ThaiBev has established a systematic approach to manage digital and technology governance that covers all departments, both domestically and internationally, in order to protect the organization from cyber threats and ensure compliance with cybersecurity regulations. This includes the establishment of the Digital and Technology Group and Digital and Technology Services Co., Ltd. who are responsible for strategic management as well as definition of operational frameworks according to international standards, such as ISO 27001. The focus is on cyber risk management as well as formulation of security policies. Accordingly, ThaiBev has set up Group Center, which is divided into three main management areas:

1. Commercial, Strategy and Governance Group
This group is responsible for defining technological framework to be consistent with the company’s business goals.

2. Technical Strategy and Architecture Group
This group sets guidelines for technology development and improvement, including structure and system design to achieve organizational goals.

3. Solution Design and Development Group
This group is tasked with establishing innovative technologies to meet user needs.

Commercial, Strategy and Governance Group has adopted the NIST Cybersecurity Framework, developed by the US National Institute of Standards and Technology, to prevent, detect, and respond to cyber threats at the highest level of effectiveness

In addition, ThaiBev realizes that the potential risk of personal data breaches, unauthorized use of information, or cyberattacks leading to legal actions, compensation claims, and significant damage to our reputation and customers’ and other stakeholders’ trust. Therefore, we carefully manage the personal data of all stakeholders with great care. In the event of a breach or cyberattack, a report will be reviewed based on the obligations of relevant departments, in accordance with established criteria, and published on ThaiBev’s website, which is in compliance with the Personal Data Protection Act (PDPA) and the company’s policies. This approach aims to prevent human rights violations, legal penalties, and damage to the organization’s reputation.

Heading into 2025, ThaiBev is preparing to address increasingly complex challenges, including the continuous evolution of cyber threats and regulatory requirements.

A strategic plan has been developed, focusing on technology and future trends, along with enhancing security infrastructure across all areas, particularly with regard to data security and privacy.

• Establish a Digital and Technology Policy Framework to ensure comprehensive governance of digital and information operations, supporting business goals, risk management, legal and regulatory compliance, and organizational performance measurement, in alignment with the company’s objectives and strategies.
• Develop an Artificial Intelligence (“AI”) Policy to guide IT team members and external service providers in AI projects. The aim of this policy is to enhance operational efficiency and reduce production costs by using AI to process data for production planning, supply chain management, and environmental considerations, while aligning with the company’s values and adhering to ethical and legal standards.

• Expand the scope of Operational Technology Network Cybersecurity Protection Systems to leverage real-time data analytics more effectively, aligning with the increased connectivity of Operational Technology (“OT”) networks to the internet. The focus will be on protecting control systems and networks from any form of cyberattacks.
• Develop a process to assess the cybersecurity resilience of business partners and suppliers to mitigate risks related to data leaks, cyberattacks, or security breaches that could impact the organization.
• Enhance cybersecurity measures through AI and machine learning to detect threats, analyze real-time data, and predict attacks from large datasets, while also reducing the workload of the cybersecurity teams.
• Develop cybersecurity systems to connect devices through networks or the Internet of Things, including firmware updates, data encryption, and monitoring systems to address potential threats.
• Continually develop automatic detection and response systems to improve the efficiency of threat response, by collecting data, monitoring, and executing rapid countermeasures. This approach will reduce the time spent on threat detection and management, enabling the organization to prevent severe attacks promptly.

Throughout 2024, the Cybersecurity Team has been implementing a wide range of initiatives, focusing on protecting and maintaining data privacy, as well as promoting training to ensure that all employees understand the importance of cybersecurity and actively collaborate to maintain the security of corporate data and systems.

ThaiBev has continuously expanded the scope of ISO/IEC 27001 certification, in order to systematically strengthen the confidentiality, integrity, and availability of important information assets in ThaiBev Group. The security system is continuously reviewed and improved to ensure comprehensive protection against cyber threats. This data center building uses energy-saving technology leveraging infrastructure and network services provided by STT Bangkok’s data center. The facility is certified to the world’s leading standard for information security management, ISO/IEC 27001:2022, to confirm that ThaiBev’s data and information infrastructure systems are protected against any cyber risk. The building has also earned the LEED Gold Award from the United States’ Green Building Council, a globally recognized rating system for promoting sustainable, eco-friendly buildings and communities.

ThaiBev uses the latest Zero Trust security strategy, treating every attempt to gain access to the network or IT infrastructure as a threat and not trusting anyone inside or outside the network unless their identity is verified through authentication. Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA) are used to provide stronger and more efficient authentication. ThaiBev conducts Vulnerability Testing to identify the system weaknesses or flaws that unauthorized parties might exploit. This proactive approach allows administrators to address vulnerabilities before a problem occurs.

• Vulnerability assessment has been conducted and vulnerabilities have been remediated.
• Vulnerability scanning: VA scan reports are provided to system/service owners.
• Remediation: At the completion of each vulnerability scan, system/service owners must review the vulnerability report and ensure that vulnerabilities are remediated.
• Risk-compensating controls shall be performed if applicable.

The purpose of the scan is to identify vulnerabilities in 561 IT assets. The audit results are presented using Tenable software.
The vulnerability scan revealed 109 unique vulnerabilities across 39 assets, categorized by critical, high, medium, and low severity levels, as shown in the table below.
ThaiBev conducts penetration testing by authorized cybersecurity experts to identify vulnerabilities in network systems, software, applications or devices. Pen testing enables us to strengthen any weaknesses and reduce the risk of unauthorized access or attacks. ThaiBev manages public-facing parts of its computer systems and networks to prevent unauthorized access. Tools like Security Scorecard help monitor risks and vulnerabilities in externally accessible systems and protect confidential user data from exposure. This approach provides a comprehensive view of all assets and potential vulnerabilities, facilitating quick remediation. ThaiBev develops the cybersecurity of its operational networks, especially critical systems like production line control and machinery management, with a focus on protecting control systems and networks from attacks, network segmentation, surveillance, and real-time monitoring of network activities in order to detect and respond to anomalies. This ensures the continuity of production operations. ThaiBev has adopted a robust cybersecurity strategy that not only identifies and addresses vulnerabilities but also continually strengthens our security posture against potential threats. Accordingly, we conduct ongoing external and internal audits of IT systems and networks on a regular basis to ensure that they have the highest level of security and resilience.

• Independent audits shall be performed at least annually to ensure that the organization addressesnonconformities with established policies, standards, processes, and compliance obligations.
• Audit plans shall focus on reviewing the effectiveness of security operations implementation.
• The internal audit results comply with the requirements of the ISO/IEC 27001:2022 standard.
• External Audit – Overall Conclusion:The overall management system has been effectively implemented and is properly operated to ensure the achievement of its intended outcomes and In the past year, it has been certified by BSI.

The objective is to bring additional value by keeping the services uninterrupted in the event of a disaster and to maintain the availability targets as agreed.

• Initiation Phase:Define the scope of the policy, allocate necessary resources, and establish the project and control structure.
• Requirements, Strategy, and Tactics:Business Impact Analysis (BIA), selection of continuity/recovery strategies, risk assessment, and risk treatment planning
• Implementation Phase:Develop the Service Continuity Plan (SCP) and implement the selected continuity and recovery strategies.
• Ongoing Operation and Testing:Education, awareness, and training; review, testing, and change control.

Maintain test records and conduct testing of the Service Continuity Plan at least twice a year to ensure its effectiveness and readiness.During the recent test, the Active Directory (AD) server was activated at the DR Site (STTGDC), and a Service Core Switch failure was simulated at The PARQ-QSR.
All staff involved demonstrated an understanding of the Business Continuity Plan (BCP), and testing results were documented.
Recommendations for improvement were identified to address any observed weaknesses and enhance the continuity response.
Maintaining personal data privacy is important both to engender trust and to comply with regulations. Last year, ThaiBev’s legal department developed a privacy manual for all affiliated companies, written in easy-to-understand language, which is available on the company’s internal website. ThaiBev’s Personal Data Privacy communication channels for stakeholder inquiries and complaints are well maintained, with conclusions reviewed by executive management in every case.
Information Security Incident Response Process – ensure a consistent and effective approach to managing and responding to information security incidents and events.

• Communication Strategy Information security events shall be reported , recorded and applicable legal, statutory, or regulatory compliance obligations.
• Criteria for Classifying High-Severity Information Security Incidents
• Monitoring of Reported Security Incidents
• Information Security Incident Response
• The testing process must be conducted at least once a year.
• Service Improvement Through Knowledge Gained from Information Security Incidents

Measurement and Reporting: Information security event reports must be responded to promptly

ThaiBev employs high-performance anti-virus and anti-malware systems which are updated regularly to cope with threats and attacks. This system efficiently prevents unauthorized access, detects and eliminates threats, reducing the risk of potential data loss or damage to critical data. ThaiBev enforces strict measures to prevent email threats by using Spam Filter and Anti-Phishing systems to screen for fraudulent emails. The system detects and blocks emails containing malicious links or attachments. ThaiBev has installed proactive surveillance systems and Web Application Firewall (WAF) to effectively detect and prevent cyberattacks. In addition, the systems and networks are regularly inspected by internal and external auditors to evaluate risks and continuously improve cybersecurity. Over the past year, ThaiBev has regularly conducted phishing simulations with employees to raise awareness and improve understanding of internet-based threats. The simulations aim to reduce the risk of employees falling victim to cyberattacks. ThaiBev enhances application-level cybersecurity through source code scanning tools to identify vulnerabilities before they reach our customers. This proactive approach helps to reduce the risk of cyberattacks and increase trust among users. As data loss prevention is essential for organizational data security, ThaiBev has implemented strict measures integrating antivirus tools and software features to prevent threats to employee, customer, and stakeholder data in order to strengthen confidence among stakeholders. ThaiBev organizes cybersecurity training for senior executives, designed to provide in-depth understanding of cyber threats and knowledge of preventive strategies. Over the past year, ThaiBev has expanded mandatory employee training programs to ensure a comprehensive understanding of cybersecurity practices and data privacy. All participants are required to pass with a score of at least 90%. This year, over 15,000 personnel have been trained. Digital communication enables employees to communicate and collaborate effectively even without internet connectivity. It also allows employees to access essential information accurately and securely. Digital skill assessments help employees understand and enhance their skills and encourage them to develop additional skills as needed.

Governance of data security, privacy, and risk management are key responsibilities in administering the expansion to other business units, particularly F&N, GRG, and SABECO. The objective is to implement a unified cybersecurity standard across these entities, which helps reduce the complexity and variety of processes, improve work efficiency, minimize errors, and facilitate smooth communication and collaboration among teams, as everyone adheres to the same standards. Over the past year, ThaiBev has organized international workshops to enhance knowledge and skills, adopting the NIST Cybersecurity Framework as the standard. The training focused on both cyber threat prevention and personal data management to strengthen cybersecurity across all organizations.