The Bank considers IT risks, including risks from cyber threats, as the key risks that need to be managed prudently. We have put in place a framework for managing IT security and cybersecurity that conforms to international standards. In addition, the Bank has adopted modern technology to monitor and detect unusual situations or events that may damage the Bank's data and information systems. We have also established security standards for all data collected through the Bank’s services while our systems are regularly assessed against these security standards, both before and after customers use a service.
We received four accolades for our cybersecurity commitment in 2023 from the Prime Minister Awards: Thailand Cybersecurity Excellence Awards 2023 organized by the National Cyber Security Agency (NCSA), namely: 1. Cybersecurity Performance Excellence Awards 2023, Critical Information Infrastructure (CII), 2. Best Cybersecurity Performance Awards 2023, Critical Information Infrastructure for Banking and Finance, 3. Best Cybersecurity Performance Awards 2023, Critical Information Infrastructure Agency Cybersecurity for Cooperation, and 4. Best Cybersecurity Performance Awards 2023, Critical Information Infrastructure Agency for Capacity Development.
Cybersecurity Governance Structure
To ensure the effectiveness of our IT security and cybersecurity in accordance with the Bank’s policies and principles, we have clearly defined the scope of responsibility for relevant parties from the Board of Directors to managerial level as follows:

Information Security and Cybersecurity Policy and Measures
We have prepared an Information Security and Cybersecurity Policy that is in line with the international standard ISO/IEC 27002 as a guideline for managing information security and handling cyber attacks. We also published the Information Security and Cybersecurity Handbook to provide employees with clear guidance on how to perform their duties in accordance with the Bank's policy. We review the said policy every year to keep it up to date with new technologies and cyber threats. During 2023, we revised the Information Security and Cybersecurity Policy by incorporating topics on Artificial Intelligence Adoption and Threat Intelligence Program. In addition, the Bank has been certified for various international security standards, including ISO/IEC 27001:2013 for the Bank of Thailand’s Automated High-value Transfer Network (BAHTNET) and the Imaged Cheque Clearing and Archive System (ICAS), and is in the process of being certified for the Payment Card Industry Data Security Standard.
To enable employees to work more flexibly and to respond to the work-from-anywhere practice, we have established security procedures for using mobile devices and accessing information via external devices that are in line with the Information Security and Cybersecurity Policy and other related policies. Furthermore, we have gradually installed security systems into our equipment to enhance cybersecurity and personal data security while we regularly scan for malware on devices. In 2023, we investigated data leaks from various sources such as the dark web, GitHub and Pastebin, along with analyzing the data and notifying data subjects to facilitate proactive defensive actions.
Monitoring Cybersecurity
We have established clear guidelines for monitoring cybersecurity incidents that may affect information security as well as setting response times for the escalation of incidents and notification of related parties so that incidents can be managed and any resulting damage controlled in a timely manner. At the same time, we focus on enhancing the knowledge and skills of relevant employees to ensure preparedness in preventing and responding to cyber threats at all times. In 2023, we organized training to promote skills and knowledge in various areas including Secure Software Development, Threat Hunting, and PCI Professional Training, as well as sending employees to participate in cybersecurity competitions at the international level and banking sector level to strengthen their technical analysis through simulated situations.
Employees who encounter a dubious incident related to IT security and cybersecurity can report the incident to the Service Desk through the provided channels. In 2023, the Bank had no case of information security breaches or other cybersecurity incidents.

Preparation for the Cybersecurity Incident Response Plan
The Information Technology Security Management unit conducts a cybersecurity drill of the Bank’s cyber threat response plan at least once a year and adjusts the scenario for the cybersecurity drill every year to ensure that employees and applicable technologies are ready to counter cyberattacks in different forms. Apart from internal practices, cybersecurity drills are regularly conducted with other banks under the Thailand Banking Sector Computer Emergency Response Team (TB-CERT). These activities continually help improve our cybersecurity process to combat cyber threats more effectively. In 2023, we organized two drills of the cybersecurity incident response plan: one drill at the Bank level for an incident that occurred to external service providers which had an impact on the Bank's services, and the other at the banking sector level for an incident of attacks on sensitive personal data storage systems.
To ensure that the Bank's information technology systems are well protected and can prevent potential threats in a timely manner, we arrange an external independent auditor to examine our IT security management processes twice a year. The audit covers IT General Control and Application Control. At the same time, we have established a process for managing vulnerabilities along with conducting a Vulnerability Analysis for important work systems as well as carrying out a Penetration Test led by both internal and external experts on an annual basis. Moreover, we regularly test the responses of our personnel on cybersecurity by sending simulated phishing emails to directors, executives and employees every year. Testing results are applied to improve employee communications to heighten their awareness of how to spot and handle phishing emails. During 2023, we conducted tests by sending phishing emails with different topics and content throughout the year. The results showed that fewer employees were deceived while more reports of suspected phishing emails were received.
Collaboration with External Agencies to Build Cybersecurity
To promote cybersecurity, we have collaborated with both local and international external agencies including TB-CERT, the Thai Computer Emergency Response Team (ThaiCERT) and the Financial Services Information Sharing and Analysis Center (FS-ISAC) with the objective of exchanging information related to cybersecurity and cyber threats and to enhance our ability to respond to cyberattacks. In 2023 we participated in brainstorming discussions on guidelines to prevent or reduce the risk of scams through Facebook and Google platforms, as well as developing a process for reporting incidents to Facebook to strengthen its ability to combat fake pages including jointly testing Safe Browsing with Google.