Cybersecurity & Data Privacy

Sea Oil Public Company Limited and its subsidiaries ("Company") recognize the importance of cybersecurity and personal data protection as critical factors in ensuring business continuity and maintaining the trust and confidence of customers, business partners, shareholders, and all stakeholder groups.

As technology continues to evolve and cyber threats become increasingly sophisticated, the Company has established policies, controls, and risk management processes to identify, assess, monitor, and mitigate information technology and personal data risks. These measures are designed to reduce the risk of data loss, data breaches, unauthorized access, and information system disruptions, while promoting cybersecurity awareness and responsible data management throughout the organization.

Targets and Performance
Targets
  • 100% of employees complete and pass the IT Security Awareness training and assessment program.
  • 100% of employees complete and pass the Personal Data Protection Act (PDPA) training and assessment program.
  • Zero personal data protection (PDPA) complaints.
Performance in 2025
  • 100% of employees completed and passed the IT Security Awareness training and assessment program.
  • 100% of employees completed and passed the Personal Data Protection Act (PDPA) training and assessment program.
  • Zero personal data protection (PDPA) complaints were recorded.
Governance Structure
Board of Directors

The Board of Directors is responsible for establishing policies and overseeing the management of information technology, cybersecurity, and personal data protection risks. The Board also monitors the implementation of related measures to ensure compliance with applicable laws, regulations, and relevant standards and practices.

Audit and Risk Management Committee

The Audit and Risk Management Committee is responsible for overseeing, monitoring, and reviewing the adequacy of the Company's internal control system, cybersecurity risk management, and personal data protection processes. The Committee also monitors the Company's preparedness for cyber threats and information security incidents and reports its findings and recommendations to the Board of Directors on a quarterly basis.

Information Technology Department

The Information Technology Department is responsible for implementing the Company's cybersecurity policies and controls, managing information technology infrastructure, monitoring security events, administering user access rights, and overseeing data backup and system recovery processes in the event of an emergency. The Department also reports cybersecurity and information security matters to the Audit and Risk Management Committee on a quarterly basis.

Internal Audit

The Internal Audit function is responsible for conducting audits in accordance with the Risk-Based Internal Audit Plan, assessing the adequacy and effectiveness of cybersecurity and personal data protection controls, and monitoring the implementation of corrective actions for identified findings. Audit results and key observations are reported to the Audit and Risk Management Committee on a regular basis.

PDPA Working Team

The PDPA Working Team is responsible for driving compliance with the Personal Data Protection Act (PDPA). Its responsibilities include reviewing and updating policies, procedures, and documentation related to personal data protection, monitoring compliance with applicable data privacy laws and requirements, and promoting communication and awareness of personal data protection practices among employees throughout the organization.

Cybersecurity
Cybersecurity Policy and Practices

The Board of Directors of Sea Oil Public Company Limited recognizes the importance of managing and maintaining the security of the Company's information technology systems. The Company is committed to ensuring that its information technology systems are supported by effective internal controls and that information remains accurate, reliable, secure, and available to support efficient and continuous business operations.

To this end, the Board has established a Cybersecurity Policy and related guidelines, which are communicated to directors, executives, employees, and relevant parties for implementation throughout the organization. The Company also conducts an annual review of its cybersecurity policies and information security standards to ensure their continued effectiveness and alignment with evolving business requirements, technological developments, and emerging cyber threats.

The Company has established an information security governance structure covering both internal operations and interactions with customers and external parties. Roles and responsibilities for information security oversight and decision-making have been clearly defined. The Company also requires the protection of confidential information and the secure handling of customer and third-party data.

For additional information, please refer to the Information Technology Management and Security Policy published on the Company's website.
Data Privacy
Data Privacy Policy and Practices

Sea Oil Public Company Limited and its subsidiaries ("Company") recognize the importance of personal data protection and respect the privacy rights of data subjects. The Company has therefore established a Personal Data Protection Policy to serve as a framework for governing personal data protection, safeguarding privacy rights, and managing personal data in compliance with the Personal Data Protection Act B.E. 2562 (2019) and other applicable laws and regulations.

For additional information, please refer to the Personal Data Protection Policy published on the Company's website.
Technology and Cybersecurity Risk Management

The Company recognizes information technology and cybersecurity risks as key enterprise risks and incorporates them into its Enterprise Risk Management (ERM) process. The Company continuously identifies, assesses, monitors, and manages risks arising from technological developments and cyber threats, while implementing appropriate controls and mitigation measures to reduce potential impacts on business operations, corporate reputation, and stakeholder information.

The Company has established risk management and response measures, including:

  • Annual information technology risk assessments.
  • Penetration testing conducted by independent external specialists.
  • Assessments of the effectiveness of cybersecurity protection systems.
  • Continuous monitoring and surveillance of information security events.
  • Regular reviews of risk controls and risk management practices.

For additional information, please refer to the Company's 2025 Form 56-1 One Report under the section "Risk Management."

Incident Management and Business Continuity

The Company has established a Cyber Incident Response Plan and a Business Continuity Plan (BCP) to address incidents that may affect information systems or business operations.

The plans define procedures for incident reporting, response, system recovery, and crisis communication. The Company also conducts regular testing and reviews of these plans to assess their effectiveness and ensure the timely recovery of critical operations while minimizing potential impacts on the business.

Management of Data Subject Rights

The Company has established a Privacy Center as a centralized platform for communicating its Personal Data Protection Policy, Privacy Notices for relevant stakeholder groups, and channels through which data subjects may exercise their rights in accordance with applicable data protection laws.

Data subjects may exercise their rights under the Personal Data Protection Act (PDPA), including the rights to access, rectify, erase, object to, or withdraw consent for the processing of their personal data through the channels provided by the Company. These mechanisms promote transparency and strengthen confidence in the Company's personal data management practices.

For additional information, please refer to the Company's website: https://www.seaoilthailand.com/th/privacy-center

In 2025, the Company recorded zero complaints relating to personal data privacy violations and PDPA compliance matters.

Cybersecurity and Data Privacy Awareness
IT Security Awareness Program

To support the Company's information security policy and promote awareness of the importance of using information technology systems in a secure, appropriate, and responsible manner, the Company conducts an Information Security Awareness Program on an annual basis. The program aims to ensure that all employees are aware of current cyber threats and understand the appropriate practices for using information technology within the organization. Employees are encouraged to apply the knowledge gained in their day-to-day work, contributing to a secure and sustainable information security culture across the Company that is aligned with international standards.

In 2025, 100% of employees completed and passed the IT Security Awareness training and assessment program.

Personal Data Protection Act (PDPA) Training and Awareness Program

The Company conducts annual refresher training under its Personal Data Protection Act (PDPA) Awareness Program to enhance employees' knowledge, understanding, and awareness of personal data protection requirements under the Personal Data Protection Act B.E. 2562 (2019). The program also reinforces employees' roles and responsibilities in the collection, use, disclosure, and retention of personal data in compliance with applicable laws, the Company's policies, and established best practices.

The training helps reduce the risk of personal data breaches, strengthens the confidence of customers, business partners, employees, and other stakeholders, and supports the Company's commitment to good corporate governance and sustainable business practices.

In 2025, 100% of employees completed and passed the Personal Data Protection Act (PDPA) Awareness Program.

Monitoring and Assessment of Control Effectiveness

The Company regularly monitors, reviews, and evaluates the effectiveness of its cybersecurity and personal data protection controls to ensure compliance with applicable policies, laws, and relevant standards. The assessment results are used to strengthen control measures and enhance the Company's ability to respond to evolving cyber risks and emerging threats on an ongoing basis.

The Company conducts regular assessments and monitoring of information technology risks, testing and reviews of key control measures, and ongoing oversight of Cybersecurity and Data Privacy performance. Significant risk issues are reported to management and the Audit and Risk Management Committee on a regular basis.

In addition, information technology, information security, and personal data protection processes have been incorporated into the Company's two-year Risk-Based Internal Audit Plan (2025–2026). The audits are designed to assess the adequacy and effectiveness of internal controls and to monitor the timely implementation of corrective actions arising from audit findings on an ongoing basis.

Under this plan, the Company conducted an audit of its Personal Data Protection processes in 2025 to assess compliance with the Personal Data Protection Act (PDPA), internal policies, and control measures relating to the collection, use, disclosure, and protection of personal data.

For 2026, the Company has scheduled a Cybersecurity audit to evaluate the effectiveness of its cybersecurity risk management framework, cyber threat prevention measures, information system access controls, user access management processes, data backup and recovery procedures, and readiness to respond to information security incidents.

In addition, the Company has engaged information technology service providers that are certified to ISO/IEC 27001, the internationally recognized standard for Information Security Management Systems (ISMS), to support the security of the Company's information systems and information assets.

Findings, observations, and recommendations arising from monitoring, audit, and assessment activities are incorporated into the continuous improvement of control measures and operational processes. These efforts support the ongoing enhancement of cybersecurity and personal data protection practices, while strengthening the confidence of customers, business partners, shareholders, and all stakeholders.