Why is this Important?

At present, energy and utility businesses are experiencing escalating privacy protection and cybersecurity challenges. These issues significantly impact stakeholder confidence in energy and utility businesses, which are pursuing digital and technology advancements to remain competitive with modern innovations, thus making them targets of cybercrime. EGCO Group has established cybersecurity policies to safeguard the company’s data, ensure the ability to counteract and limit the risks of cyber threats, and adopt appropriate risk management approaches. Furthermore, the Company’s cybersecurity strategies are designed to defend against cyberattacks, sabotage, espionage, and errors, and to adhere to the Cybersecurity Act B.E. 2562 (2019) and the Personal Data Protection Act B.E. 2562 (2019). The 3 fundamental components for data security are:

  • Confidentiality (C): Confidentiality of information

  • Integrity (I): Maintaining data integrity

  • Availability (A): Availability of information

Furthermore, EGCO Group conducted security awareness training for executives every year to reduce the risk of data leaks from cyber threats. EGCO Group also established a working group on policy and guideline development on personal data protection to manage, monitor, and assess the impacts, as well as to implement relevant actions on personal data protection that are within the regulatory frameworks.

Sustainability Material Topic: Data Security & Privacy

Stakeholder Impact on Materiality Topics

Business Partners

Management Approach

Privacy Protection and Cybersecurity Target

Long Term Target
  • 80% of employees have undergone training to raise their awareness of data security and privacy concerns, focusing on high-risk and relevant stakeholders.

2023 Target
  • Improve the data security system of Khanom Power Plant, Banpong Power Plant, and Klongluang Power Plant to comply with ISO 27001 standard

  • Improve the information management system including Log Management Replacement and Datacenter Monitoring Replacement.

  • Arrange IT security awareness training sessions for employees and executives to increase awareness of cybercrimes and reduce the risk of sensitive business data leakage.

  • Conduct penetration testing & business continuity plan testing

2023 Performance
  • Certified ISO/IEC 27001:2013

  • Training sessions on Personal Data Protection Act B.E. 2562 (2019) preparedness were arranged

  • Improved IT management system including Log Management Replacement and Datacenter Monitoring Replacement

  • Firewall upgraded

  • Conducted 2 cyber security awareness training sessions for employees twice, i.e. hybrid and e-learning sessions

  • Conducted phishing mail attack testing and all systems recovery testing twice a year

  • Collaborated with a consultant to conduct penetration testing and vulnerability assessment. The data security system has been upgraded to ensure compliance with relevant standards

Privacy Protection and Cybersecurity Governance

The Risk Oversight Committee stipulates an internal audit policy regarding risk management activities and regularly investigates IT development-related operations.

Cybersecurity Measures

EGCO Group stipulated and published an IT security and cybersecurity policy for every employee, including external parties providing services for EGCO Group, to use as an operational guideline on IT-related tasks, ensuring full compliance with related laws.

IT Security/ Cybersecurity Process & Infrastructure

EGCO Group’s IT Security System was certified to ISO/IEC 27001:2013, which covers processes such as grievance management, change management, document control, asset utilization monitoring, etc.

Data Privacy Protection

EGCO Group places great importance on the data protection and privacy of employees, customers, suppliers, and every stakeholder. The Company stipulated strict internal data abuse prevention guidelines as well as established and announced the data privacy protection policy publicly.

Related Documents

Policies, Requirements and Performance

  • Sustainability Manual
  • Personal Data Protection Policy
  • Personal Data Protection Act (PDPA) Statement
  • End User Security Guideline
  • Information Technology Development and Cyber Security Oversight Committee
  • Privacy Notice for External Data Subjects
  • Consent Form for External Data Subjects
  • Application Form for Exercise of the Rights of Data Subject
  • Personal Data Breach Notification Form

Performance Data

Updated as of April 2024

The information reported above was prepared in accordance with the Global Reporting Initiative Standards (GRI Standards). It has been audited by an external party and has received limited assurance through the 2023 Annual Report.