Information Technology Security, Cybersecurity, and Artificial Intelligence Policy
Announcement of RATCH Group Public Company Limited
No. 5/2025
Re: Information Technology Security, Cybersecurity, and Artificial Intelligence Policy
RATCH Group Public Company Limited (the “Company”) recognizes the importance of information technology, network systems, and artificial intelligence as tools to enhance the efficiency and effectiveness of its operations toward organizational excellence. The Company is committed to driving its business in the digital era to create innovation and value for stakeholders, as well as sustainable organizational growth, while upholding secure, ethical, well-governed, and responsible protection of data, systems, and the use of Artificial Intelligence (AI).
The Company has therefore established this Information Technology Security, Cybersecurity, and Artificial Intelligence Policy in alignment with applicable laws and international standards to ensure that the use and management of such technologies are secure, safe, transparent, and reliable. This Policy repeals the Announcement of RATCH Group Public Company Limited No. 2/2019 Re: Network and Computer System Usage Policy dated 17 April 2019; and the Announcement of RATCH Group Public Company Limited No. 2/2021 Re: Information Technology Security Policy dated 15 January 2021.
- To establish a framework for managing information technology, cybersecurity, and the use of Artificial Intelligence (AI) to safeguard the confidentiality, integrity, and availability of the Company’s data and information.
- To prevent and respond to all forms of cyber threats, reduce risks and impacts on the Company’s information assets, and ensure business continuity in alignment with the Company’s strategies and objectives.
- To govern the management of information technology, cybersecurity, and AI usage in compliance with the Computer-Related Crime Act B.E. 2550 (2007) and its amendments, the Cybersecurity Act B.E. 2562 (2019), the Personal Data Protection Act B.E. 2562 (2019), and other relevant laws.
- To align information technology, cybersecurity, and use of AI technology management practices with international standards such as the NIST Cybersecurity Framework, OECD AI Principles, and other related international practices.
- To ensure that such operations comply with the Company’s regulations, policies, announcements, and orders, and that information technology, cyber, and AI technology are appropriately utilized to support business operations and risk management in accordance with good corporate governance principles.
- This Policy applies to the Company’s Board of Directors, executives, employees, entities under the Company’s management control, and persons within the supply chain who are involved with the Company’s assets and systems. It covers all information technology systems, organizational data and digital assets, and devices connected to the Company’s network, without limitation as to location or time of use.
- The Company promotes and supports awareness of information technology security, cybersecurity, and responsible AI technology usage among the aforementioned groups. Any prior announcements, rules, orders, or practices that conflict with this Policy shall be superseded by this Policy.
- “Company/Organization” means RATCH Group Public Company Limited.
- “Policy” means the principles relating to information technology security, cybersecurity, and Artificial Intelligence (AI) established by the Company, approved by the Chief Executive Officer, and formally announced for enforcement.
- “Guidelines” means operational practices relating to information technology security, cybersecurity, and AI technology usage established and announced by the Company for strict compliance.
- “Entities under the Company’s management control” means entities over which the Company has control or authority, whether through holding more than 50% of shares with voting rights or controlling the majority of voting rights at shareholders’ meetings, including authority over management decisions and operations, and where information technology and/or network and computer systems, and/or AI systems are jointly utilized.
- “Supply Chain” means the network of relationships among the Company, its business partners, contractors, and relevant parties involved in the management of information technology security, cybersecurity, and AI of the Company and its controlled entities.
- “Information” means data, news, records, histories, textual content, computer programs, computer data, images, sounds, symbols, and other marks, whether stored in a format directly understandable by individuals or through computers or other means.
- “Information System” means a system that collects, stores, processes, and distributes data to generate useful information for decision-making and operations of individuals or the organization. It comprises several key components including hardware, software, data, people, processes, and networks. Its main function is to transform raw data into meaningful information to support management and achieve organizational objectives.
- “Information Technology” means technology used in business operations, including data/information, operating systems, application systems, database systems, hardware, and communication network systems.
- “Information Technology Security” means the protection of information systems and data to ensure confidentiality, integrity, and availability at all times, preventing unauthorized access, alteration, or destruction of data through administrative, technical, and physical measures to respond to threats.
- “Cyber” means data and communications arising from services or applications of computer networks, internet systems, telecommunications networks, including normal services of satellites, and other similar interconnected systems.
- “Cybersecurity” means measures or actions established to prevent, respond to, and reduce risks from all forms of cyber threats, both internal and external, which may impact the Company’s operations, national security, economic security, military security, or public order.
- “Cyber Threat” means any unlawful act or action carried out using computers, computer systems, or malicious programs intended to cause damage or abnormality to computer systems, computer data, or related information. It refers to a danger that adversely affects the operation of a computer, computer system, or other related data.
- “Artificial Intelligence (AI)” means technology developed to enable computer systems, robots, machines, or electronic devices to exhibit human-like characteristics or behaviors as defined by human objectives, such as learning, perception and response to the environment, reasoning, and problem-solving.
- The Company shall manage information technology security, cybersecurity, and AI usage in compliance with applicable laws, governmental regulations, the Company’s related policies, and internationally recognized standards such as ISO/IEC 27001, the NIST Cybersecurity Framework, and OECD AI Principles.
- The Company shall establish guidelines on information technology security, cybersecurity, and the use of AI technology for relevant parties to adhere to in their operations. These guidelines aim to prevent threats and reduce risks from intruders in the use of the Company’s information technology, cyber, and AI technology.
- The Company shall establish guidelines on information technology security, cybersecurity, and AI technology usage to support business operations, business development, and comprehensive and appropriate risk management, as follows:
- Establish a systematic management structure for information technology security, cybersecurity, and the use of AI technology, clearly defining the roles, responsibilities, and duties of all relevant parties at every level to ensure effective governance of information technology, cyber systems, and the use of Artificial Intelligence (AI).
- Establish processes for risk identification, risk assessment, and the determination of acceptable risk levels, including the management of risks related to information technology, cybersecurity, and AI usage. This includes conducting surveys and maintaining an inventory of information technology assets, as well as assessing risks that may affect the security of systems and data, in order to develop appropriate prevention plans aligned with the level of risk and to address potential cyber threats that may arise in the future.
- Emphasize the implementation of control measures to prevent unauthorized access to or use of data, as well as to prevent data loss or destruction, by adopting appropriate technologies such as access control systems, endpoint protection systems, and data encryption. In addition, provide continuous training to employees to enhance awareness of information technology, cyber, and the use of Artificial Intelligence (AI).
- Establish systems and processes to monitor and detect abnormal events, and to manage information technology security breaches or potential cyber threats that may occur within the information technology systems in real time. This includes using tools capable of analyzing cyber threats and providing early warnings, enabling timely response and risk management to minimize potential impacts on the organization. Additionally, continuously improve processes to ensure effectiveness, enabling the organization to contain incidents, implement corrective actions, mitigate impacts, provide remediation, and promptly recover business operations and information assets.
- Establish guidelines and response plans for cyber threats and the use of Artificial Intelligence (AI) technology that cover cyber threat levels and AI usage, reporting procedures, review processes, impact containment, and system recovery. In addition, appoint a Cybersecurity Incident Response Team (CIRT) to ensure that corrective actions and situation control are carried out systematically, minimizing potential damage to the greatest extent possible.
- Establish a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) for information technology systems to ensure that the organization can resume operations quickly and continuously following a cyber threat. The recovery plans shall be regularly reviewed and updated, incorporating lessons learned from past incidents to systematically improve management practices.
- The Company shall establish criteria for the use of AI technology in alignment with ethical principles, applicable laws, and appropriate and verifiable guidelines that are in line with the OECD AI Principles.
- The Company shall establish a process to regularly promote awareness of information technology security, cybersecurity, and the responsible use of AI technology among the Board of Directors, executives, employees, entities under the Company’s management control, as well as relevant parties throughout the supply chain.
- The Information Technology and Cybersecurity Risk Management Working Committee has duties as prescribed in RATCH Group Public Company Limited’s Order No. C.13/2025, to ensure governance and oversight in compliance with this Policy.
- A review of this Policy and related guidelines shall be conducted at least once a year to ensure that the principles of this Policy remain aligned with the Company’s context and business operations at that time, or whenever there are changes in relevant laws, technologies, or threats.
Any person who violates, fails to comply with, or breaches this Policy shall be subject to disciplinary action under the Company’s work regulations. If such action constitutes a legal offense, legal penalties may also apply.
For the acknowledgement and compliance of all.
Announcement Date: 17 October 2025
Chief Executive Officer




