ThaiBev Sustainability

ThaiBev’s Sustainability 2025

Home / Governance & Economic

Data Security and Privacy

In today’s digital era, ThaiBev recognizes the critical importance of information security and privacy protection for all stakeholders, covering both personal data and essential organizational information. Safeguarding this data not only upholds high security standards but also builds trust and confidence among customers, partners, and communities, forming the basis for sustainable business growth in a rapidly evolving digital landscape.

In 2025, ThaiBev continued to strengthen our approach to information security and data privacy management, bolstering key initiatives that strengthen security across all levels—from governance and policy to operations—in alignment with international standards and our ESG goals. ThaiBev created continuous improvements that demonstrate our commitment to maintaining data confidentiality, integrity, and availability, while advancing innovation and resilience to meet stakeholders’ evolving expectations.

Management Approach

ThaiBev has established a comprehensive cybersecurity governance and risk management framework, which includes the formation of a Cybersecurity Committee chaired and supervised by the Group CEO. The Committee is responsible for monitoring cybersecurity risks, setting policies and objectives, and overseeing task forces that ensure effective management across the Group.

Information Security Governance

ThaiBev’s Cybersecurity Committee, which includes members of the Board of Directors—one of whom is the Group CEO, Board of Directors and Cybersecurity Committee—holds responsibility for overseeing information security issues. The Committee monitors cybersecurity risks at the organizational level to ensure that cyber threats are properly assessed, analyzed, and addressed.

Thapana Sirivadhanabhakdi has served as Director and Group CEO of ThaiBev since 2003. He is an active member of both the Sustainability and Risk Management Committee and the Cybersecurity Committee. As Group CEO and Board member, Thapana brings extensive knowledge and strategic insight in cybersecurity. He plays a critical role in shaping ThaiBev’s short- and long-term cybersecurity strategies, ensuring they align with business objectives and enhance organizational resilience against evolving cyber threats. Thapana possesses extensive experience in cybersecurity, having worked in various roles. He serves on the ThaiBev Cybersecurity Committee, overseeing the implementation of effective defenses against cyber attacks to safeguard organizations.

Additionally, he led the ThaiBev Group SAP implementation team from 2007 to 2008, designing secure work processes and earning ISO/IEC 27001 certification for the IT security module, and driving digital transformation initiatives such as the Accounting Shared Services Center and the Digital & Technology Capability Center. Since 2021, Thapana has also served as Chairman of TCC Technology Co., Ltd., a leading provider of IT security and technology solutions in the region. Additionally, he is a member of the Board of Trustees of CMKL University, a collaborative institution between Carnegie Mellon University and KMITL, globally recognized for its research and education in advanced cybersecurity and digital technologies.

The company has appointed a Chief Information & Security Officer (CISO) and a Data Protection Officer (DPO) to manage and operationalize information security, ensuring the Availability, Integrity, and Confidentiality of data related to customers, partners, employees, and internal departments.

Additionally, ThaiBev has established clear cyber risk management processes and assigned responsibilities to relevant units to prevent information system failures and minimize the impact of potential security incidents.

The Cybersecurity Committee regularly reports progress and performance to the Board of Directors to maintain transparency and ensure effective governance and decision-making regarding cybersecurity risks

Information Technology Security Policy and Guidelines

Since 2020, ThaiBev has implemented its Information Technology Security Policy as the overarching governance framework for IT security across the organization. The policy promotes awareness, accountability, and discipline among employees while establishing key principles, operational requirements, legal obligations, and alignment with international standards such as ISO/IEC 27001 and the NIST Cybersecurity Framework. Its purpose is to ensure secure, robust, and auditable management systems that reinforce stakeholder confidence in protecting both corporate and personal data.

To support effective implementation of the policy, ThaiBev has developed detailed Information Technology Security Guidelines. These guidelines translate policy directives into practical procedures, outline best practices, define roles and responsibilities, and specify controls for risk prevention, incident response, and secure operations across all business units.

Together, the policy and guidelines drive the organization’s ongoing efforts to continuously improve information security systems, ensure the integrity and protection of data, and monitor and respond to information security threats. They also establish security requirements for third parties, such as suppliers, to ensure extended ecosystem protection and reinforce governance through internal and external audits of IT infrastructure and information security management systems.

Collectively, the policy and guidelines form an integrated foundation that enables ThaiBev to maintain consistent, resilient, and compliant IT security practices across the enterprise. For further information, visit IT Policy and Information Technology Guideline.

Personal Data Protection Policy

ThaiBev places the highest priority on protecting personal data of employees, suppliers, consumers, customers, and all stakeholders. Since 2022, the company has enforced its Personal Data Protection Policy to ensure that data collection, usage, disclosure, and retention are carried out securely and appropriately. The policy aligns with data protection laws in each jurisdiction, including Thailand’s Personal Data Protection Act (PDPA), and adheres to global best practices. ThaiBev is committed to ensuring that personal data is handled responsibly and transparently in accordance with international standards.

Govern

Establish cybersecurity policies, strategies, and governance frameworks that comply with laws, regulations, and organizational objectives.

Identify

Identify cyber risks, assets, and business contexts to assess and manage security priorities effectively.

Protect

Implement preventive measures to secure operations, mitigate potential cyber threats, and ensure data confidentiality, integrity, and availability.

Detect

Monitor, detect, and analyze irregular activities or cyberattacks promptly for accurate incident awareness.

Respond

Execute well-structured response plans to minimize impact, communicate efficiently, and enhance incident-handling capabilities.

Recover

Restore systems and operations to normal through well-tested and resilient recovery mechanisms.

Strategy and Group Role of Center

ThaiBev has implemented and maintained ISO/IEC 27001 certification, an internationally recognized standard for Information Security Management Systems (ISMS). This certification ensures that the company’s information security processes—including policy formulation, risk assessment, control implementation, and continuous improvement—are systematically managed and regularly reviewed across all relevant departments.

In addition, the company has adopted the NIST Cybersecurity Framework (CSF 2.0) developed by the U.S. National Institute of Standards and Technology. This framework enhances ThaiBev’s capabilities in preventing, detecting, and responding to cyber threats, ensuring robust protection of information assets across the organization. It provides a structured approach to managing cyber risks and improving the company’s resilience in the face of emerging digital threats.

In addition, ThaiBev has established a systematic digital and technology management framework, strategy, and centralized operational direction (Group Role of Center) that covers all domestic and international business units. This aims to prevent cyber threats and ensure compliance with security requirements. The company has set up the Digital and Technology Function and Digital and Technology Services Co., Ltd. to formulate strategies and operational frameworks in accordance with international standards such as ISO/IEC 27001, with a focus on cybersecurity risk management and policy development.

Moreover, the Group Role of Center comprises three key divisions:

1. Commercial, Strategy, and Governance Group
Formulates IT strategies and ensures that technology initiatives align with the company’s business goals.
2. Technical Strategy and Architecture Group
Designs and develops enterprise-wide system architecture and ensures technological consistency across the organization.
3. Solution Design and Development Group
Focuses on developing innovative and secure IT solutions to meet operational needs and enhance competitiveness.

Management of Personal Data and Cybersecurity Risks

ThaiBev recognizes that risks related to personal data breaches, unauthorized access, or misuse of information can lead to legal, financial, and reputational consequences. Therefore, the company implements robust and transparent data governance practices in compliance with applicable data protection laws, including the Personal Data Protection Act (PDPA). In the event of a cyber incident or data breach, ThaiBev follows its established procedures to report and disclose the incident in accordance with regulatory requirements and the company’s internal policies. The company’s structured approach ensures timely mitigation, prevents human rights violations, and preserves stakeholder confidence and corporate reputation.

Strategic Plans and Key Initiatives

Policy Development Plan

Establish a Digital and Technology Policy Framework to drive digital transformation and ensure compliance with applicable laws and international standards such as ISO/IEC 27001.
Apply the NIST Cybersecurity Framework to strengthen awareness and build a culture of cybersecurity responsibility among employees, ensuring readiness for emerging digital challenges.

Cybersecurity Action Plan

ThaiBev’s Cybersecurity Plan focuses on proactive prevention, real-time detection, and effective responses to protect critical data and ensure operational continuity.

Key initiatives include:

Expanding protection for Operational Technology (OT) systems with real-time monitoring capabilities.
Conducting vendor security assessments to evaluate suppliers’ compliance with cybersecurity standards.
Deploying AI and Machine Learning (ML) tools to enhance anomaly detection and reduce false positives.
Implementing IoT security measures, including encryption, device authentication, and access control.
Reducing Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) through automated threat detection and response systems.
Ensuring compliance with ISO/IEC 27001 and NIST standards through regular audits.
Organizing cyber awareness training, phishing simulations, and cyber drills to strengthen employee readiness.

Targets

cases of information security breaches number of clients, and employees affected by the breaches
*Only includes serious cases with damages exceeding 300,000 Baht

Remark: Exclude F&N Operations

Key Projects

Throughout 2025, ThaiBev implemented several cybersecurity initiatives, including strengthening threat prevention systems and enhancing control measures in accordance with international standards such as ISO/IEC 27001 and NIST. The company also conducted risk assessments for partners and suppliers. In addition, ThaiBev developed employee capabilities through training and simulation exercises to build awareness and long-term preparedness for future cyber threats.

Governance

ThaiBev places great importance on Cybersecurity Governance in accordance with the NIST Cybersecurity Framework 2.0. The company has established clear policies, roles, and responsibilities at all organizational levels to ensure transparency and accountability in cyber risk management.

Expansion of ISO/IEC 27001 Certification Scope:
In 2025, ThaiBev expanded the scope of its ISO/IEC 27001:2022 certification to include the FYI Center, reinforcing systematic protection of critical information assets.
Certification under NIST Cybersecurity Framework 2.0:
ThaiBev achieved certification for the NIST Cybersecurity Framework 2.0 (NIST CSF 2.0), which aligns with ISO/IEC 27001 and serves as the company’s primary framework for managing cyber risks. The framework covers governance, identification, protection, detection, response, and recovery. The company continuously monitors and improves its systems to address evolving cyber threats and strengthen stakeholder confidence in the digital era.
Annual Risk Assessment and External Certification:
To ensure cybersecurity measures meet international standards, ThaiBev conducts annual risk assessments and undergoes internal and external audits at least once a year by independent bodies. These assessments help identify and resolve vulnerabilities, drive continuous improvement, and ensure compliance with global best practices.
Risk Management Strategy:
ThaiBev identifies information assets, threats, and vulnerabilities; evaluates likelihood and impact; and categorizes risk levels to develop effective mitigation plans. This structured approach enables the company to proactively manage threats, minimize vulnerabilities, and protect vital organizational data and systems.
Communication Plan:
The company maintains timely, accurate, and comprehensive communication of cybersecurity information to minimize confusion, increase transparency, enable swift incident response, and build trust among all stakeholders.
Supply Chain Risk Management:
ThaiBev has established clear cybersecurity requirements for third parties and business partners. All agreements are formally governed by contracts, and partner risk assessments are conducted regularly. Additional measures are implemented to mitigate supply chain risks, protect sensitive data, and strengthen stakeholder confidence across all levels.
Environmentally Friendly Data Center:
ThaiBev utilizes the STT Bangkok Data Center, certified under ISO/IEC 27001:2022, ensuring robust data security. The facility has also earned the LEED Gold certification from the U.S. Green Building Council, reflecting ThaiBev’s commitment to environmental responsibility and sustainability.
Personal Data Protection Compliance:
ThaiBev complies with the Personal Data Protection Act B.E. 2562 (PDPA) and the company’s internal policies to ensure systematic and transparent management of personal data. This includes oversight of data collection, consent-based data usage, access requests, and awareness initiatives. The company conducts PDPA training for new employees, annual refresher courses, and workshops to deepen practical understanding. It also maintains a Personal Data Protection Handbook written in clear, accessible language to ensure consistent privacy compliance across all subsidiaries.

Identify

ThaiBev implements the Identify function of the NIST Cybersecurity Framework 2.0 to identify and understand information assets, business processes, and potential cyber risks. This involves maintaining an asset inventory, conducting risk assessments, and prioritizing protection measures systematically to ensure efficient resource management and alignment with corporate strategies.

Information Asset Inventory:
ThaiBev regularly develops and reviews its information asset inventory under the ISO/IEC 27001 standard. Each asset has a designated owner and detailed records, including type, tag/serial number, purchase date, location, and responsible personnel. This supports effective digital management, user support, and system recovery in the event of an incident.
Cybersecurity Risk Assessment:
The company conducts comprehensive cybersecurity risk assessments to identify, analyze, and prioritize threats that may impact its systems, data, and critical infrastructure. This process includes identifying information assets, analyzing vulnerabilities, assessing likelihood and impact, and defining control measures to maintain risks within acceptable levels.
Supply Chain Risk Assessment:
ThaiBev emphasizes cybersecurity risk assessments across its supply chain, establishing clear requirements for external parties and partners under ISO/IEC 27001. This ensures that all partners maintain rigorous cybersecurity standards to protect shared information assets.

Protect

Under the Protect function of the NIST Cybersecurity Framework 2.0, ThaiBev implements preventive measures to strengthen the security of its information systems and critical data. These include access control, user rights management, data encryption, backup and recovery, and staff training to safeguard confidentiality, integrity, and availability of data.

Zero Trust Security Model:
ThaiBev applies a Zero Trust approach, requiring strict authentication and authorization for every access attempt. Access rights are granted based on necessity (least privilege principle) and centrally managed to reduce unauthorized access risks.
Secure Virtual Private Network (VPN):
The company uses Secure VPN connections to ensure data confidentiality and integrity, prevent interception, authenticate users and devices, and enforce role-based access control—supporting secure remote work environments.
Firewall Systems:
Firewalls serve as the first line of defense to control data flow, segment networks, and prevent unauthorized access. ThaiBev continuously reviews, updates, and logs firewall activities for monitoring and auditing purposes.
Access Rights Management:
The company enforces strict access control processes following the least privilege and role-based access principles. Access is immediately revoked upon employee termination, and periodic reviews ensure rights remain appropriate.
Cyber Threat Prevention and Intelligence:
ThaiBev utilizes Threat Intelligence and proactive monitoring systems such as Web Application Firewalls (WAF) to detect and block cyberattacks exploiting application vulnerabilities. OT Network Security: Operational Technology (OT) systems are protected through network segmentation, real-time monitoring, and anomaly detection to prevent cyberattacks targeting production control systems and machinery.
Email Threat Protection:
ThaiBev employs advanced email filtering systems to detect and block phishing, malicious links, attachments, and malware, preventing data breaches through email channels.
Virus and Malware Protection:
With Trend Micro Endpoint Security and Endpoint Detection and Response (EDR) tools, ThaiBev detects, prevents, and removes cyber threats promptly. The system’s threat database is continuously updated to address emerging risks.
Phishing Simulation Exercises:
Regular phishing simulations are conducted to enhance cybersecurity awareness among employees. These exercises help staff recognize suspicious emails, verify links and attachments, and report incidents correctly.
Secure Software and Hardware Management:
The company enforces strict software and hardware management measures—removing unauthorized software, maintaining hardware, and applying security patches—to minimize vulnerabilities.
IT Capacity Management:
ThaiBev practices capacity planning, monitoring, and reporting to optimize IT resources (hardware, software, and infrastructure), ensuring scalability and business continuity.
Penetration Testing:
Certified cybersecurity experts perform penetration tests to simulate internal and external attacks, identify vulnerabilities, and develop corrective actions to reduce risks of cyberattacks and data breaches.
Vulnerability Assessment:
Continuous vulnerability assessments are conducted to identify and address system weaknesses. The process includes scanning, reporting, remediation, and applying compensating controls when immediate fixes are not feasible, ensuring all vulnerabilities are effectively mitigated. Source Code Scanning: During development, source code scanning detects vulnerabilities early, allowing developers to fix issues promptly and enhance application reliability and security.
Attack Surface Management:
Using tools such as Security Scorecard and Vulnerability Assessment, ThaiBev monitors its digital attack surface—including networks, applications, and public services—to detect weaknesses, prevent data leaks, and reinforce cyber resilience.
Data Loss Prevention (DLP):
DLP systems monitor, prevent, and control the unauthorized transfer of sensitive information, protecting key organizational data from loss or misuse.
Data Backup and Recovery:
Regular data backup and restoration testing ensures data integrity and recovery capability in case of cyberattacks or disasters, reinforcing transparency and stakeholder trust.
Cybersecurity Awareness Training:
ThaiBev provides cybersecurity training for executives and employees at all levels. Participants must achieve at least 90% on post-training assessments. Over 15,000 employees were trained in the past year, fostering a strong security awareness culture throughout the organization.
Digital Communication and Skills Training:
The company also offers digital communication training to improve collaboration, safe information sharing, and accessibility under connectivity limitations. Employees’ digital skills are assessed to guide continuous learning and skill enhancement initiatives.

Detect

ThaiBev implements the Detect function under the NIST Cybersecurity Framework 2.0 to continuously monitor and identify cybersecurity incidents in a timely manner. The company employs advanced threat detection and analytics systems combined with behavioral analysis to enable early alerts and effective responses, minimizing potential damage to systems and data.

Security Monitoring:
ThaiBev conducts continuous security monitoring using Security Information and Event Management (SIEM) systems and Threat Intelligence tools to collect, analyze, alert, and respond to incidents. These measures ensure the integrity and protection of corporate data.
Centralized Log Management:
Event logs are collected, validated, stored, and analyzed centrally to enhance visibility and simplify incident investigation. Centralized log storage consolidates data from all systems, improving traceability and accelerating response times.
Firewall Activity Monitoring:
Firewall operations are continuously monitored to track network traffic, review access rules, and detect unusual activities. Logs and alerts are reviewed regularly to ensure system integrity.
Cybersecurity Threat Intelligence:
ThaiBev leverages Cyber Threat Intelligence (CTI) to monitor, analyze, and predict cyberattacks. Intelligence sources include internal monitoring tools, vulnerability databases, information-sharing communities, and external providers. Proactive threat hunting helps the company anticipate and prevent attacks, reducing detection and response times.
Cybersecurity Alert Research and AI Analytics:
ThaiBev develops AI-driven cybersecurity solutions using Machine Learning to analyze behavior, identify anomalies, and intelligently manage alerts. This reduces false positives and enhances detection accuracy, enabling faster and more contextual responses to emerging threats.
“Eagle Eye” Cyber Monitoring Center:
ThaiBev established the Eagle Eye data and infrastructure monitoring center to track real-time cybersecurity and IT infrastructure status. The platform enables immediate incident response, supports executive decision-making, and drives continuous improvement in cybersecurity operations.

Respond

ThaiBev follows the Respond function of the NIST Cybersecurity Framework 2.0 to manage and mitigate the impact of cybersecurity incidents effectively. The company maintains a formal Incident Response Plan (IRP) that includes communication protocols, root cause analysis, corrective measures, and continuous improvement processes to control situations quickly and transparently.

Incident Response Process:
ThaiBev’s Incident Response Process ensures efficient incident detection, reporting, classification, escalation, and resolution in line with international standards. All incidents are logged in the system and tracked until closure. The process is tested at least once annually and continuously improved based on lessons learned to enhance response readiness and stakeholder confidence.

Recover

In line with the Recover function of the NIST Cybersecurity Framework 2.0, ThaiBev ensures rapid recovery of systems and operations following cybersecurity incidents. The company maintains a comprehensive Recovery Plan and conducts regular Backup and Restoration Testing to ensure business continuity, minimize downtime, and strengthen organizational resilience.

Data Backup System:
ThaiBev performs scheduled data backups and regular restoration tests to safeguard against data loss from unforeseen events. These efforts ensure smooth business continuity and operational stability.
Disaster Recovery Data Center–STT Bangkok:
The STT Bangkok Data Center serves as ThaiBev’s disaster recovery site, ensuring continuity in case the primary center becomes unavailable due to incidents such as fires, floods, power failures, or cyberattacks. This minimizes disruption and maintains critical business operations.
Service Continuity Management:
ThaiBev implements Service Continuity and Disaster Recovery Management to maintain business operations even during disasters. The process includes defining policies, scope, resources, and recovery structures; risk assessment and strategy selection; plan development, execution, and testing; and regular awareness and training programs. Employees involved in business continuity planning participate in at least two drills per year, and the outcomes are documented with improvement recommendations. Progress updates and recovery statuses are communicated transparently to internal and external stakeholders.

Scope Expansion and Impact

Cybersecurity, data privacy, and risk management governance are core missions in ThaiBev’s effort to expand cybersecurity measures across its business units, including F&N, GRG, and SABECO. The goal is to establish a centralized cybersecurity standard that enhances efficiency, reduces complexity and errors, and fosters collaboration across all entities under a unified framework.

Throughout the past year, ThaiBev adopted the NIST Cybersecurity Framework as its principal cybersecurity standard, implementing consistent control measures and practices across subsidiaries. The company integrates advanced security technologies for effective cyber threat prevention and personal data protection.

Each business unit undergoes independent ISO/IEC 27001 and NIST Cybersecurity Framework standard assessments by third-party auditors to validate compliance and the effectiveness of implemented controls. This coordinated approach ensures that all ThaiBev Group entities operate with international-level security, reliability, and resilience.

Achievements

ThaiBev places the highest importance on protecting personal data, safeguarding the company’s reputation, and maintaining the trust of stakeholders—including customers, employees, and business partners. The company operates under strict precautionary principles and adheres to international standards such as ISO/IEC 27001 and the NIST Cybersecurity Framework. In the event of a data breach, ThaiBev has a clearly defined response procedure. Relevant units are required to investigate, report, and disclose information transparently through the company’s website to ensure public accountability and openness.

To date, there have been no reports of serious data breaches as defined by the company’s criteria (financial impact exceeding 300,000 Baht).

In the past year, the company did not receive any complaints or reports related to security breaches.

This report has been reviewed through the company’s internal monitoring system, in accordance with the ISO/IEC 27001 management standard, including a comprehensive review of all relevant information.

FY2025 ThaiBev Personal Data Privacy Cases

Case Type	Total Cases	% Total cases
Personal Data Violation	0	0
Withdraw Data / Delete Data	51	12%
Personal Data Correction Request (Edit/Delete)	274	65%
Not Relevant to Personal Data	96	23%
Data Verification	0	0%
Summary	421	100%

Customer privacy breaches	Number of incidents	Remark
Total number of substantiated complaints received concerning breaches of customer privacy	0	Only includes serious cases with damages exceeding 300,000 Baht
Complaints received from outside parties and substantiated by the organization	0
Complaints from regulatory bodies	0
Total number of identified leaks, thefts, or losses of customer data	0
Number of data security breaches detected	0
Number of customers, service users, or employees affected by data breaches	0

Remark: Exclude F&N Operations

Moving Forward

As technology continues to evolve, organizations must regularly enhance their cybersecurity measures to protect information from emerging threats and reinforce stakeholder confidence. ThaiBev remains committed to developing innovations that ensure sustainable adaptation to future challenges through the following key directions:

Strengthening Information Security Governance
Establish policies, standards, and processes aligned with ISO/IEC 27001, NIST Cybersecurity Framework, and PDPA to ensure robust and transparent governance.
Expanding Compliance and Certification Scope
Continuously enhance and expand ISO/IEC 27001 certification and NIST CSF 2.0 implementation across all business units and regional manufacturing facilities.
Developing Sustainable Cybersecurity Infrastructure and Innovation
Advance cybersecurity systems with automated detection and response technologies (XDR, SIEM, SOAR) and cloud-based security to anticipate and counter new cyber threats.
Enhancing Supply Chain Cybersecurity
Conduct Cybersecurity Assessments for business partners and implement a Supply Chain Risk Monitoring System to ensure end-to-end resilience.
Fostering a Cybersecurity Culture and Employee Capability
Develop online training programs and awareness campaigns to ensure all employees understand cybersecurity risks and can respond effectively.
Integrating Cybersecurity with Sustainability Goals
Promote energy-efficient data center operations, improve data backup systems, and reduce resource usage through server consolidation and virtualization.
Adopt AI to Create Value and Ensure Responsible Governance (Responsible AI Adoption & Governance)
Leverage AI technology to create value and ensure responsible governance, while promoting the use of AI and Machine Learning for threat detection, risk analysis, system development, and enhancing data management efficiency. This includes supporting services for analysis, problem-solving, and monitoring with greater speed and accuracy. Furthermore, as AI adoption expands across multiple departments, the organization prioritizes developing an AI Governance Framework to manage risks and protect data appropriately. At the same time, it drives research and application of AI in cybersecurity to strengthen proactive threat prevention capabilities in a sustainable manner.


Read More Information about Data Security and Privacy in Sustainability Report 2025