We consider IT risks, including risks from cyber threats, to be key risks that need to be managed prudently. We have put in place a framework for managing information security and cybersecurity that conforms with international standards. An action plan to tackle various forms of cyber threats has been established so that we can quickly and effectively mitigate potential impacts. We have also adopted modern technology to monitor and detect unusual situations or events that may damage the Bank’s data and information systems. In addition, we have developed security standards for all data collected through the Bank’s services, and our systems are regularly assessed against these security standards, both before and after customers use a service. At the same time, we are committed to consistently developing our personnel’s cybersecurity competencies. In 2024, the Bank received the Best Performance Awards 2024 for organizations that achieved an ‘Excellent’ assessment result for cybersecurity advancement from the Prime Minister Awards: Thailand Cybersecurity Excellence Award 2024 event organized by the National Cyber Security Agency (NCSA). The award manifestly reflects our commitment to cybersecurity management.
Cybersecurity Governance Structure
To ensure that our information security and cybersecurity are appropriately managed and in accordance with the Bank’s policies and strategies, we have clearly defined the scope of responsibility for relevant parties from the Board of Directors level to management level as follows:

Responsible for governing and overseeing information security and cybersecurity management to be appropriate for the Bank’s business operations.
Responsible for overseeing and monitoring information technology risks including risks from cyber threats.
Responsible for ensuring that our Information Technology Division works effectively and in alignment with business operations.
Responsible for supporting the Chief Information Security Officer (CISO) who is responsible for the following:
- Defining, developing and regularly reviewing the structure, policies, standards and procedures for information security and cybersecurity.
- Assessing and monitoring the status of security control through vulnerability and threat management, as well as investigating any unusual incidents in the Bank’s security.
- Fostering a risk culture regarding information security and cybersecurity in the organization.
Cybersecurity Policy and Measures
We have established an Information Security and Cybersecurity Policy that complies with international standards and regulations as a guideline for managing information security and managing cyber attacks. We also publish the Information Security and Cybersecurity Handbook to provide clear guidelines for employees to follow. The policy is reviewed every year to ensure it is up to date with new technologies and current cyber threats. During 2024 we revised our risk management strategy and asset management principles to align with the NIST Cybersecurity Framework 2.0, adding controls on the adoption of artificial intelligence (AI), information security for cloud system services, and quantum computing security. In addition, the Bank has been certified as meeting various international security standards, including ISO/IEC 27001:2013 for the Bank of Thailand’s Automated High-value Transfer Network (BAHTNET) and the Image Cheque Clearing and Archive System (ICAS), and we are in the process of being certified for the Payment Card Industry Data Security Standard (PCI DSS).
To support working in the digital age where employees can work from anywhere, the Bank has established regulations on the use of mobile devices, access to external data, management of e-mails, and storage of data in accordance with the Information Security and Cybersecurity Policy and other related policies. Furthermore, as proactive security measures, we have installed security systems in our hardware, regularly scan devices for malware, and monitor for potential information leakage from different sources.
Monitoring Cybersecurity
We have established clear guidelines for monitoring cybersecurity incidents that may affect information security, and have set response times for the escalation of incidents and notification of related parties so that incidents can be managed and any resulting damage mitigated in a timely manner. We regularly enhance the knowledge and skills of relevant employees to ensure preparedness in preventing and responding to cyber threats. In 2024 we offered training organized by both internal and external agencies to employees to enhance their cybersecurity-related skills. We also sent employees to participate in the Cyber Combat 2024 competition hosted by the Thailand Banking Sector Computer Emergency Response Team (TB-CERT) to strengthen their skills in handling cyber threats through simulated situations.

Employees who encounter a suspicious incident related to IT security and cybersecurity can report the incident to the Service Desk through the channels provided. In 2024 there were no cases of information security breaches or other cybersecurity incidents at the Bank.
Preparation for the Cybersecurity Incident Response
The Information Technology Security Management Unit conducts a cybersecurity drill of the Bank’s cyber threat response plan at least twice a year and adjusts the scenarios for the cybersecurity drill on a regular basis. The results of the drills are used to make the Bank’s cybersecurity incident response process more effective. During 2024 the Bank carried out three drills for the cybersecurity incident response plan, namely an internal drill, a banking sector drill under TB-CERT, and a drill at national level by the NCSA. Moreover, we regularly test the responses of our personnel on cybersecurity by simulating phishing emails with different subjects and content and sending them to directors, executives and employees throughout the year to test their understanding. Results are applied to heighten the awareness of employees on how to spot and handle phishing emails. Furthermore, every year a certified external independent agency examines our IT security management processes covering IT General Control and Application Control to ensure that our IT systems have a high standard of protection and are able to handle threats. We also conduct a Vulnerability Analysis for important work systems to test their vulnerabilities and conduct a Penetration Test which is led by both internal and external experts on an annual basis.
Collaboration with External Agencies to Build Cybersecurity
To promote cybersecurity, we have set up collaboration with both local and international external agencies including TB-CERT, the Thai Computer Emergency Response Team (ThaiCERT) and the Financial Services Information Sharing and Analysis Center (FS-ISAC), with the objective of exchanging information related to cybersecurity and enhancing our ability to monitor and respond to cyber threats. In 2024 we participated in a seminar on cybersecurity under the topic Tomorrow’s Cybersecurity in the Age of AI. This was organized by TB-CERT to update knowledge and practices on cybersecurity in an era where AI is playing a significant role. In addition, the Bank’s executives gave lectures and exchanged knowledge at the cybersecurity workshop Capital Market Cyber Leaders 2024: Trust, Resiliency, Sustainability organized by the Securities and Exchange Commission (SEC) for directors of listed companies, and at a seminar organized by the NCSA entitled Joining Forces between the Public and Private Sectors to Drive Cloud Security to Support the Cloud First Policy.