Impact on Business (GRI3-3)

Risk and crisis management, along with cybersecurity and data privacy protection, are material issues that directly affect the Company’s business operations, corporate credibility, and stakeholder confidence across the value chain.
If risk management is ineffective, it may lead to operational, financial, and reputational damage, as well as a loss of trust from investors, customers, business partners, employees, and regulatory authorities. Conversely, systematic risk management helps reduce the severity and likelihood of incidents that may impact renewable energy projects, supports business continuity, and enhances the Company’s ability to adapt to uncertainties in policies, technologies, and the business environment.
Accordingly, CKPower places strong emphasis on cybersecurity and data privacy protection to ensure that critical information is properly safeguarded. This strengthens stakeholder confidence that sensitive data is managed appropriately, while reinforcing trust, credibility, and long-term relationships, which are key factors in maintaining competitiveness, supporting sustainable growth, and creating long-term business value.

Challenges and Opportunities (GRI3-3)

Cybersecurity and personal data protection risks are becoming increasingly complex with the growing use of digital technologies, which may affect business continuity, the reliability of information systems, and stakeholder confidence.

Nevertheless, these challenges present important opportunities to further strengthen risk management and crisis response systems in a more robust and systematic manner. Therefore, CKPower closely monitors emerging threats, implements security measures aligned with international standards, and fosters a corporate culture of data security awareness to support long-term business resilience and competitiveness.

Commitment (GRI3-3)

CKPower is committed to systematic and integrated risk management, cybersecurity, and data protection. This encompasses policy formulation, governance structure, risk management processes, performance monitoring, and the management of emerging risks to support the stability and continuity of business operations.

The Company also prioritizes fostering an organizational culture of risk management and information security through communication, learning, and the enhancement of personnel capabilities at all levels. These efforts enhance decision-making capabilities and contribute to the Company’s sustainable growth in the long term.

Operational Guideline (GRI3-3, 201-2)

Risk Management

CKPower implements enterprise risk management (ERM) in line with the international COSO-ERM 2017 Framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which provides guidance for managing enterprise risk within the Company’s risk appetite and risk tolerance. The Company has also established a risk management policy and a Risk Management Working Group comprising executives from key functions, including business planning, engineering, operations and maintenance, and power plant management. The Working Group is tasked with preparing annual risk mitigation plans to manage CKPower’s strategic, operational, financial, compliance, ESG, and emerging risks. Risk management outcomes are reported on a quarterly basis to assess and monitor risk management measures, keep enterprise risk within the approved risk appetite, and ensure preparedness as well as appropriate and timely responses to changes that may affect business operations. The Corporate Governance, Risk Management, and Sustainable Development Committee convenes at least four meetings a year to consider various issues on its agenda and steer comprehensive risk management.

Four Risk Categories under Assessment

  1. Strategic Risk
  2. Operational Risk
  3. Financial Risk
  4. Legal and Regulatory Compliance Risk

Risk Management Structure (GRI2-12)

With regard to CKPower’s risk management structure, the Board of Directors has charged the Corporate Governance, Risk Management, and Sustainable Development Committee with the duties of considering and approving the risk management activities of the Company and its affiliates, as well as establishing policies, giving recommendations, and reviewing the effectiveness of risk management. In addition, CKPower has tasked the Internal Audit Department with monitoring and reviewing its risk management process to provide an additional layer of oversight independent from the Risk Management Working Group to further increase confidence in the suitability and effectiveness of CKPower’s risk management. This structure demonstrates CKPower’s commitment to systematic and transparent risk management in line with good corporate governance practices.

Risk Management Process (GRI201-2)

The risk management process is utilized to identify, analyze, and manage potential risks in the Company’s business operations. To ensure effective risk management, CKPower’s risk management process consists of the following six steps:

  1. Preparation: Gathering and preparing basic risk-related information
  2. Risk Identification: Discovering and identifying potential risks arising from business activities and processes
  3. Risk Assessment: Analyzing and evaluating the severity and likelihood of risks
  4. Control Identification: Considering measures for controlling and mitigating risk impacts
  5. Risk Profile: Creating an overview of risks and prioritizing risk issues
  6. Risk Monitoring: Continuously examining and tracking risk management implementation

Crisis Management and Business Continuity

To instill confidence in stakeholders across the value chain, ensure business continuity, and uphold good corporate governance, CKPower has formulated a business continuity policy, a business continuity plan (BCP), an emergency response plan, and a crisis management plan in anticipation of potential risks that may disrupt business continuity.

In addition, as part of business continuity management, annual training and drills are conducted to enhance the ability to respond effectively to emergencies or crises. These management processes address a full range of risks, including power production and distribution from various energy sources. By adhering to international standards, these operational procedures ensure business continuity and stability while meeting stakeholder needs in a sustainable manner.

Risk Management Performance in 2025

While most risks were at moderate levels, three very high-risk issues were identified:

  1. Cybersecurity risks
  2. IT system disruption risks
  3. Equipment and machinery unavailability risks

To address these risks, the Company carefully developed a mitigation plan with clearly designated risk management responsibilities. The plan includes specific timelines and monitoring processes for each risk category to ensure the effective management of all risk scenarios and minimize potential business impacts.

Emerging Risks in 2025

CKPower prioritizes the identification and management of emerging risks that may affect business operations in the short, medium, and long term. These risks may impact business continuity, competitiveness, and the sustainability of the organization, representing both challenges that must be addressed and opportunities that may arise through effective risk management.

Based on a comprehensive risk assessment and analysis, the Company has identified the following significant emerging risks, which must be monitored and handled appropriately to foster organizational growth and sustainability over the long term.

Emerging Risk: Evolution of energy technology
Timeframe of Impact: Short term to long term
Description: Energy technologies are increasingly evolving in response to changing energy consumption patterns and emerging innovations, such as renewable energy, energy storage systems, green hydrogen, and green ammonia. These developments may affect future investment decisions and competitive opportunities.
Potential Impact on Business: Delays in adapting to new technologies could result in reduced competitiveness and increased costs for technological development or legacy system upgrades.
Management/Opportunity:
  • An exploration team has been established to study emerging energy innovations and related regulations, as well as to explore opportunities for pumped-storage hydropower development and potential demand for large-scale energy storage systems.
  • CKPower studies relevant regulations, requirements, and laws in Thailand and the ASEAN region to identify new opportunities and minimize potential constraints on business operations.
  • CKPower has identified business model resilience as a material topic and developed a five-year strategic framework (2022–2026) with defined implementation guidelines and designated responsibilities for driving and monitoring progress.

Emerging Risk: Cybersecurity and personal data protection
Timeframe of Impact: Short term to long term
Description: Cyber threats may cause critical company information, such as financial and other sensitive data, to be leaked or lost, which could lead to data recovery costs and reputational damage.
Potential Impact on Business: Increased expenses for data recovery, reputational damage, and negative impacts on stakeholder confidence.
Management/Opportunity:
  • Comprehensive information system and cybersecurity policies and practices have been established, including information security policies, IT usage authorization policies, IT security management system manuals, and IT practice guidelines.
  • CKPower adopts ISO/IEC 27001:2022 and the NIST Cybersecurity Framework 2.0, with annual assessments conducted by both internal and external auditors (Tier 3 level).
  • Cybersecurity and data protection awareness is enhanced for executives and employees through continuous training and communication.
  • Regular phishing email testing is conducted to improve control measures and strengthen employee capabilities.

Fostering a Corporate Risk Culture

To promote an organization-wide risk management culture, CKPower has established policies and operational guidelines and uses key performance indicators (KPIs), consisting of leading and lagging indicators, to assess and monitor performance, create motivation, and instill confidence in the Company’s efforts to achieve its goals through effective risk management. To foster an enterprise risk management culture within CKPower Group, initiatives have been undertaken to build awareness among personnel through training sessions and talks. Key activities for the promotion of a risk management culture in 2025 are summarized below.

  1. Training and Talks
    • CKPower organized a training session on “Sustainability Trends and ESG Risks 2025” for the Board of Directors, conducted by ERM (Siam) Limited, with the objective of enhancing understanding of sustainability trends and raising awareness of sustainability risks, which are key strategic risks for the Company. The training also emphasized sustainability-related financial disclosure standards (IFRS S1) and climate-related disclosure standards (IFRS S2), as well as the implementation of policies into practice through sustainable operations, including stakeholder engagement planning. The training formed part of the Company’s ongoing efforts to build awareness and preparedness among all directors to support effective risk management in alignment with the Company’s long-term sustainable development approach.

      Training Topic: Sustainability Trends and ESG Risks 2025

    • CKPower organized a training session on personal data breach risk management for executives and employees, conducted by DBC Group Co., Ltd., to strengthen the organizational culture of personal data protection and information security. The training focused on building fundamental knowledge of the Personal Data Protection Act (PDPA), the roles and responsibilities of executives and employees in complying with the law, and the assessment of personal data risks within operational processes across different departments. It also covered preventive measures, management approaches, and response procedures in the event of personal data breach incidents in order to enhance awareness and the capability to manage personal data risks appropriately.

      Training Topic: Personal Data Breach Risk Management

  2. Communication Through Various Channels
    • Compliance Journal
      CKPower continuously communicated information on risk management and good corporate governance through internal communication channels. In 2025, the Compliance Journal was published to raise awareness of key issues, including anti-corruption practices, good corporate governance principles, personal data breach risk management, and laws related to business operations. The content was presented in an easy-to-understand format with relevant case studies, while quizzes and games were used to engage directors, executives, and employees and assess their understanding.
    • E-Learning Courses
      CKPower has developed E-learning courses for employees at all levels to promote self-directed learning on crucial topics including:
      1. Managing legal risks associated with the Personal Data Protection Act (PDPA)
      2. Legal compliance risks
      3. Risk mitigation protocols
      4. Cybersecurity risks
      5. Guidelines for self-protection against cyber threats
      6. Climate change risks

The e-learning system enables employees at all levels to access comprehensive risk-related information and knowledge, appreciate the importance of legal compliance and best practices, and effectively apply this knowledge to reduce operational risks.

The Company’s efforts to cultivate a robust risk management culture have enhanced its preparedness to appropriately handle changes and challenges and promoted long-term organizational growth by encouraging all employees to play a role in driving business sustainability across all dimensions.

Cybersecurity and Personal Data Protection

Cybersecurity Policy

CKPower has established information technology policies aligned with its corporate governance framework, along with security practices that support intellectual property and copyright protection. The Company has also established the Information Technology Security Guideline to enhance the security of access to and control over the use of the Company’s information and communication technology systems, which are disclosed on the Company’s website.

The Company continuously promotes cybersecurity awareness among directors, executives, and employees through training and communication to ensure proper understanding and compliance with the Computer Crime Act B.E. 2560 (2017), as well as other relevant laws and regulations related to information technology. In addition, the Company regularly reviews and updates its cybersecurity policies and guidelines to ensure they remain up to date and aligned with international standards.

Furthermore, the Company adopts the NIST Cybersecurity Framework (CSF) 2.0 to strengthen its capabilities in preventing, detecting, and responding to cyber threats, in alignment with the ISO/IEC 27001:2022 standard, for which the Company has been certified.

Cybersecurity and Personal Data Protection Risk Management Process

CKPower systematically manages cybersecurity and personal data protection risks, beginning with the identification and assessment of risks to determine the necessity and priority level for risk management in each area. Appropriate risk management approaches are then established, taking into consideration the business context and potential impacts on the organization.

The decision-making process covers risk mitigation, risk control, and reasonable risk acceptance. Risks that are within acceptable levels are recorded and documented transparently, while risks requiring mitigation are consolidated into a Risk Treatment Plan, which must be reviewed and approved by management to reflect clear governance oversight. The plan is then implemented, monitored, and regularly reviewed to support the stability, resilience, and long-term sustainability of the Company’s business operations.

Cybersecurity Management

CKPower places strong emphasis on preparedness for cyber threats that may result in the loss of critical company data. Cyber risk management is implemented in alignment with the Company’s enterprise risk management policies and is integrated into its business continuity management framework to ensure the continuous availability of information systems. The Company also complies with relevant laws, regulations, and standards, including ISO/IEC 27001.

To strengthen the data security system, mitigate risks, and protect data from theft, CKPower has established a monitoring protocol, preventive control measures, and a response process for incidents that may impact the integrity of the information systems, as well as clearly assigned responsible parties and reporting channels to ensure that incidents and vulnerabilities related to the security of the information systems are promptly reported and addressed correctly, efficiently, and in a timely manner.

In addition, the Company prepares information security performance reports and incident reports, which are regularly presented to the Steering Committee for consideration and continuous improvement of security measures. The management framework is as follows:

  1. Identify: Identify information security risks.
    Conduct and regularly review information security risk assessments by identifying information assets, business processes, and associated risks in order to prioritize appropriate protection measures.
  2. Protect: Establish standards for system protection.
    Implement technical and administrative control measures such as Access Control, Patch Management, and Data Protection. Deploy and operate Endpoint Security solutions, including EDR, XDR, and MDR, to prevent cyber threats and monitor abnormal activities. Provide information security training and awareness programs for employees.
  3. Detect: Establish processes for anomaly detection.
    Establish real-time threat detection through EDR/XDR and MDR services. Engage external service providers to conduct regular Vulnerability Assessments (VA) to identify system vulnerabilities. Monitor and review system logs to detect events that may impact information security.
  4. Respond: Establish incident response processes.
    Establish an Incident Response Plan (IRP) and define procedures for managing cybersecurity incidents. Maintain an Incident Response Team that collaborates with MDR service providers to resolve incidents and limit their impact. Incidents are reported and reviewed to identify root causes and prevent recurrence.
  5. Recover: Establish a recovery process to restore business continuity or normal operations.
    Establish and regularly test Backup and Disaster Recovery (DR) plans to ensure business continuity. Conduct post-incident reviews to improve information security processes. Lessons learned and assessment results are used to continuously enhance the Information Security Management System (ISMS).

Personal Data Protection

Personal Data Protection Policy

Recognizing the importance of personal data protection, CKPower has formulated an external personal data protection policy in accordance with the Personal Data Protection Act B.E. 2562 and other relevant laws to instill confidence in the safety of personal data. The policy delineates the definition of personal data, types of personal data, purposes of personal data collection, use, and disclosure, entities or individuals to whom the Company may disclose information, duration of data retention, personal data storage formats, and rights of data owners. Additionally, CKPower has appointed a Data Protection Officer to oversee compliance with applicable laws and requirements and established procedures for handling complaints and complaint management processes related to its data processing activities. Guidelines for personal data security have also been developed to prevent loss of personal data or unauthorized or unlawful access, use, alteration, modification, or disclosure of personal data.

Personal Data Protection Management

As personal data protection management is of paramount importance, CKPower has defined access rights to personal data, information, information processing systems, and other information technology assets according to business purposes on a need-to-know and need-to-use basis to ensure that all access to such data is for business purposes and is conducted within a secure framework.

In addition, access rights are organized hierarchically, and all executives and employees must comply with them, to prevent leakage of vital data, whether personal data or information, to external parties. This has been clearly stipulated in the Business Code of Conduct, whereby all executives and employees are required to comply with these requirements and not to disclose any confidential information obtained during the performance of their duties for personal gain or the benefit of others. These measures reflect CKPower’s commitment to personal data and information protection against unauthorized access, which fosters confidence among all stakeholders over the long term.

Cybersecurity and Personal Data Protection Auditing

Information Security Management System (ISMS) Auditing

CKPower conducts annual internal audits of the Information Security Management System (ISMS) to ensure that control objectives, control measures, processes, and operational procedures are aligned with information security requirements. The system is also continuously assessed and maintained to ensure that it achieves its objectives and complies with ISO/IEC 27001 standards as well as relevant laws and regulations.

External Accreditation and Auditing

CKPower was certified to the ISO/IEC 27001:2013 Information Security Management System standard by BSI (British Standards Institution) in 2022. Additionally, assessments by external parties are regularly conducted to analyze vulnerabilities and strengthen the security of the Company’s information systems in line with international standards and applicable laws.

Personal Data Protection Policy

CKPower recognizes the importance of respecting personal privacy and ensuring the proper handling of personal data in compliance with relevant laws. The Company has established a Personal Data Protection Policy and information security practices that align with the guidelines for listed companies issued by the Stock Exchange of Thailand. In addition, the Company promotes the use of information technology systems supported by systematic monitoring and cybersecurity risk management processes.

ISMS Training and Knowledge Enrichment

CKPower has defined roles and responsibilities for securing information assets to ensure that critical data and information systems are appropriately protected. The Company also provides training programs such as ISMS Intensive Training and ISMS Security Awareness Training to enhance employees’ knowledge and awareness of information security, accessible through email and the CKPower Mobile Application, enabling learning opportunities across all levels of the organization.

System Efficiency Assessment

CKPower regularly assesses the efficiency of its information security systems and power plant operation systems to ensure the security of its information systems and reliability of power plant operations, thereby strengthening stakeholder confidence in the business operations.

These measures reflect CKPower’s commitment to maintaining robust information system security and personal data protection, supporting transparent and stable business operations in the long term.

[Figure: Cybersecurity Awareness 2025 Training]

[Figure: ISO/IEC 27001:2022]

Cybersecurity Incident Management and Response Plan

In 2025, the Company encountered one cybersecurity incident. The incident was effectively and promptly managed, with no personal data leakage reported. The Company implemented systematic threat detection and response measures, while further strengthening cybersecurity controls and continuously improving its risk management plans to prevent potential incidents in the future.

The Company’s cybersecurity and personal data protection risk management approach in 2025 included the following key measures:

  • Establishing an Information Security Policy to define operational frameworks aligned with international standards.
  • Adopting ISO/IEC 27001:2022 and the NIST Cybersecurity Framework (CSF) 2.0 in the Company’s information security management system, with regular annual assessments conducted by both internal and external auditors.
  • Providing Cybersecurity Awareness Training for employees at all levels at least once a year to enhance awareness and strengthen preparedness in responding to cyber threats.
  • Continuously developing and improving the Cyber Incident Response Plan to keep pace with evolving cyber threats.

These measures not only strengthen the security of the Company’s information systems but also reinforce stakeholder confidence while supporting a stable foundation for the Company’s long-term business operations.

Long-term Targets, 2025 Targets, and 2025 Achievements (GRI3-3)

Risk Management

Risk Management (GRI 201, GRI 308, GRI 414, GRI 418)
Material topic: Risk and Crisis Management & Cybersecurity and Data Privacy

Long-term Target: A risk management culture is fostered across CKPower Group (100%)

2025 Targets and 2025 Achievements
  • The directors undergo training on Sustainability Trends and ESG Risks 2025: target 100%; achievement 100%
  • The executives and employees receive risk-related communication: target 100%; achievement 100%
  • The executives and employees recognize and understand the principles of good corporate governance: target 100%; achievement 100%

Cybersecurity (GRI418-1)

Cybersecurity (GRI 103, GRI 418)
Material topic: Risk and Crisis Management & Cybersecurity and Data Privacy

Long-term Target: A cybersecurity culture is fostered across CKPower Group (100%)

2025 Targets and 2025 Achievements
  • Cybersecurity breaches or other cyber threats: target no case; achievement 1 case
  • Data leakage, theft, or loss: target no case; achievement no case
  • Customers or employees affected by data leakage: target no; achievement no
  • Fine for data breaches or cyber threats: target 0 THB; achievement 0 THB

Personal Data Protection (GRI418-1)

Personal Data Protection (GRI 418)
Material topic: Risk and Crisis Management & Cybersecurity and Data Privacy

Long-term Target: A culture of personal data protection is fostered across CKPower Group (100%)

2025 Targets and 2025 Achievements
  • Complaints on personal data breaches from individuals or external parties: target no complaints; achievement no complaints
  • Executives and employees of CKPower Group in Thailand participate in training related to personal data protection: target 85%; achievement 87.85%
  • Complaints on personal data breaches from regulatory authorities: target no complaints; achievement 0 complaints

Sustainability report 2025