Positive and Negative Impacts

PTT prioritizes the identification and realization of digitalization opportunities in all work processes to strengthen the Company’s business capacity and competitiveness. At the same time, the Company puts in place prevention and mitigation measures for potential negative impacts that may arise from cyber security threats, whether they are data breaches, ransomware, or cyber extortion. These threats do not only contribute to potential adverse impacts on the organization, but also human rights violations affecting data owners such as employees and customers. Beyond resulting in loss of image and reputation, the organization may face hacker attacks that create direct damage on operational technology (OT) systems, thus leading to potential business interruption. In light of these potential adverse impacts, cyber security has consistently surfaced in annual corporate risk assessments as one of the key corporate risks that require close monitoring. PTT closely tracks and measures outcomes related to cyber security, and has also established plans to ensure continuous efficiency improvement of risk and impact mitigation measures. The Company invests in new technologies, process efficiency improvements, and efforts to increase awareness of cyber threats among personnel within the organization

Management Approach

Driving Digital Transformation

PTT integrates digital technology across the organization through the Organization Transformation Project. The Company’s approach is to emphasize balance between capacity and efficiency development for our people and for the technology we use. In tech development, we focus on applying artificial intelligence and data within the organization to achieve desired outcomes, and developing modular technology that can be connected to the organizational platform. For people development, our efforts are focused on ensuring that all personnel have the digital talent they need to improve work efficiency, facilitate effective organizational decision-making, and maintains resilience in working under team-based settings with constantly changing variables. PTT has defined a vision for organizational digital transformation, which states that the Company “aspires to be a leader in applying digital innovation and technology to respond to rapid changes”. Additionally, PTT established a strategic direction to further develop and revise the PTT Strategic Framework for Digital Technology Development to be comprehensive of long term plans for 2023 – 2027. Short-term and long-term targets for each focus area are listed below.

• People: Build digital capacity within the organization to enable adoption of digital technology that increases business efficiency and drives growth. Develop an innovation culture to ensure that PTT remains at the forefront of digital competitiveness, and prioritize efforts to build awareness and understanding of cyber security amongst employees and relevant stakeholders.
• Process: PTT focuses on achieving outcomes under six target areas, including:

1. Support all business processes to achieve sustainability.
2. Establish cybersecurity targets that are based on the zero-trust model.
3. Apply AI technology and analytics to support business decisions.
4. Achieve digital governance processes that are fully verifiable. Explore and identify ways to apply digital technology to create business value on an ongoing basis.
5. Support the application of digital technology to new businesses.
6. Drive adoption of digital technology to enable good customer experiences.

• Technology: Aspire to become a leader in applying digital innovation to respond to rapid changes. Put in place digital enablers that support important digital work processes, including AI technology and analytics, use of the cloud platform, integration of information technology (IT) systems with operational technology (OT) systems, and ensuring security in the use of digital technologies.

In addition, PTT oversees digital governance and work processes to support the adoption of digital technology through the organization, while also managing risks from cyber security threats outlined under the Digital Policy. The Digital Policy, signed by the President and Chief Executive Officer, outlines the Company’s goal to apply digital technology to increase efficiency and create added value  to enable continuous business growth. This will support the organization in having increased agility, speed, transparency, and security. At the same time, it also supports PTT in aligning practices with good governance principles and drives us forward to achieve organizational excellence. In this way, the Company maintains readiness to build collaborative advancement within PTT Group and promote sustainability in the fully integrated energy and petrochemical business. The Company will also realize opportunities to develop new businesses through technology and innovation, strengthen competitive advantage, and improve quality and agility in aligning the business to global trends and changes in a timely way. PTT has also defined a digital standard to use as a guideline for PTT employees of all levels. This standard will enable the optimization of efficiency in all dimensions – including information technology equipment, information system standard, infrastructure security system development, training, and service-level agreement – thus contributing to business benefits and outcomes for the organization.

Information Technology and Cyber Security

To prevent cyber crimes and information leakage, which continues to proliferate rapidly, PTT has established information technology and cyber security governance and safety management systems that aligns with the cyber security standards developed by the National Institute of Standards and Technology of the USA (NIST). We have announced the Information Security Management Policy and Cyber Security Policy to ensure that the Company’s information technology systems have prevention and protection measures that are efficient and aligned with international frameworks and standards. Currently, PTT has applied the Information Security Management Systems Standard (ISMS) or ISO/IEC 27001 and the Privacy Information Management System (PIMS) or ISO/IEC 2771 for more efficiency in information security. Furthermore, the Company developed the Information Technology Security Policy to cover information technology (IT) as well as operational technology (OT), which is center to PTT’s business.

PTT has appointed PTT Digital Solutions Company to lead and provide cybersecurity services to all PTT Group companies. The Cyber Security Operation Center (CSOC) is tasked with ensuring 24-hour surveillance of cyber attacks for all PTT Group companies. The Center operates with advanced technologies such as machine learning, and is staffed with personnel who have obtained certification with international standards.

Cyber drills are consistently organized on an annual basis, with table top exercises organized at least once per year. The Digital Strategy Department, PTT Digital Company and SSHE team participate in these drills. Security incident response plans are clearly defined, and the Company hires global experts and have them on call in the event an incident occurs (incident response retainer). In parallel, PTT coordinates with the Thailand Computer Security Coordination Center (ThaiCERT) and other international communities of practice to exchange information on the most recent updates on cyber security.

Digital and Cyber Security Governance

The PTT Board of Directors annually reviews the Company’s vision, business direction, strategy, policy, and important plans. The Board also considers the key risks that may occur every year. Mr. Payong Srivanich (independent director) is one of the Board members with experience in risk management. At the management level, the Chief New Business and Infrastructure Officer (CNBO) chairs the PTT Group Digital Steering Committee.

This position is equivalent to the Chief Technology Officer (CTO) or the Chief Information Officer (CIO). The CNBO’s responsibilities include: determining PTT Group’s direction, policy, strategy, and targets on digitalization; governing and managing digital collaboration between PTT Group companies to ensure all companies are aligned; driving policies, standards, management measures, and digital management systems – including management of project development, information management, digital management governance, information security management – to optimize efficiency within PTT Group; consulting and providing advice to different teams reporting to the CNBO; and screen and monitor progress and performance of digital initiatives. The Board has meetings on the aforementioned areas at least twice a year, or on an ad hoc basis.

Cyber security, which has been consistently identified as one of the organization’s critical risks (under operational risks), is managed through measures/control plans put in place to reduce risks (mitigation plan). Key risk indicators (KRI) are also used and reported to the Corporate Plan and Risk Management Committee, Risk Management Committee, and the PTT Board of Directors.

Highlighted Initiatives and Workplans

Digital Literacy

To build employee skills and support them in adopting digital technology in their work, PTT prepared skill development plans that are comprehensive of different skill types and catered to meet individual needs. The Company designed a course that aligns with the digital competencies of each employee level. Each course is measured and assessed. For example, those who took the course should perform at least 80%. In addition, to ensure that the organization’s personnel are able to effectively apply the digital skills, PTT implemented the Digital Center of Excellence, or Digital CoE, project to promote digital citizenship within the organization and application of digital technology to increase efficiency at work. 

Furthermore, PTT is driven to foster a culture where employees and stakeholders recognize the importance of cyber security and safety. The Company builds cyber security awareness and understanding through various activities, including sending phishing mails to employees and contractors every two months. Firstly, employees are trained through an e-learning course and communicated through emails. Then, the phishing mail is sent. Finally, the results are analyzed to identify employee awareness and understanding, and progress is communicated to relevant personnel. 

Information Security and System Readiness

Following developments in government policy and the Personal Data Protection Act B.E. 2562 (2019), which outlines expected standards on the collection, use, and processing of personal data in various systems, PTT has been preparing organizational readiness in different areas since 2021. The Company announced the Data Privacy Policy and organized training for key project operators and other users. PTT also reviewed the data inventory, consent form, operational procedures in protecting personal data, and the privacy notice forms. The PTT PDPA Application was also developed as a platform with Data Leak Prevention (DLP) to support the collection of consent data from employees and all stakeholder groups.

Increasing Efficiency of Information Security

2-Factor Authentication: 2FA^{SDGs 16.10}
2-Factor Authentication (2FA) is a widely accepted method for identity verification and to prevent unauthorized access to data in the use of devices or applications. The basic principle of 2FA technology is to require an additional authentication process after password entry. This second layer of protection is done through predefined channels, such as through entering a one time password (OTP) or through an option to select “approve/deny” on an application on the data owner’s smartphone. This verifies and confirms that the user is truly the individual with the right to access. In this way, 2FA helps prevent and reduce data loss, minimize financial loss from theft, lessen data recovery costs, and avoid damage to the organization’s reputation and trust. PTT has implemented 2-Factor Authentication (2FA) for accessing emails and internal systems.

Phishing Test Campaign^{SDGs 16.10}
The Phishing Test Campaign tests and builds employee awareness of cyber threats. A phishing email is sent to deceive users into opening files or providing their username/password – both of which are behavior that implicate high risks on the organization.  Currently, PTT conducts phishing tests every two months and provides feedback to help them become aware of cyber threats and build their skills in identifying and avoiding these threats. Currently, PTT tests employees every two months and provides feedback to help them become aware of cyber threats and avoid falling prey to them easily. If an employee suspects that an email is a phishing attempt, they can report the problem or raise a concern through the Email Service Desk or the PTT Digital Call Center, or use the automatic report button in the organization's email application.

Security Program Assessment (SPA)^{SDGs 16.10}
PTT hired an external consultant to study and evaluate the Company’s existing cyber security processes. The results of the assessment then informed the development of plans to align PTT’s management systems with best practice standards.

Future Plans  

PTT has developed a Cyber Security Roadmap with a cyber security management approach that follows the Zero Trust Security Model. This Model is based on the concept of never trusting and always verifying. This includes checking privileges for personnel, processes, and technology. The Roadmap is informed by the results of the security program assessment and aims to improve work processes while driving adoption of new technology. Ultimately, these efforts serve to strengthen security standards and increase organizational capacity in protecting PTT’s systems from threats. Furthermore, the Company is also invested in designing secure cloud systems.

Certifications and Awards

ISO/IEC 27001:2013 Certificate ISO/IEC 27701:2019 Certificate ISO/IEC 27001:2013 Audit Report ISO/IEC 27701:2019 Audit Report Prime Minister Awards: Thailand Cybersecurity Excellence Award 2022

Highlighted Developments in The Past Year

Data Governance and Enterprise Data Platform Project

The Company carried out data governance initiatives, developed frameworks and processes to guide governance, and created a large-scale organizational data management system that serves as a single source of truth, accessible to all and supporting the Company in operating as a data-driven organization. PTT also built the Enterprise Data Platform and prepared tools to utilize data for business intelligence and machine learning (ML). The MLOps process was also established to integrate the repository, artifacts, pipeline, and CI/CD processes and enable rapid deployment of machine learning applications that can respond quickly to changing business factors.

Modernized Application Landscape (MAL) and Journey to Cloud Project

The Company reviewed all non-ERM applications used by PTT, including technology used to develop the applications as well as the infrastructure that supports their use. Results were then used to develop a framework and guidelines for operating these applications, as well as establishing standards for the application development process to align practices with cloud platform technology and new PTT businesses.