Why is it important

In today’s digital landscape, information technology plays a vital role in B.Grimm Power’s operations, while the growing use of digital and AI-driven platforms creates significant opportunities to enhance efficiency and reliability across the business. At the same time, cyber threats and data privacy risks continue to increase in complexity, including challenges arising from greater reliance on external technology providers and AI-enabled cyber threats. Failure to effectively protect digital systems and sensitive information may undermine stakeholder trust, damage corporate reputation, and disrupt business continuity. Therefore, strengthening cyber security and privacy protection is essential to support safe, resilient, and sustainable business growth.

Management Approach and Strategy

Cyber Security

Policy and Commitment

B.Grimm Power takes information and operational technology security seriously to ensure timely and effective responses to cyber threats. To govern information security management across the organisation, we have established a comprehensive Information Technology Security Policy aligned with Thailand’s Cybersecurity Act B.E. 2562 (2019) and ISO/IEC 27001 standards. This policy is supported by a suite of sub-policies and practical guidelines. For more details, please refer to the summary version of the Information Technology Security Policy.

Governance Structure

B.Grimm Power has established a clear company-wide governance and reporting structure for cyber security, ensuring effective oversight, accountability and alignment with our strategic objectives.

Board-Level Oversight

The Digital Transformation Committee, established as a sub-committee of the Board of Directors, provides oversight of B.Grimm Power’s digital agenda. The committee ensures that digital initiatives are aligned with the organisation’s strategic objectives and long-term vision. In addition, the committee provides guidance, oversight, and evaluation of digital strategies to enhance operational efficiency, innovation, sustainability, and competitiveness, while also ensuring that cybersecurity, data privacy, and digital risk management are effectively addressed across the organisation. The committee reports to the Board of Directors annually.

Management Oversight

At the management level, a dedicated Head of Cyber Defense, serving in the role of Chief Information Security Officer (CISO), is appointed to lead the organisation’s cyber security and defense function, and reports to the President – Thailand, Malaysia and Energy & Industrial Solutions Business. The Head of Cyber Defense is responsible for establishing cyber security strategies, conducting risk assessments, and ensuring the consistent, corporate-wide implementation of information security policies and controls.

Cyber Defense Organisation

B.Grimm Power has established a dedicated Cyber Defense organisation comprising the following key functions:

  • Cyber Security, including the Cyber Defense Operations and Security Infrastructure teams, responsible for monitoring, detecting, and responding to cyber threats, and strengthening overall cyber resilience.
  • Incident Response, responsible for the timely detection, response, and recovery from cyber security incidents.
  • Cyber Security Governance, Risk & Compliance (GRC), responsible for policy development, cyber risk assessment, and compliance with applicable laws, regulations, and standards.

This structure strengthens accountability and supports B.Grimm Power’s ability to manage evolving cyber risks effectively.

Strategy

B.Grimm Power’s cyber security strategy focuses on protecting critical infrastructure, safeguarding sensitive information, and strengthening the resilience of our digital operations. We align our approach with internationally recognised standards, including the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) 2.0 and ISO/IEC 27001:2022, to ensure cyber security is governed as a core business priority. This integrated framework supports a risk- and governance-led model that links cyber security with leadership oversight, business objectives, and measurable outcomes, while also enhancing our readiness to manage emerging technology risks such as AI. To maintain strong protection, we operate continuous 24/7 monitoring and incident response through our Cyber Defense Operations, which investigates cyber security incidents and escalates critical cases to the appropriate management-level governance body to ensure timely supervision and resolution. Through this approach, B.Grimm Power positions cyber security as a strategic enabler that protects trust, supports operational excellence, and sustains long-term growth for our customers and partners.

Cyber Security Management Framework

Source: National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0

To support the implementation of our cyber security strategy, B.Grimm Power operates under four core principles: Operational Readiness, Risk Management, Cyber Security Culture, and Innovation. These principles reinforce our capability to prevent, detect, respond to, and recover from cyber risks effectively.

Key Principles for Cyber Security Operations

  • Operational Readiness: maintained under key principles such as upskilling, data privacy protection, system readiness, transparency and legal compliance, ensuring timely and appropriate responses to events.
  • Risk Management: achieved by assessing and planning for cyber security risks, covering infrastructure, network equipment and software.
  • Cyber Security Culture: built by raising cyber security awareness and understanding among all employees across our organisation.
  • Innovation: pursued by collaborating with allies to research and innovate solutions that enhance system resilience while creating value-added opportunities and business growth.

Privacy Protection

Policy and Commitment

Our Data Privacy policy covers our own operations, subsidiaries and suppliers. It specifies the types of personal data we may collect, the purposes of collecting them, customers’ rights and complaint submission or contact channels for data inquiries. This policy conforms to the Personal Data Protection Act B.E. 2562 (2019).

Governance Structure

B.Grimm Power has appointed a Data Protection Officer (DPO) responsible for developing policies and operational guidelines to ensure compliance with data protection laws and regulations. The DPO oversees personal data risk management, collaborates with internal departments to safeguard data privacy, and leads incident response efforts in the event of data breaches.

Additionally, we have established a Personal Data Protection Committee to oversee the governance, management, monitoring, and auditing of data protection practices. The Internal Audit Division serves as part of this committee, conducting annual reviews and evaluations of data security controls in compliance with the Personal Data Protection Act B.E. 2562 (2019). The committee focuses on identifying high-risk data activities, providing strategic recommendations, and raising employee awareness of data protection laws and compliance requirements.

Strategy

B.Grimm Power has established a data classification policy outlining definitions, rules, regulations, responsibilities, and class-based access rights. The policy defines four data classifications: public, internal use, confidential, and restricted. In addition, we actively manage the risks associated with data privacy protection in product and service design, system and application development, software upgrade and any project involving personal data. We employ the following strategies:

  • We have adopted the Privacy by Design and Privacy by Default principles to identify the data privacy risk factors and implement prevention or mitigation measures.
  • We require a Privacy Impact Assessment (PIA) to identify risks and potential impacts on personal data and implement relevant control measures.
  • We assess our compliance with applicable laws and regulations. Our data privacy complaint channel, dpo@bgrimmpower.com, is managed by the Data Protection Officer.

The process for responding to data breach incidents is as follows:

  • Cyber Defense Operations detects an incident or receives an incident report from various channels, including the DPO.
  • Cyber Defense Operations investigates the incident to determine the severity level, controls the damage, remediates the situation, issues preventive measures, and reports back to the DPO.
  • The DPO reports the incident to the Board of Directors and the Personal Data Protection Committee within 72 hours.
  • Responsible teams manage incident communication: the People Partnership team communicates with internal stakeholders, and the Corporate Communications team engages with external stakeholders and related parties.

We foster awareness and a corporate culture of cyber security and data privacy. All employees are required to complete training and pass a relevant test annually. They are to familiarise themselves with the applicable policies and strictly adhere to cyber security and data privacy rules, regulations and best practices. We enforce a zero-tolerance policy for violators and will take appropriate disciplinary or legal action based on the nature and severity of the offence.

Performance 2025

Policy, Compliance, and Governance

We reviewed and enhanced our operational framework, policies and guidelines to ensure compliance with applicable laws and regulations, including the Personal Data Protection Act B.E. 2562 (2019) and the Cyber Security Act B.E. 2562 (2019), and to prepare for new regulations. This includes a comprehensive review and enhancement of our internal Information Technology Security Policy to strengthen cyber security governance, data protection practices, and readiness for emerging regulatory and digital risks.

Training and Corporate Culture

We strengthen our cyber security culture through structured training and continuous awareness initiatives. A new online video platform was introduced to provide practical knowledge on cyber and AI-related risks, including deepfakes, call center scams, and the responsible use of generative AI tools (Large Language Models: LLMs). The programme was delivered in local languages to support consistent adoption across all regions and achieved an 89 percent training completion rate, with over 89 percent of employees passing the assessment. Regular cyber security awareness communications were conducted throughout 2025 to keep employees informed of emerging phishing and cyber threats, particularly those targeting user credentials and sensitive information.

Information Technology Infrastructure and Cloud Security
  • Cyber preparedness and threat detection
    We conducted 2 cyber drills focusing on AI-driven phishing attacks targeting user endpoints and cloud collaboration platforms such as SharePoint. In parallel, industry-leading threat intelligence was deployed to continuously monitor underground marketplaces, paste sites, blogs, forums, malware repositories, and more to help anticipate attacks and detect unknown data and credentials leaks. These initiatives enhanced employee readiness, improved early threat detection, and reduced risks related to credential theft, data leakage, and brand impersonation.
  • Incident response and cyber resilience enhancement
    We strengthened our incident response capabilities through the implementation of SOAR (Security Orchestration, Automation and Response), enabling automated workflows, faster response times, and consistent handling of cyber incidents, while reducing the operational workload for cyber defense teams. In addition, Vulnerability Assessments and Penetration Tests (Pentests) are conducted annually across critical business systems, power plant networks, and cloud environments. In 2025, 12 penetration testing projects were completed to further strengthen cyber resilience.
  • Secure access, endpoint, and network protection
    To reinforce endpoint and network security, we implemented Multi-Factor Authentication (MFA) for laptops and endpoint devices, significantly reducing the risk of unauthorized access. We also adopted a Secure Access Service Edge (SASE) platform to provide secure, reliable, and high-performance connectivity with integrated cybersecurity controls, improving security posture visibility and ensuring consistent compliance enforcement for users and branch locations.
  • Defence-in-depth for critical infrastructure
    We applied a defence-in-depth and Zero Trust approach across information technology (IT), operational technology (OT), and cloud systems at our co-generation power plants, ensuring the continuous, safe, and resilient operation of critical power infrastructure.

Audit

We demonstrated our commitment to cyber security and personal data protection through consistent assessments and certifications. Our information security management system has achieved certification according to the international standard ISO/IEC 27001:2022 and undergoes regular internal and external audits. We also leverage expertise from external specialists to conduct risk assessments following the standards of NIST. This comprehensive approach ensures our ability to rigorously maintain cyber security and promptly respond to any incidents.

In 2025, our Internal Audit conducted comprehensive information technology and information security audits that assessed the adequacy and effectiveness of controls, covering access management, infrastructure security, data and system governance, oversight of external service providers, and IT asset management.

Indicator (Case)                                                                          2022  2023  2024  2025
Cyber Security
  Number of information security breaches or other cyber security incidents (1)            0     0     0     0
Personal Data Protection
  Number of substantiated complaints received concerning breaches of customer privacy (2)   0     0     0     0

(1) These are defined as unauthorised access to computer data, applications, networks, devices, protected systems and data. Cybercriminals or malicious applications bypass security mechanisms to reach restricted
(2) Written statements by a regulatory or similar official body addressed to the organisation that identify breaches of customer privacy, or a complaint lodged with the organisation that has been recognised as legitimate by the organisation. This includes substantiated complaints related to personal information breaches from individuals, general agencies, and regulatory bodies.