Cybersecurity and Data Privacy
SCG places great emphasis on cybersecurity to prevent risks arising from the loss of essential data, which would negatively impact its credibility and business operations. The SCG Privacy Policy has thus been instituted as a framework for personal data management to ensure that the rights of customers, shareholders, employees, and other stakeholders are fully protected in compliance with personal data protection laws.
SCG's commitment to cybersecurity and data privacy is addressed in the SCG Sustainable Development Framework in order to set standards and unify practices across all SCG operations.
Information Security & Cybersecurity and Data Privacy Governance and Policy
The oversight of cybersecurity at Board level
SCG's Audit Committee ensures that the Company has risk management, operating, control, and supervision processes for its operations and information technology, and that it maintains effective communication network and systems security in compliance with international standards.
The Audit Committee includes members with industry experience and expertise relevant to IT/cybersecurity.
Mrs. Parnsiree Amatayakul recently joined the Board of Directors of SCG and holds the position of Independent Director; she is concurrently a member of the Audit Committee and the Remuneration Committee.
Mrs. Amatayakul received a Bachelor's Degree in Business Administration from Chulalongkorn University, Thailand, and a Master of Business Administration from the Anderson School of Management at UCLA. She has also completed the Directors Certification Program (DCP 99/2008).
Mrs. Amatayakul has extensive industry knowledge, especially in information technology, risk management, marketing, accounting, and finance, as well as policy setting and strategic planning. She spent almost 30 years in the IT industry, working with clients across ASEAN/SA on digital transformation. She was General Manager, Sales, Enterprise and Commercial, IBM ASEAN from 2019 to 2021. Prior to this, she was Managing Director of IBM Thailand from 2011 to 2018. Since 2018 she has held board positions at construction material, financial services, and food companies. With her extensive knowledge and direct working experience in various industries, especially in the field of information technology, Mrs. Amatayakul is a great addition to SCG.
*Director qualified as an Independent Director from March 27, 2019
Executive Management Responsibility
- SCG IT Governance Committee (ITG): establishes policies and regulations concerning the use of information and communication technology (SCG e-Policy) for all SCG employees in accordance with ISO/IEC 27001, and monitors compliance to ensure common practice across the organization. The ITG is chaired by Mr. Paramate Nisagornsen, Vice President-Corporate Administration and a member of the SCG Executive Management team, who is assigned as Chief Information Security Officer (CISO) and is responsible for overseeing IT, cybersecurity, data privacy, startups, and digital innovation, drawing on his skills and expertise in IT, information security, and digitalization. The roles and responsibilities of the SCG IT Governance Committee are as follows:
- Establish and maintain the organization's vision, strategy, and program to ensure that information assets and technologies are well protected.
- Establish Information and Communication Technology (ICT) policies (SCG e-Policy), strategies, and operational guidelines that are consistent with the business direction and strategies, for effective implementation.
- Establish and identify common platforms that benefit SCG as a whole, including Enterprise Resource Planning (ERP), office applications, cloud data, etc.
- Support and monitor important ICT projects in all business units.
- Consult with the SCG IT Coordinator.
In 2023, the following additional actions were taken:
- Three operational standards and procedures were adjusted, including: 1) Vulnerability Scanning Standard; 2) Data Classification and Handling Standard; and 3) Security Risk Acceptance Procedure.
- Organizational guidelines were exercised in a variety of cyber threat simulations to improve operational readiness and efficiency.
- Cybersecurity Governance Committee: oversees SCG's information technology security practices and ensures that they are aligned with business directions and can effectively protect business operations from cyber threats. The Cybersecurity Governance Committee is chaired by Corporate IT & BCM Office Director Mr. Piyapon Valaikanok and has the following roles and responsibilities:
- Set the cybersecurity policy framework in accordance with the e-Policy.
- Consider and approve the cybersecurity implementation plan and closely monitor operating performance.
- Monitor and track operating performance against Key Risk Indicators.
- Promote cybersecurity maturity and raise risk awareness among all SCG employees.
- Report operating results to the Information Technology Governance Committee, the SCG management team, and the Board Audit Committee.
- Information Security Management Committee: established in accordance with the ISO/IEC 27001 standard to govern and set operational information security policy, and to ensure that relevant internal and external personnel adhere to that policy appropriately, as assessed by the internal ISMS audit.
- SCG Risk Management Committee: functions as the Personal Data Protection Committee, which is responsible for overseeing data protection practices to ensure compliance with relevant laws and for establishing the SCG Privacy Policy, which complies with the Personal Data Protection Law and provides the framework for personal data management. The practices SCG has implemented, together with accessible mechanisms for data subjects to raise concerns about data privacy, include establishing a legal basis for personal data processing, providing a privacy notice to data subjects, maintaining records of personal data processing, developing a data subject rights management system, and implementing leading data protection standards. The SCG Privacy Policy addresses the following:
- Commitment to notify data subjects in a timely manner in case of policy changes or data breach
- Commitment to obtain user data through lawful and transparent means, with explicit consent of the data subject where required. Data subjects can access their accounts to erase, rectify, complete or amend personal information.
- Commitment to collect and process user data that is limited to the stated purpose
- Clear terms involving the collection, use, sharing and retention of user data including data transferred to third parties
- Commitment to require third parties with whom the data is shared to comply with the company’s policy
Regular employee awareness training and development on cybersecurity issues and data privacy management
SCG has expanded its investments both domestically and abroad. A key factor in its success and sustainability is the ethics and integrity of its employees and suppliers. In order to build understanding and evaluate ethics among employees at all levels and among suppliers, SCG has conducted various activities as part of a Proactive and Preventive System comprising the following:
- Regularly promotes awareness of the use of technology, including cybersecurity issues and data privacy management, among employees and suppliers through training and other activities such as Cybersecurity Awareness Month, to ensure that employees understand the effective use of technology and can protect the business from cyber threats. The Company also conducted a self-phishing email simulation drill to test employees' awareness; the results show the Company which cybersecurity training topics employees need to understand better, allowing for improved communication to the target audience. A test of employee awareness and understanding of the SCG e-Policy is also organized on an annual basis.
- Training and testing through Ethics e-Testing and e-Policy e-Testing are conducted annually to instill knowledge and awareness in employees at all levels and to ensure that they are able to appropriately apply and put into practice SCG's 4 Core Values, Code of Conduct, Bribery & Corruption and Anti-Corruption Policy, the effective use of technology to protect the business from cybersecurity threats, and the Personal Data Protection Act (PDPA).
The e-Policy training and testing focus on key cybersecurity issues related to preventing IT system failures and major information security and cybersecurity incidents.
The year 2023 marked the ninth consecutive year of SCG Ethics e-Testing and the seventh of e-Policy e-Testing, both of which all SCG personnel are required to take, followed by an analysis of responses and clarification to ensure thorough and accurate understanding among employees at all levels. The tests are reviewed every year to ensure they are up to date with potential risks. In 2023, all employees completed the Ethics e-Testing and e-Policy e-Testing, with a 100% pass rate. The answers were analyzed, and the key issues were identified and communicated to employees to foster a correct understanding.
All employees are required to acknowledge the SCG Code of Conduct and SCG e-Policy and to take the Ethics & SCG e-Policy e-Testing, which consists of a training module and a test module, on a yearly basis to ensure their acknowledgment, awareness, understanding, and proper application of the Company's policies. For the test module, employees must pass the criteria for all chapters; a score of 100% is mandatory for all employees. The Ethics & SCG e-Policy e-Testing is part of the employee performance evaluation and is linked with the Learning Management System (LMS) of Human Resource Management.
All employees in relevant positions must pass the SCG e-Policy e-Testing (20 questions) and Ethics e-Testing as follows:
- Operator, and Supervisor 1 & 2 for Basic level (20 questions)
- Supervisor 3 & 4 for Apply level (10 questions)
- All Management levels and up for Advanced level (10 questions)
Regular cybersecurity and privacy risk assessments
Because SCG's business operations rely heavily on technology and cyber threats are becoming more complex, SCG unavoidably faces growing cybersecurity and privacy risks.
Such challenges could have severe, large-scale effects on the Company, such as disrupted operations if the Company cannot maintain the cybersecurity of industrial control systems that rely on digital technology. Another notable effect could be the loss of the Company's critical information, such as product development information, trade secrets, and the personal data of customers, business partners, and employees. These could ultimately tarnish the Company's reputation and credibility. Other potential impacts include financial damage from paying ransoms in ransomware attacks, litigation and regulatory fines, and loss of revenue or profit as a consequence of failing to maintain cybersecurity vigilance.
In 2023, SCG received ISO/IEC 27001:2022 certification from the British Standards Institution (BSI) to enhance the efficiency of its information security management system.
Cybersecurity and privacy risk mitigation has been integrated into enterprise risk management, comprising risk or business opportunity identification, assessment and prioritization, response and mitigation, and monitoring and reporting, and adheres to the principles of good corporate governance as follows:
- Assessed the cyber risks of the computer systems controlling industrial production, service provision, and other work processes, and prepared a cybersecurity risk mitigation plan covering the key areas of SCG's operations in Thailand and overseas. Examples include implementing multi-factor authentication to manage access to the organization's critical information, and planning the installation of a Security Operation Center (SOC) to monitor cyber threats on core infrastructure (network devices and security devices), both on-premise and on-cloud, so that the Company can react to threats promptly. Other efforts include separating the industrial control system network from the office network.
- Performed penetration testing, in which a cybersecurity expert attempts to find and exploit vulnerabilities in the Company's computer systems so that weaknesses can be remediated and the risk of cyberattacks on the systems reduced.
- Continuously promotes awareness of the use of technology among employees through training and other activities such as Cybersecurity Awareness Month, to ensure that employees understand the effective use of technology and can protect the business from cyber threats. The Company also conducted a self-phishing email simulation drill to test employees' awareness; the results show the Company which cybersecurity training topics employees need to understand better, allowing for improved communication to the target audience. A test of employee awareness and understanding of the SCG e-Policy is also organized on an annual basis.
- Developed a Disaster Recovery Plan to handle emergencies, enabling users to continue working from a backup site. The Company has also prepared a cyber incident response plan based on the NIST Cybersecurity Framework by the National Institute of Standards and Technology, together with a cyberattack communication flow. Regular drills of these plans are carried out to prevent business interruptions from cyberattacks.
- Installed a Web Application Firewall to increase data security and reduce risks from cyberattacks.
- Documents were compiled for various internal control and cybersecurity auditing guidelines such as the auditing guidelines for the main ERP system used by the Company, IoT security, web application security, cloud development, and data governance.
- An assessment of information security-related internal controls was conducted with reference to ISO/IEC 27001 to review their adequacy and appropriateness for SCG's business operations. Good practices were also recommended, and a Proactive and Preventive System was established to reduce risks in business operations.
- Audit operations were reviewed and adjusted in accordance with the COVID-19 situation and the risks of the new normal era. Machine Learning (ML), Robotic Process Automation (RPA), and Data Analytics (DA) were utilized to improve the efficiency of risk analysis, and fieldwork was conducted only as necessary.
- IT audits were improved and divided into audits of IT systems, IT processes, and IT security. The audit processes were designed to suit each aspect, thereby enhancing auditing efficiency.
- Appointed an SCG Data Protection Officer and set up the Data Protection Office to monitor SCG business operations, provide recommendations in accordance with related laws, establish the SCG Personal Data Protection Policy, and implement data protection tools, such as preparing relevant legal documents and implementing privacy management software.
- The Business Continuity Management (BCM) Unit established a Cyberattack Communication Flow based on the NIST Cybersecurity Framework by the National Institute of Standards and Technology to protect against an attack and limit the damage if one occurs. Several measures have been applied to assess risks according to their severity levels and to formulate an action plan encompassing identify, protect, detect, respond, and recover, in order to minimize impacts on users and the business. Incidents that occur are recorded and analyzed to identify preventive measures.