Cybersecurity

PTG has set out plans to develop its cybersecurity competencies and capabilities for 2023. The plans cover goals, strategies, related projects, and operating procedures, and are consistent with Gartner's research article "Top Strategic Technology Trends for 2022". Examples include the Uplift Cyber Security project, the Security Operations Center (SOC) project, and staff email phishing tests. The projects shall be cascaded and communicated to the public via appropriate platforms so that all stakeholders can be confident of the Company's commitment to overseeing and preventing cybersecurity threats in a concrete way, and of the support of executives and the Board of Directors in terms of both budget and policy. IT security governance is organized into 3 levels: the supervisory level, the management level, and the operational level.

Supervisory Structure of Information Security and Cybersecurity

PTG has an information security supervisory structure in place, divided into 3 levels: the supervisory level, the management level, and the operational level.

Information and Cyber Process and Infrastructure

PTG's IT policy is aligned with the regulations issued by the agencies responsible for business governance, with Thai law, and with international standards, namely ISO/IEC 27001:2013. It is regularly audited and verified against those standards by the Internal Audit Department and by external auditors. In addition, the Company has formulated IT security policies and guidelines as part of its IT policies, so that personnel and associated parties recognize the importance of maintaining the security of information systems, understand their duties and responsibilities, and follow guidelines that limit the risks that may arise.

In addition, IT security operations, monitoring, control, and supervision are carried out on a regular basis across the systems in the IT ecosystem, in accordance with the Information Technology Policy enforced by the IT Department. Examples include penetration testing and information system vulnerability assessment.

Furthermore, to prepare plans for handling and resolving potential cyber-attacks, IT vulnerabilities are rated at 4 severity levels: Critical, High, Medium, and Low. Each level has its own plans, work procedures, responsible parties, and methods of communicating with and reporting to the relevant parties, so that the response matches the actual severity should an incident occur.

Cybersecurity Measures, Responses to Cyber Threats

Apart from the measures mentioned above, the Company's employees can inquire about or report abnormal activities, and notify the "IT Service Center" of potential damage caused by any cybersecurity-related attack. IT officers handle incoming cases and act on them as promptly as possible according to the designed process and procedures (the incident report and escalation process). Each reported case is communicated and reported to the relevant parties for further action, from the operational level up to the responsible C-level executive. Results are followed up and monitored until the problem is completely resolved.

Cyber Drills and Business Continuity Management

PTG requires that the business continuity plans (BCP) for IT systems and cybersecurity be tested at regular intervals, i.e., at least once a year. In 2022, the Company extended the test to the relevant departments, including the Operations Department (10 areas), the Sales Department, the Accounting and Finance Department, and its subsidiaries. The test scenario assumed that the main server at the headquarters had been hit by an external cyberattack, causing the SAP system to stop working. In this scenario, the Information Technology Department carries out the cross-site failover from the data center to the backup site, while the relevant departments operate according to the business continuity plan and the IT disaster recovery plan. The test found that the Information Technology Department was able to recover the attacked server, restore all data, and verify that the information in the system was correct and complete, after which all departments could return to normal work.

Information and Cybersecurity Awareness

The Company places importance on communicating the policies, roles, duties, and responsibilities of everyone involved in maintaining IT security, from the executive level to general employees, whether new hires or existing staff. The program is organized by the IT Department, with the Human Resource Management Department covering communications and public relations, to strengthen the awareness of all employees and ensure that they stay alert and know how to react when encountering cyber-risk incidents such as:

Phishing test
Tests personnel's IT security awareness within the Group. In 2022, the Company conducted 2 phishing tests covering the head office, branch offices, and its subsidiaries.

Significant Data Leak Cases

Information security/cybersecurity breaches                                  2020  2021  2022  2023
Total number of information security breaches                                   0     0     0     0
Total number of clients, customers and employees affected by the breaches       0     0     0     0

Number of staff attending information security and cybersecurity training

Cybersecurity training for new hires
On their first day of work, all new employees, regardless of position, attend a training course that gives them basic knowledge and understanding of the Company and its regulations, together with cybersecurity instruction and tests covering Physical Access Control, Information and Data Security, and Logical Security. Results of the training are as follows:

Employee performance evaluation

The Company has designated information technology security operations as a Key Risk Indicator (KRI) of organizational risk, for example events that cause critical systems to fail and become temporarily unusable, and uses it as a measure of the organization's operational performance. The Information Technology Department reports progress against this indicator to the Risk Management Committee on a quarterly basis.