Why is it important

As information technology has progressively developed and become an integral part of every business operation, cyber threats have emerged as an important and challenging issue globally. Inadequate cyber security and data privacy protection can jeopardise a company’s stakeholders’ trust and the continuity of its business operations. Recognising the importance of cyber security and data privacy protection, B.Grimm Power has established guidelines and operating frameworks in accordance with relevant international standards and applicable laws. We also perform relevant cybersecurity tests and reviews on regular basis as well as promote cyber security culture to ensure cyber resilience.

Management Approach and Strategy

Cyber Security

Policy and Commitment

B.Grimm Power takes information and operational technology security seriously. To ensure that cyber threats are responded to properly and in a timely manner, we have established coherent guidelines for managing cyber security that align with Thailand's Cybersecurity Act B.E. 2562 (2019), covering:

1) Strategies, policies, plans and guidelines related to cyber security

2) Duties, responsibilities and management tools of Cyber Security Incident Response Team (CSIRT)

3) Development of cyber security guidelines aligning with international frameworks.

Strategy

B.Grimm Power adheres to the highest security standards. Our policies, procedures, information technology infrastructure and operational framework comply with applicable laws, regulations and international standards, such as the cyber security management framework of the U.S. National Institute of Standards and Technology (NIST) and the Information Security Management System standard (ISO/IEC 27001:2022). We monitor and respond to cyber threats 24/7 via our Cyber Security Operations Center (CSOC), reachable on the hotline +66(0) 2821 6900 or by email at csirt@bgrimmpower.com, to ensure that incidents are responded to properly and in a timely manner. When the CSOC is notified of or detects an unusual cyber security incident, it performs investigation, severity assessment, damage control and situation remediation, and issues further preventive measures. (If a critical incident is detected, the CSOC must report to the B.GRIMM CSIRT Steering Committee for supervision and resolution.) The Corporate Communications team then reports the incident to employees and related parties.

Cyber Security Management Framework

(Figure: NIST cyber security management framework. Source: the U.S. National Institute of Standards and Technology)

Cyber Security Implementation

  • Operational Readiness: operating under key principles such as people upskilling, data privacy protection, systems readiness, transparency and legal compliance, and responding to events in a timely and appropriate manner.
  • Risk Management: assessing and planning for cyber security risks, covering infrastructure, network equipment and software.
  • Cyber Security Culture: raising cyber security awareness and understanding among all employees across our organisation.
  • Innovation: collaborating with allies to research and innovate solutions that enhance our systems' resilience as well as create added value and business opportunities.

Privacy Protection

Policy and Commitment
Our Data Privacy policy covers our own operations, subsidiaries and suppliers. It specifies the types of personal data we may collect, purpose for collecting them, customers’ rights and complaint submission or contact channels for data inquiries. This policy conforms to the Personal Data Protection Act B.E. 2562 (2019).
Governance Structure

Our Data Protection Officer (DPO) is responsible for formulating data privacy protection policies and regulations that comply with legal requirements. The DPO manages data privacy risks, collaborates with various internal divisions to safeguard data privacy, and responds to incidents of data privacy breaches. Additionally, the Internal Audit Division performs an annual review and assessment of our data privacy efforts to ensure compliance with the Personal Data Protection Act. It focuses on investigating potentially risky data-handling activities, offers recommendations on data privacy protection measures, and supports campaigns to raise employee awareness of applicable laws.

Strategy

B.Grimm Power has established a data classification policy outlining definitions, rules, regulations, responsibilities, and class-based access rights. The policy defines four data classifications: public, internal use, confidential, and restricted. In addition, we actively manage the risks associated with data privacy protection in product and service design, system and application development, software upgrade and any project involving personal data. We employ the following strategies:

1) We have adopted the Privacy by Design and the Privacy by Default principles to identify the data privacy risk factors and prevention or mitigation measures.

2) We require a Privacy Impact Assessment (PIA) to identify risks and potential impacts on personal data and implement relevant control measures.

3) We assess our compliance with applicable laws and regulations. Our data privacy complaint channel is dpo@bgrimmpower.com, handled by our Data Protection Officer. The process for responding to data breach incidents is as follows:

1) The CSOC detects an incident or receives an incident report from various channels, including the DPO.

2) The CSOC investigates the incident to determine the severity level, carries out damage control and situation remediation, issues preventive measures, and reports back to the DPO.

3) The DPO reports the incident to the Board of Directors and the Personal Data Protection Committee within 72 hours.

4) The Corporate Communications team communicates with employees and related parties.

We promote awareness and a corporate culture of cyber security and data privacy. All employees are required to undergo training and pass a relevant test every year. They are to familiarise themselves with the applicable policies and strictly adhere to cyber security and data privacy rules, regulations and best practices. We have a zero-tolerance policy for violators and will take the appropriate disciplinary and legal action based on the nature and severity of the offence.

Performance 2023

Legal Compliance

We reviewed our operational framework, policies and guidelines to ensure compliance with applicable laws and regulations, such as the Personal Data Protection Act B.E. 2562 (2019) and the Cybersecurity Act B.E. 2562 (2019), confirming that the company complies with the law and related regulations and is prepared for new regulations.

Training and Corporate Culture
  • We developed training courses on cybersecurity and personal data protection to ensure employees are well-informed and aware of various cyber threats. The training equips them with the knowledge to use organisational information and network systems accurately and in compliance with organisational policies and regulations, while also providing information on relevant laws and regulations. Additionally, assessments are conducted to evaluate comprehension. In 2023, 850 employees participated in the training, representing 70% of the total workforce. Among participants who underwent the assessments, the pass rate was 88%.
  • We consistently raise employee awareness about cyber threats and personal information protection through internal communication channels like monthly emails and posters. Topics covered include: Preventing data theft from public mobile phone charging stations, Web browser password collection and autofill precautions, Guidelines for using ChatGPT within the organisation, and Precautions against data deception via voice calls. Additionally, we conduct phishing simulations by sending realistic phishing emails to employees. This helps us gauge their awareness of cyber threats and provides them with a clearer understanding of the risks involved. The results of these tests guide further training and improvements to related measures. Furthermore, we organise activities simulating hacking situations and scenarios involving theft of employee ID cards via RFID and credit card data. These activities aim to increase employee awareness of potential threats and encourage them to take appropriate action to protect their personal information.
Information Technology Infrastructure and Cloud Security
  • In 2023, we conducted 2 cyber drills with a focus on responding to personal data leaks that continued from the previous year. These drills addressed threats from unauthorised personnel and malicious actors exploiting systems without multi-factor authentication. Additionally, we simulated responses to scenarios involving employee credential information, such as usernames and passwords, being posted for sale on the Dark Web/Deep Web.
  • We conducted vulnerability assessments and penetration tests (pentests) annually to identify vulnerabilities in system access and address them, strengthening our defences against attacks. These assessments are conducted by both internal teams and external experts and covered over 40 projects in 2023.
    • Vulnerability assessments were conducted to evaluate and identify risks from vulnerabilities found in operating systems, software or network infrastructure, such as the Computerise Operation Monitoring systems (COMs), Black/Gray Box Pentest systems, Server fault locator (SEFL) systems, Common Power Plant Information (PI) systems and Oracle EBS on Cloud systems.
    • Penetration testing covers both infrastructure and applications, and further helps us understand and mitigate potential attack vectors.
  • We expanded the use of Multi-Factor Authentication (MFA) to verify and authenticate individuals' identities using multiple factors, controlling access to systems, software, and various data, including newly implemented systems in 2023.
  • We conducted annual cyber security audits of cloud service providers to ensure their security robustness. We also regularly test the security of data usage and applications on the cloud for continuous assurance.
  • We assessed the organisational website's security from an external perspective using Security Scorecard. This comprehensive evaluation covers various aspects of the Domain Name System (DNS) management systems, providing an overview of security posture and guiding future improvement plans.
  • We have established regulations and guidelines to support work-from-home and work-from-anywhere arrangements. These aim to maintain tight cybersecurity and data privacy while promoting flexibility and efficiency in remote work. This includes managing internal computer systems (endpoints) through measures like installing antivirus software on all computers and setting access permissions for internal systems. In 2023, we implemented an Endpoint Detection and Response (EDR) system to detect cyber security anomalies, collect and analyse data, and identify threats, enabling prompt and effective prevention of security breaches.
  • We operate in accordance with established standards, both for infrastructure operations and information technology security systems. For newly built or merged power plants like BPAT2-3 in 2023, we ensured their system structure and operating framework align with B.Grimm Power's basic standards.
Audit

We demonstrate our commitment to cybersecurity and personal data protection through consistent assessments and certifications. In 2023, our information security management system achieved certification under the international standard ISO/IEC 27001:2022 and undergoes regular external audits. We also leverage external specialists to conduct risk assessments following the standards of the U.S. National Institute of Standards and Technology (NIST). This comprehensive approach ensures our ability to rigorously maintain cybersecurity and promptly respond to any incidents. We also continuously review our personal data protection policy, focusing on verifying its completeness and alignment with the Personal Data Protection Act. In 2023, the internal audit department performed an audit covering the relevant policies and procedures among employees. Overall, we received no complaints related to personal data breaches, and there were no significant incidents threatening information system infrastructure or cyber security breaches that could lead to damages, fines or legal action against B.Grimm Power in 2023.

B.Grimm Power received an award in the 2023 Cybersecurity Resilience Survey, organised by the Stock Exchange of Thailand for listed companies. We achieved a rating of 4.81 out of 5.00, exceeding both the industry benchmark (NIST Function Average Rating of 2.40) and the average rating of participating companies (2.11).

| Indicator | Unit | 2020 | 2021 | 2022 | 2023 |
| --- | --- | --- | --- | --- | --- |
| Cyber Security | | | | | |
| Number of information security breaches or other cybersecurity incidents | Case | 0 | 0 | 0 | 0 |
| Number of data breach incidents | Case | 0 | 0 | 0 | 0 |
| Number of customers and employees affected by the company's data breaches | Person | 0 | 0 | 0 | 0 |
| Personal Data Protection | | | | | |
| Complaints related to personal information breaches from individuals and general agencies | Case | 0 | 0 | 0 | 0 |
| Complaints related to information security breaches from regulatory bodies | THB | 0 | 0 | 0 | 0 |
