Mitr Phol Group Sustainability

Key stakeholders: shareholders; customers and consumers; government and civil society sectors

Mitr Phol has deployed technology organization-wide to increase work efficiency, facilitate decision-making, create added value, and drive sustainable growth as part of its Digital Transformation Policy. Robotic Process Automation (RPA), Machine Learning, and Artificial Intelligence are deployed to improve operations in such areas as Smart Management, Smart Factory, Smart Distribution, and Smart Marketing. However, caution is necessary when using technology, as it carries risks and can harm the business unless prudent cybersecurity measures are in place.

2023 Target and Performance

Indicator: Timeframe for responding to a security breach
Target: Within 4 hours
Performance: Within 4 hours

Indicator: Timeframe for isolating the affected server from the Company's network
Target: Within 1 hour after notification
Performance: Within 1 hour after notification

Indicator: Evaluate cybersecurity awareness using a Phishing Simulation Test
Target: 2 times per year
Performance: 2 times

Indicator: Organize a Cyber Drill to prepare executives for cybersecurity incidents
Target: 1 time per year
Performance: 1 time

Management Approach

Cybersecurity Management Structure

Mitr Phol's Board of Directors places great significance on cybersecurity and information security and has therefore delegated the Digital Transformation and Cybersecurity Steering Committee to work with the Risk Management Committee and the Audit Committee. The Company has appointed a Data Protection Officer (DPO) and established a dedicated cybersecurity unit within the Digital and Technology Transformation Group to manage cybersecurity and information security. The Executive Vice President of Digital and Technology Transformation is responsible for overseeing overall security management. The committees and roles responsible for security management are as follows:

The Risk Management Committee

plays a significant role in defining policies, overseeing and supporting risk management, monitoring and evaluating performance, and providing recommendations for risk mitigation. This helps Mitr Phol Group to achieve its business goals and maximize benefits for its stakeholders. Key risks related to IT, cyber, and information security are closely monitored by the Risk Management Committee.

The Digital Transformation and Cybersecurity Committee

has duties to define policies on IT, cyber, and information security as well as oversee and support policy implementation across all business units in Mitr Phol Group.

The Audit Committee

independently reviews the Company's operations, ensuring that risk management and internal controls align with best practices and comply with relevant laws, rules, and regulations. The committee closely monitors and oversees risk management and controls related to IT, cyber, and information security as part of its audit cycle.

The Chief Information Security Officer (CISO)

is a role held by the Executive Vice President of Digital and Technology Transformation, who is responsible for setting technology strategies and managing digital and technology transformation operations across all units. These operations, encompassing digital transformation, systems and business solutions development, IT infrastructure, IT security, cybersecurity, and information security, ensure that business units receive the support they need to achieve the Company's goals.

The Data Protection Officer (DPO)

is responsible for providing advice, reviewing operations, and supporting all business units within Mitr Phol Group. The DPO ensures compliance with personal data protection laws, including establishing security measures to protect personal data within Mitr Phol Group as required by law and to align with international standards.

The Cybersecurity and Information Security Unit

takes charge of planning, developing, and managing technology systems, information systems, and information (including personal data) within Mitr Phol Group to ensure security and maintain confidentiality, integrity, and availability. The unit conducts risk assessments, implements IT, cyber, and information security controls, and manages risks to maintain an acceptable level for the Company. It also monitors anomalous situations and promptly addresses them to minimize damage and restore normal operations. Moreover, the unit raises awareness among Mitr Phol Group employees, external service providers, and involved agencies.

Risk Management Framework for Cyber Threats and Information Security

Mitr Phol has established and announced the Information Technology Policy, the Cybersecurity Policy, and the Personal Data Protection Policy, which are to be adhered to across Mitr Phol Group. The Company also established a risk management framework for digital technology and information security to achieve the following key objectives.

Effective Risk Management

Mitr Phol aligns its organizational structure with the 3 Lines of Defense model to ensure proper checks and balances. The 3 Lines of Defense comprise:

Strengthening Cybersecurity Measures and Fostering a Cybersecurity Corporate Culture

Mitr Phol places importance on developing all 3 domains of People, Processes, and Technology, to mitigate cybersecurity risks, safeguard personal data, and effectively address cyber threats in every aspect.

In the People domain, the following key activities were carried out:  

  • All employees at every level attended training through the e-learning platform to acquire new skills related to cyber threats, monitoring techniques, defense strategies, and appropriate responses.
  • Focus-group meetings were held to exchange experiences of real-life cyber threats with relevant departments to heighten awareness of potential threats in frontline operations.
  • Employees regularly receive Cyber Alert! notifications for cyber emergencies and essential Cybersecurity Need to Know information through emails.
  • A cyber incident response plan was rehearsed, and lessons learned from these rehearsals were used to improve the effectiveness of the incident response process.
  • Phishing Simulation Tests are conducted regularly, with the results reported to the top management of each unit. High-risk groups are required to attend focus group training and review lessons to mitigate potential risks posed to the organization.
  • A cybersecurity awareness-raising program has been conducted continuously through special talks on lessons learned from real cybersecurity incidents in the country.

In the Process domain, the following key activities were carried out:

  • Policies, practices, and operational procedures were developed and announced. Training was provided to employees, executives, and stakeholders to ensure accurate and comprehensive implementation of the policies and related documents.
  • Policies, practices, and operational procedures are reviewed annually.
  • The Chief Information Security Officer (CISO) was appointed to oversee compliance with cybersecurity policies, standards, and practices, and ensure effective management of cybersecurity risks.
  • A Cyber Hotline was established as a channel for incident reporting, and Cyber Alert! for threat notifications. The Cyber Incident Response Procedure and the persons responsible for it were also designated to facilitate efficient collaboration among relevant departments.
  • Cyber Drills are conducted annually.
  • The Cyber Incident Ticket Management system was implemented to collect statistical data for risk analysis, devise plans and measures to prevent recurrence, and share insights gained for continuous learning and improvement.
  • Cyber operations were monitored and evaluated by internal units and external agencies to ensure alignment with the standards of the U.S. National Institute of Standards and Technology (NIST).

In the Technology domain, the following key activities were carried out:

  • Multi-factor authentication was utilized to enhance security when accessing critical systems.
  • A Cloud Management Gateway and System Center Configuration Manager are employed to centrally manage software installation and updates, ensuring that software on employee computers and critical systems remains up to date.
  • Employees may use personal devices for work under the BYOD (Bring Your Own Device) Policy, provided they maintain data security and prevent unauthorized access to Company systems.
  • Data Labeling was implemented to classify document confidentiality levels and regulate access control permissions.
  • Data Loss Prevention is deployed to safeguard data from loss or leaks through emails and file-sharing systems.
  • Network access control is applied to allow only authorized devices to connect to the Mitr Phol network.
  • A Managed Security Service Provider (MSSP) and a Security Operations Center (SOC) are employed to gather and analyze network traffic in order to promptly identify unusual activity.
  • Database encryption was implemented to secure sensitive data in key databases.
  • Firewalls were installed for Industrial Control Systems to protect plant networks from external threats.
  • USB Blocking Software was installed to prevent unauthorized data transfers to external storage.
  • Vulnerability Assessments and Penetration Tests were regularly performed to detect and assess system vulnerabilities, particularly through simulated external attacks and testing the system's security readiness.

In 2023, the Company did not experience any data security breaches, and no customers or employees were affected by personal data breaches.

Related Policy and Statements

Cybersecurity Policy

Personal Data Protection Policy