The plan for developing the capabilities and potential in Cyber Security in 2024, including goals, operational strategies, related projects, and detailed steps of implementation, has been reviewed and approved by the senior management team and the company's board of directors. For example, projects such as the external storage disablement test through Post USB, Threat detection and prevention, and Email phishing tests for employees will be part of this initiative. This plan will be communicated and publicly disseminated through appropriate channels in the future to ensure that all stakeholders have confidence in the company's commitment to safeguarding and preventing cyber security threats. It will also demonstrate the support received in terms of budget and policy from the management team and the board of directors.

PTG Energy Public Company Limited governs information security in three levels: the governance level, management level, and operational level.

PTG has an information security supervisory system in place, which is divided into 3 levels, namely supervisory level, management level, and operational level.

The company has currently implemented an information technology policy that complies with the regulations of relevant regulatory authorities, Thai laws, and international standards, specifically ISO 27001:2013. This policy has been consistently reviewed and verified by both internal audit teams and external auditors, ensuring adherence to global standards.

The company has implemented a comprehensive policy for information security as part of its broader IT framework. This policy ensures that all personnel and stakeholders are aware of the importance of safeguarding information systems and their specific roles in managing potential risks. To ensure adherence, the company regularly conducts monitoring and control activities, including penetration testing, to uphold security standards.

Additionally, to prepare for and mitigate potential cybersecurity threats, the company has categorized vulnerabilities into four severity levels: Critical, High, Medium, and Low. Detailed action plans, procedures, and designated responsibilities have been established to address any incidents based on their severity.

In addition to the measures outlined above, employees can report any anomalies or security incidents caused by cyber-attacks encountered during operations through the "IT Service Center." The IT team will promptly address the issue according to the established incident reporting and escalation process. This includes clear communication and reporting to all relevant parties, from operational staff to senior management, ensuring continuous tracking and resolution until the issue is fully resolved.

Cyber Drills and Business Continuity Management

The company conducts an annual test of its Business Continuity Plan (BCP) to ensure operational resilience. In 2024, the company tested the plan with key departments, including Information Technology, Operations, Sales, Accounting and Finance, and its affiliates. The simulated scenario involved a cyber attack on the headquarters' main server, causing system downtime. In response, the relevant teams followed the business continuity procedures, while the IT department activated the IT Disaster Recovery Plan.