Cybersecurity and Data Privacy

SCG places great emphasis on cybersecurity in order to prevent the risks that arise from the loss of essential data, which would negatively impact its credibility and business operations. The SCG Privacy Policy has thus been instituted as a framework for personal data management, ensuring that the rights of customers, shareholders, employees, and other stakeholders are fully protected in compliance with personal data protection laws.
SCG's commitment to cybersecurity and data privacy is addressed in the SCG Sustainable Development Framework, which sets a common standard and unifies practices across all SCG operations.
Information Security & Cybersecurity and Data Privacy Governance and Policy
Oversight at Board level
SCG demonstrates strong governance over cybersecurity and data privacy through robust Board-level oversight and clearly defined accountability structures, aligned with international standards, best practices, and stakeholder expectations.
At the Board level, the Audit Committee plays a critical role in overseeing cybersecurity and information security risks as part of the Company’s enterprise risk management framework. The Committee assures that SCG has in place comprehensive risk management, internal control, and monitoring processes covering both operational technology and information technology systems. This includes safeguarding the integrity, availability, and confidentiality of data, as well as maintaining secure and resilient communication network systems in line with internationally recognized standards.
Cybersecurity is treated not only as an operational issue but as a strategic risk area, with regular reporting to the Audit Committee on key risk exposures, incident management, system vulnerabilities, and mitigation measures. The governance approach also covers data privacy and protection, ensuring that personal and sensitive data are handled in compliance with applicable regulations and global data protection principles, including transparency, accountability, and secure data management practices.
Importantly, the effectiveness of oversight is strengthened by the relevant expertise of Board members, in line with leading ESG expectations that emphasize the presence of cybersecurity competence at the Board level.

Mrs. Parnsiree Amatayakul
Independent Director, Member of Audit Committee and Remuneration Committee
*Director qualified as an Independent Director from March 27, 2019
Mrs. Parnsiree Amatayakul, Independent Director and member of the Audit Committee, brings significant value through her extensive experience in the information technology sector. With 30 years of experience in digital transformation and enterprise technology across ASEAN, including her previous roles as Managing Director of IBM Thailand (2011-2018) and General Manager for Enterprise and Commercial at IBM ASEAN (2019-2021), she contributes deep insights into cybersecurity, IT risk management, and digital governance.
Her background enhances the Board’s ability to critically challenge management, assess emerging cyber risks, and guide strategic responses, particularly in an environment of increasing digitalization and evolving cyber threats. This aligns with global best practices, where Boards are expected to possess adequate domain expertise to oversee cyber resilience and data protection effectively.
Through this governance structure, SCG strengthens its ability to anticipate, manage, and mitigate cybersecurity and data privacy risks, thereby safeguarding business continuity, protecting stakeholder data, and reinforcing trust among investors, customers, and partners.
Oversight at Management level
SCG has established a robust management-level governance structure to oversee cybersecurity, data privacy, and digital risks, aligned with leading ESG frameworks including MSCI and Sustainalytics.
At the management level, the SCG IT Governance Committee (ITG) serves as the central body responsible for directing and supervising information security, cybersecurity, and data privacy practices across the organization. The Committee is chaired by the Vice President – Corporate Administration and comprises senior executives, including the designated Chief Information Security Officer (CISO), ensuring that cybersecurity and data protection are embedded within enterprise-wide decision-making.
The IT Governance Committee is responsible for setting the overall strategic direction, policies, and control frameworks related to information and communication technology (ICT), ensuring alignment with SCG’s business strategy and risk management objectives. This includes the establishment and enforcement of the SCG e-Policy, which applies to all employees and is aligned with internationally recognized standards such as ISO/IEC 27001, ensuring consistency, accountability, and organization-wide compliance.
From a risk management perspective, the Committee oversees the implementation of measures to identify, assess, and mitigate cybersecurity and data privacy risks, including protection of critical information assets, IT infrastructure, and digital platforms. Regular monitoring mechanisms are in place to ensure compliance with policies, detect potential vulnerabilities, and strengthen the organization’s cyber resilience.
The role of the CISO, as part of the executive management team, is critical in operationalizing cybersecurity governance. The CISO is responsible for overseeing cybersecurity, IT risk management, data privacy, and digital innovation initiatives, ensuring that security considerations are integrated into technology development, digital transformation, and business operations. This aligns with global best practices that require clear executive accountability for cybersecurity and data protection.
In addition, the IT Governance Committee plays a key role in:
- Defining and maintaining the organization’s cybersecurity vision, strategy, and roadmap to safeguard information assets and ensure business continuity
- Establishing ICT policies, standards, and operational guidelines to support secure and efficient implementation across all business units
- Promoting the use of enterprise-wide platforms (e.g., ERP systems, cloud infrastructure, office applications) to enhance data integrity, security, and operational efficiency
- Overseeing and monitoring critical IT and digital transformation projects, ensuring that cybersecurity and data protection requirements are embedded from the design stage
- Providing guidance and coordination through SCG IT coordinators to ensure consistent implementation across the Group
Through this structured management governance, SCG ensures that cybersecurity and data privacy risks are systematically managed, regularly monitored, and continuously improved, supporting regulatory compliance, safeguarding sensitive data, and reinforcing stakeholder trust in an increasingly digital business environment.
In 2025, SCG further strengthened its management-level governance framework for cybersecurity and data privacy through enhancements in policies, operational controls, and oversight mechanisms, aligned with international standards.
1. Strengthening Policy and Control Frameworks
SCG continuously improves its cybersecurity control environment through the update and implementation of key operational standards and procedures. In 2025, three critical standards were enhanced:
- Vulnerability Scanning Standard to systematically identify and remediate system vulnerabilities
- Data Classification and Handling Standard to ensure appropriate protection levels based on data sensitivity
- Security Risk Acceptance Procedure to formalize risk-based decision-making and accountability
These updates reinforce SCG’s risk-based cybersecurity approach, ensuring that controls remain responsive to evolving cyber threats and aligned with business priorities.
2. Cybersecurity Governance and Oversight
At the management level, the Cybersecurity Governance Committee plays a central role in overseeing IT security practices across SCG. The Committee is chaired by the Corporate IT & BCM Office Director and is responsible for ensuring that cybersecurity measures are aligned with business strategies and capable of safeguarding operations from cyber threats.
Key responsibilities include:
- Establishing and maintaining the cybersecurity framework and policies in accordance with SCG e-Policy
- Reviewing and approving cybersecurity implementation plans and monitoring execution performance
- Tracking risk exposure through Key Risk Indicators (KRIs) to ensure proactive risk management
- Driving cybersecurity maturity improvement and promoting organization-wide risk awareness
- Reporting cybersecurity performance and data privacy matters to the IT Governance Committee, management team, and Board Audit Committee, ensuring clear escalation and accountability
To enhance operational readiness, SCG also conducts cyber threat simulations and exercises, enabling teams to test response capabilities, improve coordination, and strengthen resilience against potential cyber incidents.
3. Information Security Management System (ISMS)
SCG maintains an Information Security Management Committee in accordance with ISO/IEC 27001, responsible for establishing and enforcing information security policies and ensuring organization-wide compliance.
The effectiveness of the ISMS is regularly evaluated through:
- Internal ISMS audits
- Continuous monitoring of policy adherence across internal and external stakeholders
This ensures that SCG’s information security practices remain consistent, auditable, and aligned with global standards.
4. Data Privacy Governance and Protection
Data privacy is governed through a structured framework under the SCG Risk Management Committee, which also functions as the Personal Data Protection Committee. This Committee oversees compliance with applicable data protection laws and ensures that SCG’s Privacy Policy provides a comprehensive framework for responsible data management.
SCG’s data privacy practices are built on internationally recognized principles, including:
- Lawful, fair, and transparent data processing, with explicit consent obtained where required
- Purpose limitation, ensuring that personal data is collected and used only for clearly defined purposes
- Data minimization, limiting data collection to what is necessary
- Data subject rights, supported by systems that enable access, rectification, and deletion of personal data
- Transparency and accountability, including clear communication on data collection, use, sharing, and retention
- Third-party risk management, requiring business partners to comply with SCG’s data protection standards
In addition, SCG has established accessible mechanisms for data subjects to raise concerns and ensures proper documentation through Records of Processing Activities (ROPA) and privacy notices.
The Company also commits to:
- Timely notification to data subjects in the event of policy changes or data breaches
- Maintaining robust safeguards to protect personal data throughout its lifecycle
5. Continuous Improvement and Organizational Awareness
SCG emphasizes continuous improvement in cybersecurity and data privacy through:
- Regular simulation exercises and incident preparedness programs
- Ongoing employee awareness and training initiatives to strengthen cyber risk culture
- Continuous enhancement of governance, policies, and controls to address emerging risks
Employee Training, Awareness and Capacity Building on Cybersecurity and Data Privacy
SCG implements a comprehensive and structured employee training and awareness program on cybersecurity and data privacy, aligned with international best practices and ESG expectations from MSCI and Sustainalytics. The program is designed as a proactive and preventative control mechanism to strengthen cyber resilience, reduce human-related risks, and ensure organization-wide compliance with security and privacy requirements.
Mandatory Training and Organization-wide Coverage
All employees are required to complete annual mandatory training and testing on cybersecurity, data privacy, and ethics through SCG’s e-Policy and Ethics e-Testing programs, which are integrated into the Company’s Learning Management System (LMS) and linked to performance evaluation.
The training framework ensures:

- 100% employee participation and completion rate across all levels
- 100% passing requirement, reinforcing full understanding and accountability
- Role-based learning structure tailored to different employee levels (operational, supervisory, and management)
Training content covers key areas including:

- Cybersecurity awareness and information security practices
- Data privacy and Personal Data Protection Act (PDPA) compliance
- Prevention of IT system failures and cybersecurity incidents
- SCG Code of Conduct, Anti-Corruption, and ethical business practices

This mandatory approach ensures that employees not only acknowledge policies but are able to apply them effectively in daily operations, which is a key criterion in ESG assessments.
Cybersecurity and Data Privacy Risk Assessment and Mitigation
Given the increasing reliance on digital technologies and the evolving complexity of cyber threats, cybersecurity and data privacy are recognized as material enterprise risks that are actively managed within the Company’s risk management framework.
1. Integration with Enterprise Risk Management (ERM)
Cybersecurity and data privacy risks are fully integrated into SCG’s Enterprise Risk Management (ERM) process, covering:
- Risk identification and assessment across operations, including industrial control systems, IT infrastructure, and digital platforms
- Risk prioritization based on potential business impact and likelihood
- Development and implementation of risk mitigation measures
- Ongoing monitoring and reporting to management and governance bodies
This structured approach ensures that cyber risks are managed consistently alongside other strategic and operational risks, in line with good corporate governance practices.
2. Regular Risk Assessments and Independent Certification
SCG conducts regular cybersecurity risk assessments and vulnerability testing to identify and address potential weaknesses, including:
- Penetration testing to simulate real-world attack scenarios and identify system vulnerabilities
- Risk assessments of industrial control systems (ICS) and critical infrastructure
- Internal control assessments aligned with international standards
In 2024, SCG further strengthened its information security governance by achieving ISO/IEC 27001:2022 certification from the British Standards Institution (BSI). This certification demonstrates that SCG’s Information Security Management System (ISMS) meets globally recognized standards for risk management, control effectiveness, and continuous improvement, providing independent assurance on the robustness of its cybersecurity framework.

3. Preventive and Detective Security Controls
SCG implements a range of preventive and detective controls to mitigate cybersecurity risks, including:
- Multi-factor authentication (MFA) to secure access to critical systems
- Deployment of a Security Operations Center (SOC) for continuous threat monitoring across on-premise and cloud environments
- Network segmentation between industrial control systems and office IT systems
- Implementation of Web Application Firewall (WAF) to protect applications and sensitive data
These controls enhance SCG’s capability to prevent unauthorized access, detect anomalies, and respond to threats in a timely manner.
4. Incident Response and Business Continuity
The SCG Business Continuity Management (BCM) Unit has established robust incident response and business continuity frameworks, including:
- A Cyber Incident Response Plan aligned with the NIST Cybersecurity Framework
- A Disaster Recovery Plan (DRP) to ensure continuity of operations
- Defined cyberattack communication protocols for timely escalation
Regular drills and simulation exercises are conducted to ensure readiness and minimize potential disruption.
5. Continuous Monitoring, Audit and Improvement
SCG maintains a strong monitoring and assurance framework, including:
- Enhanced IT audit processes covering systems, processes, and cybersecurity controls
- Use of advanced technologies such as Machine Learning (ML), Robotic Process Automation (RPA), and Data Analytics (DA) to improve risk analysis
- Internal audit guidelines covering ERP systems, IoT security, cloud systems, and data governance
Findings are systematically reviewed to support a proactive and preventative approach to cybersecurity risk management.
6. Data Privacy Risk Management
SCG has established dedicated governance and processes to manage data privacy risks, including:
- Appointment of a Data Protection Officer (DPO) and establishment of a Data Protection Office
- Implementation of a Personal Data Protection Policy aligned with applicable regulations
- Deployment of privacy management systems, including records of processing activities and data subject rights management
These measures ensure the protection of personal data and reduce exposure to regulatory, financial, and reputational risks.