Sustainability

Digitalization and Information Security/ Cybersecurity

Sustainable Development Goals

Positive and Negative Impacts

Impact of Topics Over Time
  Short Term: Medium
  Medium Term: Medium
  Long Term: High

  • Information management, cybersecurity, and privacy protection
  • Leveraging digital technology to transform business processes and activities within the organization


Financial Materiality
  Risks:
    - Potential disruptions to business operations, including increased costs, failure to deliver products and services, and a loss of stakeholder trust
    - Leakage of sensitive data
  Opportunities:
    + Safeguarding information, mitigating cybersecurity threats, and enhancing privacy protections, while also fostering greater trust with stakeholders
    + Leveraging digital technology to streamline and optimize business processes, driving greater operational efficiency

Impact Materiality
  - Leakage of sensitive information from the organization and its stakeholders to external parties

Management Approach

Digital and Cybersecurity Governance Framework

PTT has established a comprehensive governance framework for managing the organization’s digital operations, ensuring the proper management of resources. The responsibility for digital governance is defined at all levels of the organization, starting with the PTT Board of Directors, which annually reviews the Company’s vision, direction, strategies, policies, and key plans, while also evaluating potential risks. Dr. Nattapon Nattasomboon, an independent director and Deputy Permanent Secretary of the Ministry of Digital Economy and Society, who has relevant expertise, contributes at the management level. At the senior management level, the Senior Executive Vice President of Corporate Strategy, equivalent to the Chief Information Security Officer (CISO) or Chief Security Officer (CSO), serves as the Chairperson of the PTT Group Digital Steering Committee. This committee sets the strategic direction, policies, and digital objectives for the PTT Group, overseeing and aligning digital initiatives across PTT Group companies. The committee drives the implementation of policies, standards, management mechanisms, and digital management systems across the Group, covering areas such as project development management, data governance, digital operations oversight, and information security. It ensures that these initiatives are carried out effectively and efficiently throughout the Group. The committee also provides guidance and recommendations to various units under its oversight, reviews, tracks progress, and evaluates the results of digital initiatives. The committee's role is similar to that of a "Cybersecurity/Information Security Committee." Meetings are held at least twice a year or as needed. At the operational level, the Digital Strategy Department is tasked with ensuring that PTT’s digital strategy aligns with the defined direction, policies, strategies, and objectives.

PTT has established a robust process to ensure the efficiency and transparency of its operations, while strictly adhering to relevant laws, regulations, and policies concerning digital technology development. The Company has implemented policies on digital governance, information security management, and cybersecurity, all endorsed by the Chief Executive Officer and President. These policies are designed to help PTT effectively leverage digital technologies to enhance operational efficiency, create added value, and support continuous business growth. The overarching objective is to foster agility, transparency, and security, aligned with best practices in corporate governance, to position PTT as a high-performance organization. These efforts also drive collaboration across PTT Group businesses, supporting the long-term sustainability of the energy and petrochemical value chains. Furthermore, they enable PTT to seize opportunities for new business models through the application of cutting-edge technologies and innovations, thereby boosting competitiveness, improving operational quality, and ensuring the organization remains adaptive to fast-evolving global trends. In addition, PTT has established a set of digital standards that serve as operational guidelines for employees at all levels. These standards ensure optimal performance across various areas, including IT infrastructure, software, system protocols, infrastructure security, training, and Service Level Agreements (SLAs). This approach guarantees maximum efficiency and effectiveness for the organization. Simultaneously, PTT rigorously manages cybersecurity risks, which are considered a critical component of the Company's risk management framework (operational risk). This involves implementing control measures and plans to reduce the likelihood of risks, developing comprehensive mitigation plans, and using Key Risk Indicators (KRIs) to track progress. Regular updates on these initiatives are reported to the Enterprise Risk Management Committee, the Corporate Risk Management Committee, and the PTT Board of Directors in accordance with established timelines.

Leveraging Digital Technology in Business Operations

PTT is committed to enhancing Operation & Efficiency by integrating digital technologies and AI across its operations. This is part of a broader strategy to build a Learning Organization and drive Digital Transformation, with the aim of delivering quick, impactful results. By prioritizing initiatives that foster early adoption, PTT aims to establish a strong organizational culture, raise awareness, and encourage employees to embrace change in pursuit of sustainable growth. PTT has established a strategic direction for the development and enhancement of its digital technology framework, with the primary objective of improving operational efficiency (Productivity Improvement) by optimizing processes and integrating digital technology. The Digital Transformation strategy focuses on reducing costs, enhancing operational performance, and creating long-term business opportunities for the organization. This is achieved by reengineering workflows with digital technologies while concurrently improving the overall processes (Reprocess).

PTT’s Digital Transformation strategy is structured around three core areas:

  1. Strategy

    This focuses on defining the vision and mission of the Digital Transformation journey, ensuring they are aligned with PTT’s overarching organizational vision. Key components include:
    - Vision and Value Creation: Driving the vision to create business value through the efficient use of data and AI. This is supported by building robust infrastructure, such as PTT Cloud & Platform, to enable seamless digital integration across all facets of the organization.
    - Culture & Talent Development: Cultivating a culture of innovation and continuous learning while enhancing employees' digital and AI capabilities.
    - Governance, Risk, and Compliance (GRC): Implementing control measures and governance to ensure that digital operations adhere to established standards and regulations.

  2. Enablement 

    This area focuses on preparing the resources and developing the necessary infrastructure to facilitate smooth and effective Digital Transformation. Key initiatives include:
    - Fit-Gap Assessment: Evaluate the existing capability gaps to identify areas needing improvement, and develop strategies to enhance the organization's capabilities to meet strategic objectives effectively.
    - Resource Acquisition and Development: Strengthen technological infrastructure and allocate human resources efficiently to support the organization’s digital transformation, while eliminating redundancies in processes.

  3. Deliveries

    This focuses on delivering tangible, measurable outcomes from the Digital Transformation initiatives by effectively integrating people, processes, and digital technologies. Key actions include:
    - Developing Use Cases and Applications: Building targeted solutions and applications across various business functions, such as procurement, marketing, supply chain, and finance, to optimize efficiency and support business growth.
    - Workstream Grouping: Organizing specialized teams, e.g., PTT Digital, RAISE, Mekha-V, based on their areas of expertise to ensure smooth collaboration and quick response to emerging organizational needs.

Information Security and Cybersecurity

To safeguard against the rising risks of cybercrime and data breaches, PTT has implemented robust security measures. As a Critical Information Infrastructure (CII) entity in the energy and public utilities sector, PTT is mandated by the Cybersecurity Act, B.E. 2562 (A.D. 2019), to adhere to comprehensive governance and management practices for both information and cybersecurity systems. These practices are designed to align with national standards and frameworks set forth for government agencies and critical infrastructure organizations. Key focus areas are:

  1. Supporting all business processes to ensure sustainability
    1) Risk Identification (Identify)
    2) Risk Prevention Measures (Protect)
    3) Cyber Threat Detection and Monitoring Measures (Detect)
    4) Incident Response Measures upon Detection of Cyber Threats (Response)
    5) Recovery and Restoration Measures for Damage from Cyber Threats (Recovery)
    6) Effective Governance (Governance)
  2. Execution of Cybersecurity Audit Plans
  3. Cybersecurity Risk Evaluation
  4. Development of Cyber Threat Response Plans

These initiatives are aligned with the cybersecurity framework developed by the U.S. National Institute of Standards and Technology (NIST). The Company has implemented comprehensive information security and cybersecurity policies, encompassing both Information Technology (IT) and Operational Technology (OT). This ensures that PTT's information systems are safeguarded against cyber threats and managed with effective cybersecurity risk management. These measures are designed to be in full compliance with international standards and best practices.

PTT has implemented the Information Security Management System (ISMS) standard, specifically ISO/IEC 27001, and the Privacy Information Management System (PIMS) standard, ISO/IEC 27701.

PTT has appointed PTT Digital Solutions Co., Ltd. as the cybersecurity service provider for the PTT Group. The Company operates a Cyber Security Operation Center (CSOC), which monitors and detects cyber-attacks across the PTT Group 24/7. The CSOC utilizes cutting-edge technology and is staffed with internationally-certified professionals to ensure effective threat detection and response.

In addition, PTT has established a comprehensive Business Continuity Management (BCM) plan, a Disaster Recovery plan, and a Cybersecurity Incident Response plan to ensure preparedness for potential disruptions in information systems and cyber-attacks. These measures are in place to build confidence among stakeholders regarding PTT’s ability to handle such challenges. PTT requires the testing of readiness and understanding at least three times a year, which includes:

  • Business continuity plan drills, conducted at least once a year to assess readiness and understanding of emergency and crisis response, with each year featuring different simulated scenarios
  • Disaster recovery plan drills, conducted at least once a year to test the functionality and readiness of backup systems
  • Cybersecurity incident response drills, conducted at least once a year to assess response capabilities, understanding, and roles in the event of a cyber threat

In 2024, PTT carried out four drills, including two disaster recovery exercises, one national-level cybersecurity incident response tabletop exercise, and one PTT-specific cybersecurity tabletop exercise. Insights and feedback from these exercises have been utilized to refine and improve operational processes.

Additionally, PTT actively collaborates with the Thailand Computer Emergency Response Team (ThaiCERT) and other global communities to exchange up-to-date cybersecurity information and intelligence.

To strengthen awareness, PTT organizes bi-monthly cybersecurity awareness training sessions and phishing mail tests for all employees and contract staff. Employees who do not pass the tests are required to complete additional training through E-learning. This approach ensures that employees remain well-informed about the impacts of cyberattacks.

Personal Data Privacy Notice Form

PTT highly values the protection of personal data belonging to customers, partners, and business associates. To comply with personal data protection laws, PTT has established clear procedures for handling personal data. A Personal Data Privacy Notice form has been developed to inform individuals about how their personal data is processed. The details of this can be accessed on the Company’s website at https://pttpdpa.pttplc.com/Privacy/106107.

Key Initiatives and Improvement Reviews

AI Transformation Project

To enhance operational efficiency, develop new products and services, boost competitiveness, and improve customer service across PTT’s business units and its subsidiaries (PTT Group), PTT has adopted Generative AI technology within the Operational Excellence Department. This initiative has resulted in the development of a knowledge retrieval platform that integrates with the organization’s Enterprise Data Platform, which is governed by standardized management procedures. The platform significantly improves data access and analysis by accurately understanding and interpreting content in both Thai and English. Over 80% of users have positively accepted the platform, which provides accurate and useful responses to inquiries related to Operational Excellence. Additionally, the platform correctly cites the relevant data sources linked to its answers, enabling users to verify the origin of the provided information.

Digital Citizen Project

To enhance essential knowledge and skills for applying digital technologies according to business objectives, and to develop the competencies of employees at all levels while promoting the concept of Digital Citizenship, PTT has launched targeted initiatives. These include courses aimed at building foundational digital knowledge, such as cybersecurity awareness, and courses to develop basic skills for using tools like collaboration platforms. Additionally, the project focuses on advanced skills, such as data analysis, automation, and predictive modeling. In 2024, PTT further expanded these efforts by introducing training on AI/Generative AI technologies, helping employees leverage AI/Generative AI/Machine Learning to boost work efficiency. The training is customized to fit the content and learning styles, and employee success is measured via post-training tests, where at least 80% accuracy is expected. These results will be tracked as part of each employee's learning and development record. To ensure effective digital capability utilization, PTT also conducts awareness-building activities such as phishing mail tests and targeted communications campaigns.

Powering Digital Organization with ERP Project (POWER)

As PTT’s current Enterprise Resource Planning (ERP) system, SAP ECC 6.0, approaches the end of product support, the Company has launched a project to evaluate key factors, create a comprehensive plan, and prepare for the development of SAP S/4HANA. This new system will address current technology limitations and incorporate advanced intelligent technologies, such as AI and Machine Learning, while also supporting Big Data and business networks. These enhancements will enable efficient processing and swift access to large volumes of data. In 2024, the project progressed successfully, achieving its goals of designing and refining operational processes that align with PTT's future operational strategy. The initiative includes restructuring operations, reducing redundancies, using automation to increase accuracy, and integrating data to support organization-wide decision-making. The optimized processes are expected to drive significant productivity improvements by reducing time and costs, minimizing errors in previous workflows, and increasing resource efficiency. Key areas impacted include asset management, supply chain management, and human resources management. The project is scheduled for completion by 2025.

Enterprise Architecture Project

PTT has initiated a comprehensive review and analysis of its Information Technology (IT) architecture with the aim of integrating digital technologies across every facet of the organization. This includes optimizing work processes, product development, marketing strategies, organizational culture, and future growth objectives. The project ensures that all these efforts follow a unified set of principles and standards. The scope of the enterprise architecture has been broadened to account for potential changes in the organization's infrastructure. This governance process mirrors the approach of the Change Approval Board (CAB), ensuring that any proposed changes undergo thorough impact assessments on systems and processes. The Enterprise Architecture Working Group plays a critical role in overseeing the management of digital technology projects, adhering to PTT’s established guidelines. This approach helps strike a balance between embracing new technology and maintaining system security, reliability, and efficient management of existing resources.

IT Resource Optimization Project

This initiative focuses on optimizing the use of Cloud resources to better align with the organization’s actual operational needs. By enhancing the efficiency of digital infrastructure resources, the project incorporates a robust monitoring process to track resource usage. Additionally, automated measurement systems are deployed to analyze usage volumes. The project also involves recommending adjustments to application owners, identifying opportunities to improve resource utilization, such as reducing the size of underutilized resources or deactivating unnecessary ones. All proposed changes require approval from application owners to ensure alignment with business objectives and to minimize any potential disruption to system operations. This optimization strategy is projected to significantly reduce Cloud-related expenses while laying the groundwork for broader resource optimization initiatives across other areas within PTT.

Security and Efficiency Enhancement (SDGs 16.10)

PTT has integrated the Security Service Edge (SSE) system alongside an upgrade to the Virtual Private Network (VPN) for organizational devices, enhancing security measures for system access both internally and externally. SSE is designed to meet the security needs of modern digital organizations, incorporating advanced technologies such as unauthorized access prevention, application monitoring, and real-time threat detection. Furthermore, SSE allows comprehensive control over data access across the system, even when users connect via external networks. These enhancements not only bolster the security of PTT’s systems but also improve the user experience for employees, eliminating the need for manual VPN connections each time they access the system. This reduces the complexity of setup and connection while also mitigating risks associated with forgetting to activate the VPN when working remotely.

Phishing Test Campaign (SDGs 16.10)

PTT is committed to raising awareness among employees about cyber threats through regular phishing email tests. These tests simulate deceptive emails designed to trick users into opening attachments or entering personal credentials, such as usernames and passwords, which significantly increase organizational risk. PTT conducts these tests every two months and follows up with immediate feedback to help employees recognize and respond to phishing attempts. To further enhance awareness, employees can report any suspicious emails via multiple channels, such as the PTT Digital Contact Center, including phone, email, Line Official Account (OA), or by using the automatic reporting function available in the organization's email application.

Awards and Recognition

  • ISO/IEC 27001:2022 Certificate (For the 14th consecutive year)
  • ISO/IEC 27701:2019 Certificate
  • ISO/IEC 38500:2015 Certificate
  • Prime Minister's Awards: Thailand Cybersecurity Excellence Award 2024, Excellence Level, for Organizations with Outstanding Advancements in Cybersecurity
  • Thailand Digital Excellence Awards 2024 in the category of End-to-End Digital Transformation

Future Implementations

Digital Transformation Project

The objective is to assess the potential for integrating digital technologies within PTT to identify opportunities for cost reduction and enhanced operational efficiency. This will be accomplished by streamlining workflows with digital solutions, coupled with process optimization (Reprocess) and restructuring digital subsidiaries. The aim is to establish effective enablers with an appropriate business model. PTT targets having 50% of its employees equipped with digital skills by 2026, and 100% by 2029. In addition, PTT is committed to reducing costs and improving efficiency in tandem with other initiatives such as the OpEx program and carbon emission reduction plans, ensuring that development remains continuous and in alignment with organizational goals.

Cybersecurity Enhancement Project

This project is focused on preparing and responding to cyber threats, with an emphasis on ensuring swift recovery to normal operations (Cyber Resilience) across three key areas. These include continuously raising cybersecurity awareness at all organizational levels—starting with executive tabletop exercises and extending to comprehensive training and communication for all employees from their first day at PTT. The project also involves improving cybersecurity governance processes, such as developing extensive cybersecurity protection plans that cover both IT and OT, vulnerability management, and evaluating the organization’s cybersecurity preparedness. Furthermore, the project will integrate advanced technologies to enhance security capabilities, including simulating attack scenarios and ensuring that personal devices meet the same stringent security standards as corporate systems.