Cybersecurity

Significance & Commitment

Due to digitalization, information technology has been evolving to facilitate cloud storage. On the other hand, the risk of cybersecurity threats becomes significantly higher. IT system disruption and data breaches, especially of customer data, can severely damage the Company in terms of finance, reputation, and customer trust. Therefore, it is crucial for the Company to have a preventive policy in place to ensure business continuity.

Management Approach

The Company used “ISO/IEC 27001 Information Security Management” as a guideline for developing the Information Technology and Cybersecurity Policy, which is applied across the entire organization. Leaks of company data and cyber-attacks on the Company’s database are considered emerging risks. Therefore, cybersecurity is built into enterprise risk management. The audit committee is responsible for overseeing cybersecurity issues, focusing on regulatory compliance and risk management associated with the use of digital technology. Furthermore, the Company conducts a Disaster Recovery Plan (DRP) exercise annually for the Company’s critical data, namely financial data and enterprise documents. The effectiveness of the response plan is then assessed by a third party as part of the business continuity management system certification.

To ensure transparency, privacy, and the protection of all information, the Company has at the same time implemented a privacy policy that defines the purpose of data collection, the disclosure of information, and the security of personal data. This is to ensure data protection for any persons disclosing their personal information to the Company, especially customers and business partners. The Company has raised employees’ awareness of cybersecurity and of incidents caused by cybercriminals, including the employee’s role in protecting information assets stored on Company-owned computers, through various channels. Cybersecurity awareness is included in the orientation of new employees, and cybersecurity news is also regularly communicated to all employees via email.

Cybersecurity & AI Governance

The Company has implemented an Information and Cybersecurity Policy aligned with ISO/IEC 27001, covering both Information Technology (IT) and Operational Technology (OT) systems. Oversight is provided by the Global Information Security Officer (GISO) and the Information Security Management System (ISMS) Committee to ensure consistent policy enforcement and risk management across all business functions.

To further enhance digital governance, the Company introduced an AI Governance Policy outlining the ethical and responsible use of AI. Additionally, the launch of the Security Behavior and Cultural Program (SBCP) fosters a security-conscious culture across the organization. Looking ahead, the Company continues to strengthen cybersecurity and AI governance through 3 key areas:
1. Responsible AI Governance: Deployment of an AI Governance Policy with clear principles for the ethical and responsible use of AI technologies across business operations.
2. Unified Digital Governance Framework: Establishment of a unified governance framework that integrates IT, OT, and AI technologies under a single oversight structure.
3. Adoption of Global Standards: Implementation of the latest international standards, including ISO 42001:2023 AI Management System (AIMS) and ISO 27001:2022 Information Security Management System (ISMS).

Together, these initiatives reflect Banpu’s commitment to building resilient, secure, and ethical digital governance in support of long-term business sustainability.

Cyber Incident Management

Banpu strengthens its cybersecurity capabilities by enhancing the cyber incident management framework to ensure a structured, timely, and effective response to potential threats. This practical guideline defines a comprehensive process covering the identification, containment, investigation, mitigation, recovery, and reporting of cyber incidents. These measures are designed to minimize operational impact, protect critical assets, ensure regulatory compliance, and support continuous improvement in the Company’s cyber resilience.
The framework is designed to ensure seamless coordination among relevant teams during cybersecurity events. It addresses emerging cyber threat scenarios such as third-party risks in the digital supply chain and AI model poisoning. The guidelines emphasize effective detection, analysis, escalation, and resolution of incidents, and reinforce Banpu’s commitment to proactive risk management and secure operations across business units.

Year in Review

In 2023, the Company undertook significant initiatives to enhance cybersecurity supervision. Among the important initiatives, Cyber-Physical System (CPS) Strengthening stands out as a key strategy. This approach involves a detailed cybersecurity assessment conducted in collaboration with the power business, leveraging external experts to ensure compliance with safety guidelines applicable to both information technology and operational technology. The insights gained from this assessment are used to enhance people, process, and technology, ensuring a robust defense against potential cyber threats.

In addition, the Company has recently launched a Self-Hacking by White Hackers program. This initiative engages skilled ethical hackers to identify vulnerabilities within the applications that the Company relies on. This proactive approach allows the Company to address and rectify security weaknesses promptly, ensuring the resilience of its digital assets. The outcomes of this program will enhance the Company’s quality assurance process, ensuring comprehensive coverage across all aspects of operations and aligning with modern work practices.

Performance Data
