

Data Governance Policy

AI Governance Policy
