Policy and Management Framework
RATCH recognizes the importance of information technology, computer networks, and artificial intelligence as tools that improve operational efficiency and effectiveness and pave the way for excellence. With a commitment to drive business in the digital era to create innovation and value for stakeholders, in 2025, the Company reviewed and promulgated the revised Information Technology Security, Cybersecurity, and Responsible Artificial Intelligence Application Policy to ensure greater alignment with relevant legal principles and international standards. Under the policy, RATCH is committed to safeguarding information, systems and AI applications with governance and responsibility, to ensure secure, transparent and reliable application and management of technology.
Guidelines on Generative AI application
RATCH has established guidelines and educated employees on the responsible, cautious, appropriate and effective use of Generative AI in compliance with relevant laws, regulations, announcements and rules. The guidelines also address the prevention of data leakage and misuse of information when using Generative AI, which could potentially impact individuals, the Company, society and the country as a whole. The guidelines are as follows:
Structure of IT security and cybersecurity oversight
Management of IT and cybersecurity risks
Scope and categories of IT risks
RATCH classifies risks associated with information technology, computer networks and artificial intelligence into 4 categories as follows:
Risk management process
The information technology, computer networks and AI risk management process consists of 4 elements, as follows:
Risk identification and management
The Company identifies, assesses and prioritizes IT risks based on the impact on IT security and operational continuity, and implements appropriate control measures as outlined below:
| Risk category/issue | Preventive and control measures |
|---|---|
| Physical and environmental risks: Connection of insecure mobile devices to the Company's network system | |
| Software and applications risks: Gaps caused by end-of-life software (EOL) | |
| Network-related risks: Theft/attack and use of the Company's Virtual Private Network (VPN) | |
Management of risks associated with third party and IT suppliers
The measures to tackle risks related to suppliers in the supply chain are as follows:
| Technology service providers | |
| Other suppliers | |
Mitigating Risks in Information Technology System Security
Risk prevention measures
Strengthening prevention measures
| Measure | Method |
|---|---|
| 1. Security Operations Center (SOC) | |
| 2. Server and equipment update/upgrade | |
| 3. Employee training to raise awareness of information technology, computer networks and artificial intelligence | |
| 4. Penetration Testing (Pentest) by a third party | |
| 5. Vulnerability Assessment Scan (VA Scan) for applications and servers | |
Cybersecurity Management
Responsibilities
| Risk Management Working Committee | |
| Internal Audit Department | 1. Review compliance with the following policies/standard practices; |
| Business Solution Division and Security Operations Center | Monitor, track, screen, prevent and respond to cyberattacks, whether originating internally or externally; and monitor IT systems such as the Intrusion Prevention System, Firewall and Cybersecurity Protection System. |
| External Auditor | Review the IT system control and access to programs and data relating to folder management, user access modification and user revocation, etc. The annual review is included in the annual audit of the Company’s financial statements. |
Cyberattack response plan
RATCH has established and implemented cyberattack response measures to ensure that relevant personnel are able to respond to and address threats in a timely and appropriate manner. The measures cover situation assessment, action planning, damage control, and internal and external communications. They aim to contain incidents, mitigate impacts, and facilitate rapid recovery. The Cybersecurity Incident Response Plan is regularly exercised, enabling participants to learn from simulations, strengthen the Company’s resilience, and reduce cyberattack risks.
Cyberattack recovery
To avoid operational disruption from cyberattacks, crises or disasters, RATCH prioritizes maintaining business continuity and restoring IT systems within a short period. The Business Continuity Plan (BCP) and IT Disaster Recovery Plan (DRP) have been established, together with the detection and assessment of potential information technology and cyber risks. These plans are reviewed and exercised at least once a year to ensure their effectiveness during emergency incidents. The backup system is also tested at least annually to strengthen system availability and resilience, enabling a rapid recovery of operations.
Response to IT and Cybersecurity Disasters and Emergency Incidents
RATCH has established a backup center and recovery plans for disasters and emergency incidents relating to IT security and cybersecurity, in preparation for emergencies that may affect the IT system's capabilities and effectiveness. The response process is as follows:
IT security and cybersecurity incident tracking
Detection of breaches and incidents on information technology and computer networks
RATCH maintains a detection process to monitor breaches and incidents on computer networks and information technology. The results are reported to Management and the Risk Management Working Committee on a quarterly basis for further submission to the Risk Management Committee, the Corporate Governance and Sustainability Committee and the Board of Directors.
Detection activities conducted in 2025 by the internal audit team and external experts identified no breaches of IT security or cybersecurity guidelines and no incidents affecting the IT infrastructure.
| Detection checklist | Unit | 2025 | 2024 | 2023 |
|---|---|---|---|---|
| Breaches of or non-compliance with IT security and cybersecurity guidelines | | | | |
| Total number of data breaches or cyber incidents | Times | 0 | 0 | 0 |
| Total number of customers and employees affected by data breach | Person | 0 | 0 | 0 |
| Total amount of fines/penalties relating to data breach or other cyber incidents | Baht | 0 | 0 | 0 |
| IT infrastructure incidents | | | | |
| Total number of IT infrastructure incidents | Times | 0 | 0 | 0 |
| Financial impact caused by such incidents | Baht | 0 | 0 | 0 |
Information Security Awareness and Training
RATCH places importance on enhancing employees’ knowledge, understanding, and awareness of cybersecurity at all levels through continuous knowledge sharing and training. This helps employees remain vigilant against cyber threats in today’s business environment, as individuals play a critical role as the organization’s first line of defense. All employees are informed of appropriate guidelines for protecting data and information technology systems, which serves as a cornerstone in strengthening cybersecurity and ensuring readiness to manage risks in a sustainable manner.


| Topic | Cybersecurity for the organizational protection |
|---|---|
| Objective | |
| No. of participants (person) | 40 |
| % of applicability in daily routines (medium-high) | 100 |
| Benefits | |
Whistleblowing channel
RATCH has established a whistleblowing channel to receive reports or complaints from stakeholders regarding potential violations of or non-compliance with the Code of Conduct, data breaches or data leakage, cybersecurity incidents, actions or activities that may pose cyber risks, suspected corruption, or any conduct that violates applicable laws or may cause damage to the Company’s information technology system or reputation. The Company places great importance on the confidentiality of complainants and has established appropriate procedures for receiving, investigating and responding to such reports. Stakeholders may contact the following channels to submit inquiries or file a complaint: