Sustainability report 2020

Data Privacy

In May 2020 the bank issued a Data Governance Policy. In compliance with the Data Privacy Module of the Personal Data Protection Act (PDPA) B.E. 2562, this policy safeguards the use of customer data and ensures compliance with regulatory and legal requirements. It also defines clear roles and responsibilities regarding data management, data privacy and data security. The policy applies to all employees of the bank as well as its subsidiaries and third parties. The bank’s highest governing body, the Board of Directors, is responsible for the internal control and effective implementation of the policy. In addition, the three lines of defense model has been incorporated into the data governance structure to ensure checks and balances. As securely managing and safeguarding our customers’ personal data is of pivotal importance to our business, data security is embedded into our risk management. Therefore, the bank has zero tolerance towards any violations. Should there be any breaches within the organization, cases are pursued in line with our disciplinary regulations and action and punishment procedures. Additionally, three key new roles – Data Protection Officer (DPO), Bank-Wide Data Executive (BDE), Data Executive (DE) – have been established by each business unit to ensure bank-wide implementation of the policy in compliance with the PDPA and relevant laws, i.e. the Computer Crime Act. Another checks and balances mechanism is our internal audit – an independent function of the bank responsible for auditing business processes and procedures to ensure effective policy. To ensure transparency and that customers are informed of their rights, the privacy policy is publicly available on the bank’s website (www.tmbbank.com/en/policy). Moreover, the bank has set up a direct channel for inquiries about the collection, use and disclosure of personal data, and the rights of customers. Customers can contact the bank through DPO@tmbbank.com or Contact Center 1558.
Raising awareness and understanding among employees about data privacy and our Data Governance Policy is vital, and efforts are ongoing to ensure they understand the importance of this issue. In 2020 there was a mandatory training course that introduced PDPA to all employees – both existing and new – to ensure they are fully aware of its contents and implications. In 2020 100% of employees completed the training.

Cybersecurity

TMB has a clear management structure, complete with dedicated governing boards and management committees supervising information security and cybersecurity. The Board of Directors have ultimate responsibility for the bank’s direction and strategy but have delegated the IT Oversight Committee to oversee and monitor the bank’s IT operations and information security management. A management-level committee, the IT Non-Financial Risk Committee oversees and manages IT risk management, including cybersecurity risks, IT availability, and significant IT incidents, across the bank to ensure safekeeping of our systems and operations. At the executive management level, the Chief Technology and Operating Officer is responsible for overseeing information security management within the company. To make sure our practices comply with our policies and standards, the audit function reviews cyber security performance and recommends further improvements. The pandemic has created new challenges and forced us to adopt a new work-from-home operating model. This transition has led to a greater focus on cybersecurity due to the higher exposure to cyber risks and attacks. In response to this business disruption, the bank has promptly developed work from home and Virtual Private Network (VPN) frameworks, protocols and procedures. These enable employees working remotely to ensure business continuity while maintaining the security and confidentiality of our systems.
Furthermore, the IT and Information Security teams have collaborated with a third party, the Thailand Banking Sector Computer Emergency Response Team (TB-CERT), to actively track the activities of over 130 threat groups and understand as much as possible about each as a preventative measure. At the same time, the bank has raised the security standards with intensive monitoring and stringent preventative measures on data leakage and cyberattacks, especially phishing scams, which was the top cyberattack during the COVID-19 crisis. Monitoring reports were given on a daily basis directly to the Chief Executive Officer and Chief Technology and Operation Officer. In order to prevent potential security risks, bank-wide communication on the topic was crucial to notify and inform all employees of both potential threats and the protocols for how to identify and manage them. To prepare for integration, an information security system blueprint was created in 2020 and is expected to be implemented in 2021-2023. The key focus of the 2020 integration plan is on the synergy of information security standards and controls, on merging the infrastructure systems of the two banks and on consolidating databases. The system integration has been prepared to support customer migration of both banks to the merged bank through co-location branches, TMB/TBANK ATMs, and the digital capabilities of TMB TOUCH. Our mobile banking security is in alignment with the Bank of Thailand’s Guiding Principles for Mobile Banking Security, and we are continuously raising our security levels so that we can maintain the trust of customers.
