The Company recognizes cybersecurity and personal data protection as essential enablers of trust among customers, suppliers, and stakeholders. The Company is therefore committed to conducting its operations in compliance with applicable laws and international standards, while continuously enhancing technology, information systems, and internal control processes to effectively prevent, detect, and respond to cybersecurity threats.
The Company integrates cybersecurity and personal data protection risk management into its corporate governance and enterprise risk management frameworks to ensure that operations are conducted in a secure, transparent, and auditable manner. In parallel, the Company promotes knowledge, awareness, and an organizational culture that emphasizes data confidentiality, data integrity, and the protection of customer privacy, which are fundamental to the Company’s long-term sustainable business operations.
Positive Impacts: Effective management of cybersecurity and personal data protection enhances customer and business partner confidence, supports the continuity of digital business operations, and mitigates financial risks arising from cyber incidents.
Negative Impacts: Cyberattacks or personal data breaches may have significant adverse impacts on the Company’s financial position, reputation, and stakeholder trust, as well as expose the Company to legal risks and penalties resulting from non-compliance with personal data protection laws.
Positive Impacts: Efficient and secure management of information technology systems improves energy efficiency in data centers and digital infrastructure, contributing to reduced resource consumption and minimizing environmental impacts from organizational operations.
Negative Impacts: Reliance on energy-intensive technology systems and data centers may increase operational costs and greenhouse gas emissions if energy efficiency management is not implemented in parallel with strengthening cybersecurity measures.
Positive Impacts: Personal data protection and cybersecurity reinforce trust among customers and society in the use of digital financial services, promote safe access to services, and support overall confidence in the financial system.
Negative Impacts: Cyber incidents or data breaches may affect customers’ privacy, security, and quality of life, potentially cause public concern and undermine societal trust in the Company if appropriate communication and remediation measures are not effectively implemented.
Positive Impacts: Promoting respect for human rights through the protection of personal data and privacy rights of customers and employees, in accordance with international principles and applicable laws, helps mitigate reputational risks and supports responsible business conduct.
Negative Impacts: Personal data breaches or inappropriate use of data may infringe upon individuals’ privacy rights and dignity, leading to legal and trust-related risks if robust governance systems, internal controls, and clear accountability are not adequately established.
The Company has established policies and regulations on data protection and information security systems to serve as a framework for managing information technology risks and personal data protection at an appropriate level, in compliance with applicable laws and relevant international standards. These policies and regulations cover the operations of the Company, employees, contractors, customers, and stakeholders involved in accessing or processing the Company’s data. Such policies and regulations are reviewed and updated regularly, at least once a year, and are subject to consideration and approval by the Board of Directors to ensure their appropriateness, relevance, and effectiveness in addressing continuously evolving cybersecurity risks.
The Company places the highest importance on the governance of data and information security systems. The Board of Directors has oversight and accountability at the policy level for the organization’s information security and cybersecurity matters and has delegated operational oversight responsibilities to the Information Security Committee (ISC), chaired by the Chief Executive Officer (CEO) and composed of senior executives from relevant functions. The roles and responsibilities of the Information Security Committee (ISC) are as follows:
The Company has established an Information Technology Security Division (CISO Division) to manage and strengthen information security. The Division reports directly to the highest executive responsible for information technology, whose role is equivalent to that of the Chief Information Officer (CIO). The CISO Division is responsible for formulating cybersecurity strategies and implementing measures relating to cybersecurity, risk management, security incident response, and compliance with international standards under a structured and clearly defined governance framework. This approach reflects the integration of cybersecurity as a core component of the Company’s information technology strategy and its sustainable business operations.
In addition, the Company has established an organizational structure to support effective information technology governance and risk management based on the Three Lines of Defense model, with clearly defined roles and responsibilities. The structure consists of business units responsible for IT operations, IT governance and IT risk, and IT audit.
The Company has implemented risk management measures and tools, along with a clear incident response process. The Company conducts system testing at least once per year to mitigate the risks of information technology disruptions and cyber threats, while ensuring readiness for emergency situations. In addition, the Company regularly reviews and reinforces employees’ awareness and understanding of information security. Key security practices include the following.
The Company prioritizes the safety and privacy of customer and stakeholder data. The Company has established a Personal Data Protection Policy, along with practices and measures related to the protection and security of personal data across all its operations, including those of its subsidiaries and stakeholders, such as customers, employees, shareholders, and business partners. All employees are required to strictly adhere to these guidelines. Failure to comply may result in disciplinary actions or legal consequences. To ensure the effective implementation of the Personal Data Protection Policy, the Company has established mechanisms such as the following.
In addition, the Company informs data subjects about the processing of their personal data in the following areas.
For additional information, please refer to https://www.ktc.co.th/en/about/data-protection-notice under “Company’s Data Protection Notice under the Personal Data Protection Policy of Krungthai Card Public Company Limited”.
In 2025, the Company identified 12 incidents involving customer privacy breaches resulting from the leakage of personal data, which were reported as errors originating from the Company or external service providers. These incidents were reported to the Information Security Committee (ISC) and/or the regulatory authority to ensure proper supervision and monitoring of corrective action in accordance with the guidelines prescribed by law or company regulations. The Company implemented systematic corrective and preventive measures, including reviewing operational processes, strengthening internal controls, and enhancing awareness among employees and external service providers regarding the importance of personal data protection, the potential impacts of data breaches, and the need for strict compliance with proper procedures. In addition, the Company emphasized relevant disciplinary measures and continued to develop and improve its systems to enhance monitoring and data risk prevention capabilities, in order to prevent similar incidents from recurring in the future.
The Company manages cybersecurity and personal data protection in accordance with international standards and has obtained ISO/IEC 27001:2022 certification for the Information Security Management System (ISMS) and ISO/IEC 27701:2019 certification for the Privacy Information Management System (PIMS). These certifications reflect the Company’s responsibility, transparency, and reliability in data management, which form a critical foundation for conducting financial business operations. The Company has continuously maintained these certifications for a period of six consecutive years, demonstrating its strong commitment to protecting the data of customers, suppliers, and stakeholders, as well as to systematically and sustainably mitigating risks arising from cyber threats.
In addition, the Company is currently in the process of obtaining PCI DSS (Payment Card Industry Data Security Standard) certification to enhance the security of card payment data and to continuously strengthen confidence in digital financial transactions.
ISO/IEC 27001:2022 Information Security Management System (ISMS) for all processes
ISO/IEC 27701:2019 Privacy Information Management System (PIMS) for all processes
The Company is committed to raising awareness of cyber threats and the importance of data security by continuously providing information technology security and personal data protection training to the Board of Directors, executives, and employees, as well as to suppliers and outsourced service providers. These efforts aim to enhance security standards and ensure strict compliance with applicable requirements.
The Company has implemented an organization-wide training program to enhance knowledge and understanding of ISO/IEC 27001:2022 and ISO/IEC 27701:2019, as well as laws related to personal data protection, through the Company’s internal e-Learning platform. The training program is divided into two modules: an introduction to ISO/IEC 27001:2022 (ISMS) and ISO/IEC 27701:2019 (PIMS), and practices for compliance with the standards.
This program is a mandatory training course for new employees as part of the onboarding process, and the content is reviewed and provided to employees across the organization on an annual basis.
A total of 1,822 persons participated in the training, representing 100% of all employees
100% of participants successfully passed the post-training assessment
The Company conducted a training program to enhance cybersecurity awareness and understanding among all employees, with a focus on recognizing cyber risks that may affect personal data, corporate information, and the Company’s business operations. The training covered key topics including awareness of email phishing threats, protection of critical information, development of skills to respond to suspicious incidents, enhancement of cybersecurity practices within the organization, and techniques to avoid becoming victims of online fraud. The program aims to strengthen employees’ knowledge, awareness, and preparation to effectively respond to cyber threats, foster a culture of information security, and support stable and sustainable business operations in the long term.
A total of 1,818 persons participated in the training, representing 100% of employees
In collaboration with the Technology Crime Suppression Division of the Royal Thai Police, the Company implemented proactive measures to strengthen cybersecurity protection for consumers through the organization of the 20th KTC FIT Talk: “Cyber Threat Awareness: Protecting Identity and Financial Assets in the Digital World.” The forum aimed to provide knowledge and insights into the evolving landscape of financial cyber threats, which have become increasingly sophisticated, ranging from phishing and call center scams to the use of artificial intelligence, deepfake technology, and agentic AI in attacks on financial transactions. The initiative also promoted collaboration among the public sector, private sector, and media in building digital resilience for Thai society. This initiative reflects the Company’s comprehensive role in safeguarding customers’ financial security through fraud intelligence sharing, 24-hour real-time transaction monitoring, the development of secure products and technologies such as KTC Digital Card, and continuous public awareness communication, with the objectives of mitigating cybercrime risks, strengthening confidence in the digital financial system, and supporting the sustainable growth of Thailand’s digital society and economy.