Cybersecurity and Privacy Protection

Targets

  • Maintain 0 breaches of information security or other cybersecurity incidents (cases) that have a material financial impact
  • Maintain 0 breaches of customer data incidents (cases) that result in fines

Importance

Cybersecurity and privacy protection are critical challenges for businesses in the digital era. Cyber threats such as ransomware attacks and social engineering have evolved alongside emerging technologies like artificial intelligence (AI), creating new risks. A cybersecurity breach can disrupt systems, cause financial and reputational damage, and undermine the confidence of customers and stakeholders. Conversely, effective cybersecurity and privacy protection measures help build trust among stakeholders. Implementing stringent security controls to prevent cyber threats, and developing products and services that adhere to high data protection standards, enhance Central Retail’s reputation as a responsible and law-abiding organization. Central Retail has therefore responded by implementing threat detection systems, authentication processes, and advanced encryption technologies, while providing regular employee training to raise cybersecurity awareness.

Central Retail has formal procedures for reporting and escalating events, as outlined in the Incident Response Plan, which all employees, contractors, and third-party staff must follow. Information security events must be reported promptly through the appropriate channels, including executive management, internal audit, and legal counsel, to ensure effective investigation. Certain incidents, such as those involving customer data, must also be reported to authorities such as the Personal Data Protection Committee (PDPC). Events detected through logging and monitoring must follow the same reporting procedures, and, under policy, audit logs must be retained for at least 90 days to support investigations.

Central Retail has implemented various measures to strengthen cybersecurity and privacy protection, including deploying threat detection systems, authentication processes, and advanced encryption technologies. Additionally, employee training programs have been established to raise cybersecurity awareness and encourage proactive threat identification and reporting. Embedding data protection measures into products and services further enhances customer trust and ensures compliance with relevant regulations.

Management Approach

Cybersecurity Governance Structure

To ensure the security, effective management, and proper use of Central Retail's cybersecurity systems and privacy protection, a governance structure has been instituted. This structure involves the Risk Policy Committee, the Chief Executive Officer (CEO), the Chief Information Security Officer (CISO), and the Information Technology Committee (ITC). The Risk Policy Committee oversees enterprise risk management at the Board level, including risks arising from cybersecurity and privacy protection. Mr. Suthisarn Chirathivat, the current CEO of Central Retail, is also a member of the Board of Directors and of the Risk Policy Committee, which oversees and establishes strategies to manage cybersecurity and privacy protection. The CEO has an educational background in Management Information Systems (MIS) and work experience as a Management Information System & Customer Data Services Analyst. The ITC is an executive-level committee, with the CISO leading the implementation of cybersecurity and privacy protection measures. The current CISO has extensive experience in cybersecurity and previously served as CISO at another major online retail company. Other members of the ITC include executives from different business units who ensure compliance with Central Retail’s cybersecurity and privacy protection management approach, supported by employees with the expertise needed to implement and communicate these measures throughout the organization and to external stakeholders. Importantly, Central Retail has appointed a Data Protection Officer (DPO) to advise on, oversee, and monitor Central Retail’s compliance with the Personal Data Protection Act B.E. 2562 (PDPA), and has established a Data Protection Working Team dedicated to protecting personal data and handling privacy issues.

Cybersecurity Management

Central Retail has established the Information Security Mission Statement and Policy to state its commitment to ensuring that its information systems and services meet the standards of protection expected by customers and stakeholders. Central Retail has adopted international standards such as ISO/IEC 27001:2022, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and the Center for Internet Security (CIS) Controls as internal policy and guidance that all employees and relevant personnel must follow to manage and protect core systems and the personal data they hold. Additionally, Central Retail conducts external audits of its information security management system to verify compliance with these standards and to continually improve its cybersecurity posture.

Central Retail conducts regular risk-based internal audits as part of its annual audit plan to verify the effectiveness of key operational controls, risk management practices, and regulatory compliance. These audits, carried out by the Internal Audit Department, cover a range of technology-related areas, including data protection, cloud service governance, firewall and network security, and program change management. The audits focus mainly on evaluating whether systems and processes are properly secured, monitored, and aligned with internal policies, best practices, and industry standards. Each audit is designed and executed to reflect risk priorities and follows established international audit standards to ensure thorough and reliable assessments. Where a gap is identified, recommendations are discussed and agreed together with action plans and target dates.

Central Retail has implemented a risk management approach to protect and manage its information environment and keep pace with changing conditions by balancing control against system usability. Central Retail also classifies sensitive data into different risk levels, which determine the level of protection and the measures applied. Other cybersecurity measures include, but are not limited to, server vulnerability management, endpoint detection and response (EDR) and anti-malware protection, and data encryption. Moreover, information technology resources have cybersecurity measures embedded throughout their lifecycle, from acquisition to disposal. With regard to physical security, Central Retail has relocated its information systems to data centers that adhere to international standards for both procedural and security measures. This approach provides comprehensive safeguards against physical harm from fire, flood, and other emergencies, as well as against unauthorized physical access to the systems.

To minimize disruption to customers and protect business performance in the event of IT outages, Central Retail conducts an annual review and drill of its Contingency Plan across all branches to ensure continued service during information system failures. The process includes reviewing incident response procedures and conducting practical drills. Central Retail recognizes that, although such incidents are rare, regular testing is essential because branch operations continue to evolve, and this annual process demonstrates its commitment to operational readiness.

Cybersecurity Process

  • Quarterly Meeting: Organize a quarterly Security Committee Meeting (SCM) between working groups and the IT executives of each Business Unit
  • Risk Assessment: Collect and exchange cybersecurity information to assess risks and prepare for cyber threats
  • Implementation Framework: Develop guidelines and frameworks in alignment with recognized standards, namely the Center for Internet Security (CIS) Controls and the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)

Data Privacy Protection

Central Retail is dedicated to privacy protection, taking appropriate security measures (including organizational and technical measures) to prevent data leakage and establishing an internal Personal Data Handling Procedure that all employees and relevant personnel must follow to prevent breaches and misuse of personal data. In addition, Central Retail has put in place agreements with its suppliers to control the processing activities they carry out and to ensure their compliance with its privacy practices. The Personal Data Handling Procedure covers topics such as recordkeeping of data processing activities, the consent management system, data subject rights management, data retention, data processing agreements, and personal data breach procedures. Central Retail has also made its Privacy Policy available to the public on its website and at the various contact points where personal data is collected, to ensure transparency and to inform customers and stakeholders of their data privacy rights. The Privacy Policy covers the following:

  • Type of personal data
  • Purpose of data collection, use, and disclosure
  • Agencies or individuals to which Central Retail may disclose personal data
  • Transfer of personal data to third countries
  • Duration of personal data storage
  • Security measures
  • Cookie policy
  • Rights of data subject
  • Service points of contact regarding the exercise of personal data rights

Consent

Central Retail is committed to lawfully processing the personal data of customers and other stakeholders. Where Central Retail cannot rely on another legal basis for the collection, use, and disclosure of personal data, it obtains consent from the customers and stakeholders concerned; this includes, but is not limited to, the processing of sensitive personal data and processing for analytics or marketing activities.

In addition, Central Retail has set up channels through which data subjects can file complaints, make inquiries, and exercise their rights regarding personal data. Substantiated cases and complaints will be addressed and disciplinary action will be taken where appropriate. For any questions or concerns, or to exercise your rights regarding personal data, please contact our Data Protection Officer at:

Central Retail Corporation Public Company Limited

Central Retail Corporate Marketing

Central Chidlom Tower, 8th Floor, 22 Soi Somkid, Ploenchit Road, Lumpini, Pathumwan, Bangkok 10330, Thailand

Tel: +66 2 650 3600

Data Protection Officer
Data Protection Office, Central Group, 22 Soi Somkid, Ploenchit Road, Lumpini, Pathumwan, Bangkok 10330, Thailand

Email: dpo@central.co.th

Security Measures for Personal Data Protection

Central Retail is committed to protecting personal data by establishing effective technical, physical, and organizational security measures to prevent the loss, unauthorized or unlawful access, deletion or destruction, use, alteration, or disclosure of personal data.

Central Retail continuously reviews its security measures and monitors technological changes to ensure effective security protocols, considering the nature, scope, context, and objectives, as well as the level of risk associated with personal data processing.

Central Retail strengthens its cybersecurity resilience by conducting both internal and external vulnerability assessments and penetration testing, performed by qualified third-party experts. These tests involve simulated cyberattacks in which ethical hackers attempt to exploit system weaknesses, mirroring real-world threats. The objective is to identify exploitable vulnerabilities and configuration issues across critical systems. Comprehensive assessments were conducted on key online platforms and uncovered areas that could potentially be exploited by attackers. While the specific findings remain confidential for security reasons, the results have been used to strengthen Central Retail’s defenses. In addition to these technical evaluations, Central Retail conducts regular audits to verify ongoing compliance with data privacy regulations and to reinforce its business continuity planning.

To reduce cybersecurity and personal data protection risks, Central Retail integrates them into the quarterly group-wide enterprise risk management process so that they are monitored and managed. Central Retail provides comprehensive cybersecurity training to both executives and employees, covering key topics such as physical security, phishing, email malware protection, and secure use of AI. All employees are required to complete annual cybersecurity awareness training through the C-Next platform, which includes refresher sessions on cybersecurity in remote work, responsible use of social media and the internet, and recognizing social engineering and phishing threats. In addition, all employees are required to attend Personal Data Protection Act (PDPA) training to ensure they understand PDPA principles and handle personal data appropriately and responsibly. Furthermore, a PDPA representative from each Business Unit (BU) receives intensive training on PDPA requirements and personal data breach incident handling. These representatives are responsible for promptly reporting any suspected or actual data breach, which is then escalated and addressed in accordance with Central Retail’s Personal Data Handling Procedure. In cases of misconduct or breaches by employees, disciplinary action will be taken. Cybersecurity and personal data protection are also considered as part of the annual performance review of relevant employees to drive continuous improvement across the entire system.

Information Security Mission Statement and Policy
Data Privacy Policy

Project Highlights

DPO Portal Development for Employees

Central Retail has consolidated its PDPA knowledge into a single internal hub so that employees can access essential resources in one place. These resources include personal data protection policies and guidelines, relevant laws and regulations, and PDPA educational materials designed for ease of understanding. The hub also provides self-learning training modules and Frequently Asked Questions (FAQs) on the management of personal data. By making these materials accessible to employees at all levels through internal systems, Central Retail strengthens knowledge and understanding of PDPA principles for practical application in daily operations. This initiative promotes legal compliance and mitigates the risk of personal data breaches on a continuous basis.

Cybersecurity Awareness Portal for Employees

To foster awareness and improve the efficiency of cybersecurity management within the organization, Central Retail has established internal communication channels, organized training sessions, used email communications, and held meetings with business unit representatives. An internal website was developed to give employees 24/7 access to critical cybersecurity information, including policies, regulations, guidelines, and important news updates. This initiative has significantly improved the efficiency of information access and cybersecurity communication, ensuring coverage of all employees using corporate computers. It also promotes continuous awareness and sustainably mitigates cyber threat risks across the organization.

Performance Summary 2024

  • Total number of clients, customers and employees affected by breaches: 0 cases