Why is it important
In today's rapidly evolving digital landscape, information technology plays a critical role in business operations, while cyber threats have become a significant and complex challenge for organisations worldwide. Neglecting cyber security and personal data protection not only risks compromising stakeholder trust and corporate reputation but may also disrupt business continuity. Recognising these risks, B.Grimm Power prioritises cyber security and data protection by implementing internationally recognised standards and regulatory-compliant frameworks. Regular assessments and reviews are conducted to ensure proactive risk management. Additionally, the company promotes a Cyber Security Culture across the organisation, equipping employees with the awareness and capability to anticipate, respond to, and recover from cyber security and information threats effectively, ensuring long-term resilience in business operations.
Management Approach and Strategy
Cyber Security
Policy and Commitment
B.Grimm Power takes information and operational technology security seriously to ensure timely and effective responses to cyber threats. To govern all aspects of information security management across the organisation, we have established a comprehensive policy aligned with Thailand’s Cybersecurity Act B.E. 2562 (2019) and ISO/IEC 27001 standards. This policy is further supported by a suite of sub-policies and practical guidelines. For more details, please refer to our summary version of the Information Technology Security Policy.

Governance Structure
B.Grimm Power has established a dedicated Digital and Cyber Security Governance Body as follows:
- The Digital Transformation Committee is a sub-committee of the Board of Directors of B.Grimm Power. It ensures that digital initiatives align with the organisation's strategic goals and long-term vision, and provides guidance, oversight and evaluation of digital strategies to enhance operational efficiency, innovation, sustainability and competitiveness, while also ensuring that cyber security, data privacy and digital risk management are effectively addressed across the organisation. The committee reports to the Board of Directors annually.
- The Co-Heads of B.Grimm Digital and Energy Solutions division, reporting directly to the Co-President – Thailand Business and Energy & Industrial Solution Business, are responsible for overseeing the digital landscape and ensuring alignment between information policies and security measures. To safeguard the organisation's digital assets, they develop and implement robust cyber security strategies, conduct regular assessments, and establish comprehensive guidelines. By managing IT infrastructure and driving digital transformation, the Co-Heads also contribute to operational efficiency and employee empowerment. The division reports to the Digital Transformation Committee annually.
There are five key departments within the B.Grimm Digital division:
1. Digital Governance: Ensures that information management aligns with organisational goals and security standards.
2. Cyber Security: Protects digital assets by preventing, detecting, and responding to cyber threats. This department consists of 3 main teams:
- Security Operation Center (SOC) Team: Monitors, detects, investigates, and responds to cyber security threats in real-time.
- Blue Team: Focuses on defending the organisation by identifying vulnerabilities, hardening defenses, and ensuring systems are secure.
- Red Team: Simulates attacks to identify vulnerabilities and test the effectiveness of the organisation’s security measures.
3. Digital Transformation: Leverages technology to improve business processes and efficiency.
4. Digital Operations: Manages IT infrastructure and systems, providing technical support to employees.
5. Digital Technology: Researches and implements new technologies to drive innovation and business growth.
Strategy
B.Grimm Power adheres to the highest security standards. Our policies, procedures, information technology infrastructure and operational framework comply with applicable laws, regulations and international standards, such as the Cybersecurity Framework of the U.S. National Institute of Standards and Technology (NIST) and the Information Security Management System standard ISO/IEC 27001:2022. Our Cyber Security Operations Center (CSOC) monitors and responds to cyber threats 24/7; incidents can also be reported via the hotline +66 9 2271 2668 or by email to cybersecurity@bgrimmpower.com, to ensure timely and proper incident response. When the CSOC is notified of or detects an unusual cyber security incident, it performs investigation, severity assessment, damage control and situation remediation, and issues further preventive measures. If a critical incident is detected, the CSOC must report it to the B.GRIMM CSIRT Steering Committee for supervision and resolution. The Corporate Communications team then reports the incident to employees and related parties.
Cyber Security Management Framework (figure; source: National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0)
Key Principles for Cyber Security Operations
- Operational Readiness: maintained under key principles such as upskilling, data privacy protection, system readiness, transparency and legal compliance, ensuring timely and appropriate responses to events.
- Risk Management: through assessment of and planning for cyber security risks, covering infrastructure, network equipment and software.
- Cyber Security Culture: by raising cyber security awareness and understanding among all employees across the organisation.
- Innovation: by collaborating with partners to research and innovate solutions that enhance system resilience while creating value-added opportunities and business growth.
Privacy Protection
Policy and Commitment
Governance Structure
B.Grimm Power has appointed a Data Protection Officer (DPO) responsible for developing policies and operational guidelines to ensure compliance with data protection laws and regulations. The DPO oversees personal data risk management, collaborates with internal departments to safeguard data privacy, and leads incident response efforts in the event of data breaches.
Additionally, we have established a Personal Data Protection Committee to oversee the governance, management, monitoring, and auditing of data protection practices. The Internal Audit Division serves as part of this committee, conducting annual reviews and evaluations of data security controls in compliance with the Personal Data Protection Act B.E. 2562 (2019). The committee focuses on identifying high-risk data activities, providing strategic recommendations, and raising employee awareness of data protection laws and compliance requirements.
Strategy
B.Grimm Power has established a data classification policy outlining definitions, rules, regulations, responsibilities and class-based access rights. The policy defines four data classifications: public, internal use, confidential and restricted. In addition, we actively manage the risks associated with data privacy protection in product and service design, system and application development, software upgrades and any project involving personal data. We employ the following strategies:
1) We have adopted the Privacy by Design and Privacy by Default principles to identify the data privacy risk factors and implement prevention or mitigation measures.
2) We require a Privacy Impact Assessment (PIA) to identify risks and potential impacts on personal data and implement relevant control measures.
3) We assess our compliance with applicable laws and regulations. Our data privacy complaint channel, dpo@bgrimmpower.com, is managed by the Data Protection Officer. The process for responding to data breach incidents is as follows:
1. The CSOC detects an incident or receives an incident report from various channels, including the DPO.
2. The CSOC investigates the incident to determine the severity level, performs damage control and situation remediation, issues preventive measures, and reports back to the DPO.
3. The DPO reports the incident to the Board of Directors and the Personal Data Protection Committee within 72 hours.
4. Responsible teams manage incident communication with employees and related parties:
- People Partnership team communicates with internal stakeholders.
- Corporate Communications team engages with external stakeholders and related parties.
We foster awareness and a corporate culture of cyber security and data privacy. All employees are required to complete training and pass a relevant test annually. They are to familiarise themselves with the applicable policies and strictly adhere to cyber security and data privacy rules, regulations and best practices. We enforce a zero-tolerance policy for violators and will take appropriate disciplinary or legal action based on the nature and severity of the offence.
Performance 2024
Policy and Legal Compliance
We reviewed our operational framework, policies and guidelines against applicable laws and regulations, such as the Personal Data Protection Act B.E. 2562 (2019) and the Cybersecurity Act B.E. 2562 (2019), to confirm that the company complies with the law and related regulations and to prepare for new regulations.
Training and Corporate Culture
- We developed advanced cyber security training courses covering current topics such as artificial intelligence (AI), deepfake technologies and call centre scams. The programmes are designed to provide in-depth knowledge and equip employees with the awareness and strategies needed to strengthen their defence against emerging cyber threats. In 2024, 919 employees participated in the training, with an 88 percent pass rate among those assessed.
Information Technology Infrastructure and Cloud Security
- We conducted two comprehensive Cyber Drills focused on Secure Access Service Edge (SASE) cloud security and on-premises server environments. The drills simulated real-world scenarios, including defending cloud environments against Distributed Denial-of-Service (DDoS) attacks and managing on-premises server vulnerabilities in the event of a security failure, in order to enhance resilience, improve incident response and strengthen overall cyber security strategies.
- We adopted an advanced Security Information and Event Management (SIEM) and Security Operations (SecOps) platform that uses AI and big data analytics. The system enables real-time threat detection, seamless cloud integration, risk visibility and automated response, reducing the security team's workload.
- We deployed Attack Surface Management (ASM) for comprehensive visibility into internet-facing assets, addressing gaps in discovery, vulnerability management and threat intelligence across open, on-premises and cloud environments. By prioritising risks and streamlining remediation, ASM strengthens security defences and proactively mitigates threats.
- We conduct Vulnerability Assessments and Penetration Tests (Pentests) annually to identify and remediate vulnerabilities that could allow unauthorised system access, strengthening our defences against attacks. These assessments are performed by both internal teams and external experts and covered over 11 projects in 2024.
- We expanded Passwordless Authentication and discontinued legacy password-setting requirements in line with NIST guidelines, enhancing security and user experience by reducing reliance on traditional passwords.
- We implemented an advanced Endpoint Detection and Response (EDR) system to proactively detect cyber security anomalies, collect and analyse data, and identify potential threats. This enables prompt and effective prevention of security breaches, ensuring comprehensive protection across all sites.

Audit
We demonstrated our commitment to cyber security and personal data protection through consistent assessments and certifications. Our information security management system is certified to the international standard ISO/IEC 27001:2022 and undergoes regular internal and external audits. We also engage external specialists to conduct risk assessments following NIST standards. This comprehensive approach ensures our ability to rigorously maintain cyber security and promptly respond to any incidents.
| Indicator | 2021 | 2022 | 2023 | 2024 |
|---|---|---|---|---|
| Cyber Security | | | | |
| Number of information security breaches or other cyber security incidents (1) (Case) | 0 | 0 | 0 | 0 |
| Personal Data Protection | | | | |
| Number of substantiated complaints received concerning breaches of customer privacy (2) (Case) | 0 | 0 | 0 | 0 |
(1) These are defined as unauthorised access to computer data, applications, networks, devices, protected systems and data. Cybercriminals or malicious applications bypass security mechanisms to reach restricted
(2) Written statements by a regulatory or similar official body addressed to the organisation that identify breaches of customer privacy, or a complaint lodged with the organisation that has been recognised as legitimate by the organisation. This includes substantiated complaints related to personal information breaches from individuals, general agencies and regulatory bodies.