The Group places strong emphasis on establishing comprehensive information technology security policies to ensure robust information security, alongside the protection of personal data in compliance with the PDPA, and systematic data management practices.
Proactive preventive measures are implemented, including need-to-know-based access controls, together with the establishment of Responsible AI principles under human oversight and Board of Directors supervision, as well as the continuous enhancement of data standards and quality — all in support of operations that are secure, transparent, and sustainable.
| Topic | Nature of Risk | Risk Management Approach |
|---|---|---|
| Cybersecurity | Risks arising from cyber threats that may affect the organization’s systems and data | Establishment of an enterprise-wide information security policy, implementation of proactive preventive measures, and systematic cyber incident management |
| Personal Data Protection | Risks from inappropriate access, use, or disclosure of personal data | Compliance with PDPA, establishment of a data governance framework, and access control based on the principle of necessity |
| Responsible Use of Technology | Risks from the use of technology or AI without appropriate oversight | Establishment of Responsible AI principles, human oversight, use of certified systems only, and oversight by the Board of Directors |
| Data and Technology Governance | Risks arising from misalignment of data and technology practices | Development of an enterprise-wide data governance framework, establishment of data standards, and continuous improvement of data quality |
