As cyber threats become increasingly sophisticated and severe, and digital networks play a vital role as critical national infrastructure, cybersecurity and personal data protection are fundamental to sustaining trust in digital services. AIS therefore continuously enhances its security standards through sustained investment in advanced threat detection and response technologies, strengthened governance and risk management processes, comprehensive employee capability development, and strict compliance with applicable laws and regulations. This integrated approach enables the Company to maintain network continuity and stability, effectively safeguard customer data, and further develop trusted security solutions that reinforce customer confidence and support sustainable long-term competitiveness.
Performance 2025
Established data and artificial intelligence governance policies to ensure that the use of data and AI is accurate, secure, and responsible, in line with ethical principles and recognized technology standards.
Assessed and monitored risks across critical business value chains to strengthen cybersecurity and enhance the protection of customers’ personal data.
Target
Maintain the highest cybersecurity and personal data protection standards on par with or surpassing those of other business organizations in the industry and the region.
Enhance the efficiency of cybersecurity and data privacy measures to defend AIS’s significant business value chain.
Management Approach
AIS has established comprehensive policies covering cybersecurity, personal data protection, data governance, and artificial intelligence (AI), along with formal privacy notices applicable across all business units and relevant external parties. These frameworks are designed to strengthen stakeholder confidence by ensuring that information systems and personal data are managed transparently, responsibly, and effectively. The Company has also implemented a clearly defined governance structure for cybersecurity and data protection, supported by dedicated functions and oversight committees that systematically supervise, monitor, and continuously enhance performance in these areas.
Cybersecurity
AIS adopts a systematic and proactive approach to cybersecurity management, encompassing preventive controls, regular testing, and continuous threat monitoring. Policies and procedures are periodically reviewed and updated to ensure alignment with relevant regulations and internationally recognized standards. The Company integrates globally accepted frameworks, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework, Zero Trust security principles, and ISO/IEC 27001, alongside tailored measures suited to its operational context. This holistic approach—covering technology, processes, and people—enables AIS to manage cyber risks comprehensively and effectively, while strengthening resilience against evolving digital threats.
Integrated Cybersecurity Management Framework

Technology

AIS deploys comprehensive cybersecurity technologies across devices, networks, systems, and data environments. These include intrusion detection and prevention systems, data encryption, and advanced cloud security solutions designed to enhance the Company’s ability to prevent, detect, and respond to cyber threats effectively and in a timely manner.

Process

The Company establishes structured security standards and control processes covering access management, vulnerability assessment and mitigation, and incident response. These processes are aligned with applicable laws and internationally recognized standards to ensure consistent, robust, and effective risk management.

People

Clear roles and responsibilities for cybersecurity are defined across the organization to ensure accountability and effective oversight. AIS continuously invests in capability development and fosters a strong security culture among employees and business partners, promoting the responsible and secure use of systems and data across its value chain.

Cybersecurity framework and process
  • Implement a cybersecurity policy aligned with globally recognized cybersecurity frameworks and standards of the National Institute of Standards and Technology (NIST)
  • Cybersecurity enhancement with Zero Trust, which emphasizes the trustworthiness of various components in the computer system
  • Deploy online cybersecurity training courses that are accessible to employees at any time
  • Collaborate with regulatory authorities and critical information infrastructure agencies in responding to incidents
  • Implement Cyber Incident Response and Escalation Process
Cyber Threat Management and Response Framework
AIS has established a Cyber Security Operation Center (CSOC) operating 24 hours a day to monitor, detect, and respond to potential cyber threats across the organization. The Center leverages real-time alerting systems in combination with User and Entity Behavior Analytics to strengthen anomaly detection capabilities and enable timely threat assessment and response.
Customer Privacy Protection
AIS has established personal data protection policies and practices in alignment with applicable laws and regulatory requirements, covering its subsidiaries as well as business partners and third parties involved in the processing of customer data. The Company implements comprehensive governance measures throughout the entire data lifecycle, including data collection, use, disclosure, storage, and disposal, in accordance with internationally recognized standards.
Personal data protection framework and process

Managing data governance

  • Establish personal data protection policies for AIS Group
  • Develop and publish the AIS Group Privacy Notice
  • Review and/or update policies, standards, and guidelines at least once a year.
  • Determine confidentiality classification, including access to sensitive information, and utilize various data protection tools and techniques to safeguard information.
  • Formulate data flow specification in a systematic manner
  • Establish customer data protection standards through a structured Data Life Cycle Management process, covering how employees and relevant third parties handle customer data throughout its lifecycle.

Awareness raising and training

  • Promote awareness of personal data protection in terms of data life cycle management
  • Promote the principles of “Privacy by design” and “Privacy by default” for responsible product and service design

Risk follow-up and assessment

  • Conduct a Data Protection Impact Assessment (DPIA) in accordance with internationally recognized standards
    • Assess risk from daily operations
    • Define standard contractual clauses (SCCs) with related units
    • Prepare records of personal data processing
    • Establish an internal audit team to construct an annual audit plan

Personal data breach prevention and response

  • Establish protocol for disciplinary action in the occurrence of a personal data breach
  • Establish the Incident Center to be responsible for responding to personal data breaches and cyberattacks
Data Breach Response Procedure
  • Complaint received from various channels i.e. Cybersecurity Operation Center, Call Center, AIS Shop, Complaint Center
  • Determine severity level and coordinate actions with relevant units
  • Relevant officers report inspection results to Incident Center
  • Inspection results/resolution reported to incident reporter
  • Explain/publicize understanding internally and externally. Review incident and set preventive measures
Procedure for Processing Customer Request
Certifications and Accreditations in Cybersecurity and Data Protection
International Standards Certification for Cybersecurity and Customer Data Protection
Performance Table
| Topic | Units | 2022 | 2023 | 2024 | 2025 |
|---|---|---|---|---|---|
| Personal data protection | | | | | |
| Number of personal data breach and data loss complaints | | | | | |
| Complaints from general persons or agencies | Number of cases | 7 | 4 | 3 | 2 |
| Complaints from regulatory agencies | Number of cases | 11 | 4 | 7 | 3 |
| Data leakage, theft, or loss | Number of cases | 2 | 1 | 0 | 0 |
| Requests for customers’ personal data from public agencies with the power and duty ¹ | Number of cases | 19,454 | 19,255 | 19,854 | 24,653 |
| % of the total number of requests | % | 92 | 92 | 93 | 96 |
| Network | | | | | |
| Average frequency of network failure | Units | 0.07 | 0.09 | 0.07 | 0.15 |
| Average length of network failure ² | Minutes | 38 | 37 | 72 | 223 |
Remarks:

¹ The Company discloses customers’ service usage information to government authorities in accordance with their legal mandates, including the Courts of Justice, the Royal Thai Police, and the Anti-Money Laundering Office, among others.

² In 2025, the average network downtime increased due to prolonged flooding and widespread inundation across multiple areas. These events led to extended power outages, resulting in disruptions to the telecommunications network’s power supply and longer-than-usual system recovery times.


Related Document
Information concerning “Cybersecurity and Customer Privacy Protection” can be found in the 2025 Sustainability Report.