Policy and Management Framework

RATCH recognizes the importance of information technology, computer networks and artificial intelligence as tools that improve operational efficiency and effectiveness and pave the way for excellence. With a commitment to driving the business in the digital era to create innovation and value for stakeholders, in 2025 the Company reviewed and promulgated the revised Information Technology Security, Cybersecurity and Responsible Artificial Intelligence Application Policy to ensure closer alignment with relevant legal principles and international standards. Under the policy, RATCH is committed to safeguarding information, systems and AI applications with governance and accountability, so that technology is applied and managed in a secure, transparent and reliable manner.

Guidelines on Generative AI application

RATCH has established guidelines and educated employees on the responsible, cautious, appropriate and effective use of Generative AI in compliance with relevant laws, regulations, announcements and rules. The guidelines also address the prevention of data leakage and misuse of information when using Generative AI, which could affect individuals, the Company, society and the country as a whole. The guidelines are as follows:

1. Employees should study and understand Generative AI before use.
2. Use Generative AI in a responsible, ethical and honest manner, in compliance with applicable laws and regulations and the Company's rules, announcements and orders.
3. Do not input, use or disclose the Company's confidential information, including sensitive internal information or information that may affect the Company's operations.
4. Generative AI must not be used as a substitute for human judgment in high-risk situations.
5. Do not use Generative AI to create false or misleading information, or content that may harm individuals, the Company or society.
6. Do not use personal data without the data subjects' consent or in violation of the Personal Data Protection Act B.E. 2562 or other applicable laws.
7. Do not use Generative AI to create content that infringes any trademark or intellectual property rights, including the unauthorized reproduction, copying, modification or use of content belonging to another person or entity.
8. Do not input the Company's internal or confidential information.
9. If it is necessary to use the Company's internal information with Generative AI, such use must comply with the Company's requirements and must receive prior approval from the user's supervisor on a case-by-case basis.
10. Do not input information that may affect the security of the Company's information technology systems.
11. Review and verify any source code generated by Generative AI before use to ensure its accuracy and to check thoroughly for potential vulnerabilities.
12. Notify a supervisor when observing a security breach related to the use of Generative AI, in accordance with established procedures, and immediately follow the operational procedures for managing security incidents.
13. The Company continuously monitors the use of Generative AI to safeguard cybersecurity, information technology systems and the Company's information.
14. Review content generated by Generative AI before use or public dissemination to reduce or prevent unfair bias, discrimination or impacts on the rights of individuals or groups, and to uphold the principles of equality and human rights standards.
15. When using or disseminating content generated by Generative AI, users must use only the Generative AI technologies approved by the Company.
16. Users and individuals involved in the use of Generative AI technology must inform their superiors about the objectives, scope and nature of the collaboration. Users must immediately notify their supervisors in the event of errors or issues, including situations where input data may have a negative impact on individuals, the Company or society, so that timely correction is possible.
17. When using content generated by Generative AI, users must include the statement "This content is generated with AI assistance." to ensure transparency and avoid misunderstanding among recipients.
18. Generative AI applications or technologies approved by the Company are for business use only and must be accessed using the Company's email and approved by the AI & Data Analytics Division. In case of doubt regarding data security, users must consult their supervisors or the relevant officers before taking any action.

Structure of IT security and cybersecurity oversight

Management of IT and cybersecurity risks

Scope and categories of IT risks

RATCH classifies risks associated with information technology, computer networks and artificial intelligence into 4 categories as follows:

Risk management process

The information technology, computer networks and AI risk management process consists of 4 elements, as follows:

Risk identification and management

The Company identifies, assesses and prioritizes IT risks based on their impact on IT security and operational continuity, and implements appropriate control measures as outlined below:

Risk category / issue: Preventive and control measures

Physical and environmental risks

Connection of insecure mobile devices to the Company's network
  • Establish a computer usage policy and guidelines, together with a log system to record usage data.
  • Provide separate Virtual Local Area Networks (VLANs) for internal and external users connecting to the Company's network.
  • Inspect and control the use of outsiders' computers, mobile phones and other devices.
  • Prepare a plan for the connection system and monitor access from BYOD devices to ensure identity verification and security.

Software and application risks

Gaps caused by end-of-life (EOL) software
  • Upgrade software or applications before they reach end of life.
  • Monitor the status of software and applications to ensure they are updated to the latest versions.

Network-related risks

Theft of, attack on or misuse of the Company's Virtual Private Network (VPN)
  • Define rules for use of the VPN system, requiring user authentication for access.
  • Establish two-factor authentication for the Company's VPN.

Management of risks associated with third party and IT suppliers

The measures to tackle risks related to suppliers in the supply chain are as follows:

Technology service providers
  • Specify selection criteria requiring suppliers to possess cyber security certification and disclose their records of cyber incidents or cyberattacks.
  • Define work requirements in contracts, including data encryption, data breach alert systems, emergency response plans (such as the ability to switch to alternative suppliers if the contracted party's system malfunctions, or early warning mechanisms in the event of a data breach), recovery procedures, monitoring and supplier performance reviews.
Other suppliers
  • Establish a supplier selection process and ensure that signed contracts comply with the Company's privacy policy and guidelines, including a Non-Disclosure Agreement (NDA), Data Processing Agreement (DPA) and Service Level Agreement (SLA). In the event of any changes to services related to key systems, the Company will reassess the supplier's security level and revise the contract in accordance with applicable laws or regulations.
  • Define the roles and responsibilities of the Company representatives regarding information technology, cyber security, and artificial intelligence in line with the Company’s IT security policy, personal data protection policy, and data governance policy. Such representatives shall sign an acknowledgement form and strictly comply with these requirements throughout the duration of their contracts.

Mitigating Risks in Information Technology System Security

Risk prevention measures

Strengthening prevention measures

Measure: Method

1. Security Operations Center (SOC)
  • Engage external experts to support the monitoring, detection, analysis of and response to cyberattacks, and to safeguard the Company's systems and data 24 hours a day.
2. Server and equipment update/upgrade
  • Apply updates to servers and equipment.
  • Maintain key systems and equipment on a monthly, quarterly or biannual basis.
3. Employee training to raise awareness of information technology, computer networks and artificial intelligence
  • Communicate work-related knowledge, news updates and incident alerts on the 1st and 16th of each month, for example on phishing emails that may carry viruses or malware, to prevent deception or data damage, and on patch management updates that address security vulnerabilities in operating systems, applications or programs.
4. Penetration testing (pentest) by a third party
  • Test systems directly connected to the Internet to identify security vulnerabilities exploitable in cyberattacks.
  • Conduct phishing simulations to assess and improve employee awareness of cyberattacks and record response statistics.
5. Vulnerability assessment scan (VA scan) of applications and servers
  • Conduct annual scans to evaluate the effectiveness of corrective measures for high-risk issues. The most recent scan identified no vulnerability requiring remediation.

Cybersecurity Management

Responsibilities

Risk Management Working Committee
  • Follow up on IT security and cybersecurity measures twice a year.

Internal Audit Department
  1. Review compliance with the following policies and standard practices:
    • Information Technology Security Policy
    • Efficiency and adequacy of risk mitigation and security systems
    • Emergency response plan for disasters
    • Exercise of the emergency plan under the Business Continuity Plan
    • Security measures for computer equipment
    • Assessment of security risks to the IT system
  2. Report on cyberthreat monitoring on an annual basis.

Business Solution Division and Security Operations Center
  • Monitor, track, screen, prevent and respond to cyberattacks originating internally or externally, and monitor IT security systems such as the Intrusion Prevention System, firewall and cybersecurity protection system.

External Auditor
  • Review IT system controls and access to programs and data, including folder management, user access modification and user revocation. The annual review is included in the annual audit of the Company's financial statements.

Cyberattack response plan

RATCH has established and implemented the cyberattack response measures to ensure that relevant personnel are able to respond to and address threats in a timely and appropriate manner. The measures cover situation assessment, action planning, damage control, and internal and external communications. They aim to contain incidents, mitigate impacts, and facilitate rapid recovery. The Cybersecurity Incident Response Plan is regularly exercised, enabling participants to learn from simulation, strengthen the Company’s resilience, and reduce cyberattack risks.

Cyberattack recovery

To avoid operational disruption from cyberattacks, crises or disasters, RATCH prioritizes maintaining business continuity and restoring IT systems within a short period. A Business Continuity Plan (BCP) and an IT Disaster Recovery Plan (DRP) have been established, together with the detection and assessment of potential information technology and cyber risks. These plans are reviewed and exercised at least once a year to ensure their effectiveness during emergency incidents. The backup system is also tested at least annually to strengthen system availability and resilience, enabling rapid recovery of operations.

Response to IT and Cybersecurity Disasters and Emergency Incidents

RATCH has established the backup center and recovery plans for disasters and emergency incidents relating to IT security and cybersecurity, in preparation for emergencies that may affect the IT system's capabilities and effectiveness. The response process is as follows:

IT security and cybersecurity incident tracking

Detection of breaches and incidents on information technology and computer networks

RATCH maintains a detection process to monitor breaches and incidents on computer networks and information technology. The results are reported to Management and the Risk Management Working Committee on a quarterly basis for further submission to the Risk Management Committee, the Corporate Governance and Sustainability Committee and the Board of Directors.

Detection activities conducted in 2025 by the internal audit team and external experts identified no breaches of IT security or cybersecurity guidelines and no incidents affecting the IT infrastructure.

Detection checklist                                                        Unit     2025   2024   2023
Breaches of or non-compliance with IT security and cybersecurity guidelines
  Total number of data breaches or cyber incidents                         Times    0      0      0
  Total number of customers and employees affected by data breaches        Persons  0      0      0
  Total amount of fines/penalties relating to data breaches or other cyber incidents   Baht   0   0   0
IT infrastructure incidents
  Total number of IT infrastructure incidents                               Times    0      0      0
  Financial impact caused by such incidents                                 Baht     0      0      0

Information Security Awareness and Training

RATCH places importance on enhancing employees’ knowledge, understanding, and awareness of cyber security at all levels through continuous knowledge sharing and training. This helps employees remain vigilant against cyber threats in today’s business environment, as individuals play a critical role as the organization’s first line of defense. All employees are informed of appropriate guidelines for protecting data and information technology systems, which serves as a cornerstone in strengthening cybersecurity and ensuring readiness to manage risks in a sustainable manner.

Topic: Cybersecurity for organizational protection
Objective:
  • To build awareness of current cyber threats faced by the Company
  • To communicate the Company's cybersecurity policy and future direction
No. of participants (persons): 40
Applicability in daily routines (medium-high): 100%
Benefits:
  • Understanding and awareness of the careful and responsible use of IT equipment
  • Understanding of cybersecurity incident response procedures

Whistleblowing channel

RATCH has established a whistleblowing channel to receive reports or complaints from stakeholders regarding potential violations of or non-compliance with the Code of Conduct, data breaches or data leakage, cybersecurity incidents, actions or activities that may pose cyber risks, suspected corruption, or any conduct that violates applicable laws or may cause damage to the Company's information technology systems or reputation. The Company places great importance on the confidentiality of complainants and has established appropriate procedures for receiving, investigating and responding to such reports. Stakeholders may use the following channels to submit inquiries or file a complaint: