Data Security and Privacy
Cybersecurity helps protect against cyberattacks that could impact an organization’s operations, thereby affecting all its stakeholders. ThaiBev recognizes the importance of cybersecurity and personal data privacy and has included it as one of our ten corporate materiality issues since 2020.

Furthermore, the Cybersecurity Committee has been set up as a dedicated team to manage cybersecurity risks. The Chief of Digital and Technology (D&T), who holds an executive management position and acts as ThaiBev’s Chief Information and Security Officer (CI&SO), is responsible for managing potential risks to prevent direct and indirect effects on the company’s operations, including establishing information security rules that align with the organization’s strategic goals. In addition, he is in charge of overseeing the organization’s adherence to international cybersecurity and data privacy standards, including ISO 27001 and NIST standards, in order to maintain the highest possible degree of cybersecurity and data privacy protection.
Management Approach
A comprehensive framework and set of processes identify, assess, monitor, and manage cybersecurity risks within ThaiBev. Additionally, we deploy strategic planning, policies, procedures, and technological measures to protect the organization’s information assets from potential cyber threats. This framework also conforms to global standard guidelines such as ISO 27001 and the NIST Cybersecurity Framework, which offer cyber risk management best practices and principles to improve an organization’s security and facilitate efficient prevention, detection, and response to attacks, allowing firms to continue operating without any major obstructions.

Furthermore, ThaiBev is fully aware that personal information leakage, illicit use of information, or cyberattack incidents can result in legal sanctions, including compensation to the victims, as well as reputational damage and loss of confidence among stakeholders and customers. Thus, the personal data of all stakeholders must be managed with great care in compliance with the Personal Data Protection Act (PDPA) and company policies to avoid violations of human rights, legal penalties, and corporate reputation risk.
ThaiBev’s Cybersecurity Committee
ThaiBev’s cybersecurity governance structure begins with the CEO, who leads on the design of short- and long-term strategies for the Board of Directors. At the executive level, the Chief Information & Security Officer (CI&SO) and Data Protection Officer (DPO) are in charge of all assurance efforts relating to the availability, integrity, and confidentiality of customer, business partner, employee, and business information. To prevent IT system failures and serious cybersecurity events, processes with defined delegation of responsibility are in place.

The CEO-led Cybersecurity Committee was formed to supervise cybersecurity operations within ThaiBev and communicates on a regular basis with the Sustainability and Risk Management Committee (SRMC), since the company considers cybersecurity threats as one of its strategic risks.

The Cybersecurity Committee keeps an eye on cybersecurity threats and develops plans, strategies, and guidelines for managing those threats. It must abide by the risk management policy of the ThaiBev group, which is overseen by the SRMC. To guarantee that all cybersecurity occurrences are tracked, examined, and appropriately mitigated, the Cybersecurity Committee also periodically reports its performance and progress to the SRMC and the Board of Directors.

IT Security Policy
ThaiBev formulated its IT Security Policy in 2020 to define the direction, principles, and framework for IT security management, including proactively creating awareness among employees to comply with policies, operating procedures, and laws relating to information technology security.
Further details on the IT Security Policy
Personal Data Protection Policy
ThaiBev recognizes and respects privacy rights and makes every effort to protect the personal information of all ThaiBev employees and stakeholders including suppliers, consumers, and customers. In 2022, ThaiBev established its Personal Data Protection Policy to prevent improper use of personal information, and to ensure that its stakeholders’ data are properly managed and securely protected, in accordance with the personal information protection laws of the countries in which the group operates, as well as other relevant international standards.
Further details on Personal Data Protection Policy
ThaiBev Cybersecurity Roadmap towards 2025
  • Keep up with the latest trends in security protection technology, such as AI and machine learning, to further improve ThaiBev’s IT cybersecurity and personal data protection.
  • Continue to develop reliable Operational Technology (OT) Cybersecurity Protection Systems for critical infrastructure and the Industrial Control Systems in ThaiBev’s manufacturing plants and utilities by focusing on availability, data accuracy, integrity, and confidentiality to avoid disruptions to critical operations in the manufacturing sector.
  • Increase the cybersecurity protection capability of ThaiBev’s supply chain by evaluating and enhancing partners’ and suppliers’ cybersecurity standards.
  • Ensure that ThaiBev Group’s cybersecurity and personal data protection systems continue to comply with international and local standards and regulations with regular third-party certification.
  • Recognize “human-centric security” and the importance of human-factor risks in cybersecurity by investing in cybersecurity and personal data privacy training and awareness programs to educate employees on security best practices and potential threats, and reduce the risk of human error.
  • Protect and regularly assess Internet of Things (IoT) gadgets, and put effective security controls in place.
Targets
Description | 2023 Performance | Long-term Target (2025)
Information security breaches | 0 | 0
Total number of clients, customers, and employees affected by the breaches | 0 | 0
Achievements
  • 0% virus infected in 2023
  • Zero cases of personal data violation
Key Projects
Continuously working on cybersecurity is an essential process for organizations in an era when technology and the use of online networks play an important role in every aspect of business. Controlling and safeguarding cyber devices and data protects an organization’s confidentiality and security. It is also important to drive organizations’ cybersecurity awareness through training so that all employees understand the significance of cybersecurity and act together to secure the organization’s information and systems. Throughout the fiscal year 2023, the IT security working team has strengthened the security of ThaiBev’s entire IT systems and networks.
ISO 27001 Certification
ThaiBev has continuously expanded the scope of ISO/IEC 27001 certification, in order to systematically strengthen the confidentiality, integrity, and availability of important information assets in the ThaiBev Group.
Zero Trust with 2FA Architecture
ThaiBev uses the latest Zero Trust security strategy, treating every attempt to gain access to the network or IT infrastructure as a threat and not trusting anyone inside or outside the network unless their identity is verified through authentication. Two-factor authentication, or 2FA, is used to provide stronger and more efficient authentication.
Phishing Simulations
ThaiBev began putting its employees through phishing simulations on a regular basis in FY2023 in an effort to gauge and improve employees’ understanding of phishing threats.

This involves simulating realistic phishing scenarios to evaluate how well employees can identify and respond to phishing attempts. By regularly testing and training employees, ThaiBev is confident that it can significantly reduce the risk of falling victim to real-world phishing attacks.
Cybersecurity Protection and Data Privacy Training Program
In FY2023, ThaiBev implemented this mandatory staff training program as part of its proactive approach. The objective is to ensure that employees are well-versed in cybersecurity and data privacy best practices and are ready to manage and mitigate potential risks. Employees must pass an exam with a score of not less than 90% to be considered trained. In FY2023, ThaiBev reached 100% of its target group, with over 15,000 personnel newly trained in cybersecurity protection and data privacy.
Annual Risk Assessment with External Assurance and Verification
ThaiBev has adopted a robust cybersecurity strategy that not only identifies and addresses vulnerabilities but also continually strengthens its security posture against potential threats. Third-party vulnerability assessments of server systems and network equipment are one of the most effective approaches for identifying and correcting security flaws in network and application systems. ThaiBev further strengthens the protection process by routinely assessing risks with penetration testing, to find weaknesses in the corporate system’s accessibility. These regular assessments, combined with proactive remediation efforts, are essential components of a comprehensive cybersecurity program. Additionally, the organization conducts ongoing external and internal audits of IT systems and networks on a regular basis to ensure that they have the highest level of security and resilience.
Continuous Messaging, System, and Network Monitoring
ThaiBev has installed a proactive network surveillance system for its office buildings to ensure that all systems remain in continuous service, are secure, and that problems are detected before they affect users. In addition, the company regularly maintains and updates firmware for all devices in the network. The Web Application Firewall (WAF) is one of the effective new security technologies that we use to safeguard web applications from online threats and to prevent exploitation of vulnerabilities and attacks.
ThaiBev Personal Data Privacy Handbook
Protecting personal data privacy of stakeholders is crucial for maintaining trust and complying with privacy regulations. Accordingly, ThaiBev’s legal department in FY2023 prepared a handbook to help ensure that data privacy protection policies and regulations are consistently enforced across the business. Using language that is easy to understand, it allows readers to implement policies in the same way across the organization. The handbook is on an internal company website that is available to ThaiBev employees at any time.
Personal Data Privacy Escalation Process Monitoring
ThaiBev’s Personal Data Privacy communication channels for stakeholder inquiries and complaints are well maintained, with conclusions reviewed by executive management in every case.
FY2023 ThaiBev Personal Data Privacy

Type | Number | Percentage
Personal Data Violation | 0 | 0%
Personal Data Correction Request (Edit/Delete) | 822 | 88%
Not relevant to personal data | 111 | 12%
Summary | 933 | 100%
Green Cyber Security Technology
ThaiBev uses the infrastructure and networking services of STT Bangkok data center, which has received LEED Gold Certification from the U.S. Green Building Council. LEED certification is a globally recognized rating system for the design, construction, operation, and maintenance of green buildings and communities.