Cybersecurity and Information Security
EGAT is one of the critical information infrastructure (CII) agencies in the energy and utilities sector. Therefore, it is essential to ensure cybersecurity and information security in its operations to prevent any impact on its activities and on related stakeholders.
| Targets for 2024 | Performance |
| --- | --- |
| Number of serious digital law violations: 0 incidents | Number of serious digital law violations: 0 incidents |
Policy and Commitment
In 2024, EGAT revised its cybersecurity and information security policy, mandating that key units responsible for EGAT’s core missions and technology infrastructure oversee and manage cybersecurity and information security. This includes identifying and preventing risks, monitoring and detecting cyber threats, responding to incidents, and maintaining and recovering from damage caused by cyber and information threats.
Additionally, EGAT has implemented other related policies and measures, such as the personal data protection policy, personal data security measures, and privacy notices for activities involving personal data.
Operational Structure
To ensure the effective implementation of cybersecurity and information security operations, and to manage related risks in alignment with EGAT’s mission, the organization has established several relevant committees and working groups. These include the EGAT Digital Committee, the Cybersecurity Management Working Group, the Sub-working Group on Cybersecurity Risk Management and Compliance, and the Sub-working Group on Cybersecurity Operations.
Management
EGAT has developed short-, medium-, and long-term plans to enhance human resource capabilities, improve work processes, and appropriately procure and manage technology. Various training programs on cybersecurity and personal data protection have been provided to relevant employees. Additionally, EGAT has prepared documentation and agreements related to cybersecurity and personal data protection for its partners to acknowledge, in order to promote compliance with EGAT’s policies and practices.
EGAT also holds meetings and/or briefings to inform partners about operational updates that may affect or relate to their processes. Furthermore, EGAT conducts reviews of operational procedures to support technological improvements in monitoring activities involving partners or other stakeholders, aiming to prevent security breaches.
In 2024, EGAT carried out several key cybersecurity and information security initiatives, including:
- Aligned internal processes and practices with the Cybersecurity Act B.E. 2562 and the Personal Data Protection Act B.E. 2562 to build stakeholder confidence
- Prepared risk assessment reports and cybersecurity/information security risk management plans, submitted to EGAT’s Cybersecurity Management Working Group, Digital Committee and the Governor for approval, and forwarded to the National Cybersecurity Committee
- Executed cybersecurity and communication plans effectively, with no serious incidents or violations of the Personal Data Protection Act
- Conducted external audits under ISO 27001 for digital infrastructure services, and internal audits by the Office of Internal Audit to ensure compliance with the Cybersecurity Act, B.E. 2562 (2019)
- Surveyed and analyzed cybersecurity operations, leading to improvements in personnel, processes, and technology, with progress reported to senior management
- Participated in the Government Platform for PDPA Compliance (GPPC), a joint initiative by the PDPA Committee and the Digital Economy and Society Committee, to promote implementation of the Personal Data Protection Act, B.E. 2562 (2019). As part of the initiative, EGAT staff attended a training course on PDPA knowledge for practitioners, with five employees successfully completing and passing the assessment.
Violation of Customer Privacy
| Item | 2024: From outside parties | 2024: From regulatory bodies | 2023: From outside parties | 2023: From regulatory bodies | 2022: From outside parties | 2022: From regulatory bodies |
| --- | --- | --- | --- | --- | --- | --- |
| Number of substantiated complaints concerning breaches of customer privacy and losses of customer data | 0 | 0 | 0 | 0 | 0 | 0 |
| Number of identified leaks, thefts, or losses of customer data | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 |
