

Data Privacy and Cybersecurity
BAM recognizes that the trust of customers and stakeholders is fundamental to sustainable business conduct. To this end, the Company is committed to operating under a robust personal data protection policy in full compliance with the Personal Data Protection Act (PDPA). This framework is designed to uphold the right to privacy and proactively mitigate risks associated with data breaches or leakages across all operational dimensions.
To ensure the effective management of personal information, the Company has established comprehensive guidelines governing the data lifecycle. This includes the lawful collection of personal data, the management of processing activities, and the implementation of robust technical and organizational security measures for data storage. Furthermore, the Company has formalized a data governance structure through the following key measures:
- Data Retention and Disposal: BAM implements rigorous oversight and audit processes to ensure the secure deletion or destruction of personal information. This applies to data that has reached the end of its retention period, is no longer relevant, or exceeds the necessity of purpose for which it was collected. These measures are critical to mitigating data risks and ensuring that information is held only to the extent required by law. In 2025, the Company launched a dedicated project to refine the management of data at the end of its lifecycle, focusing on the systematic deletion, destruction, or anonymization of personal data in strict accordance with regulatory standards.
- Personal Data Breach Procedure: BAM has established a formalized Incident Response Procedure to address potential personal data breaches or leakages across both physical (paper) and digital formats. This framework clearly defines the roles and responsibilities of the response team, encompassing remedial actions and the mitigation of impacts. Furthermore, the procedure ensures compliance with statutory notification requirements, mandating the timely reporting of incidents to the Office of the Personal Data Protection Commission (PDPC) in accordance with the timelines prescribed by law.
- Continuous Development and Enhancement: BAM prioritizes raising organizational awareness through regular training programs and simulation drills. These initiatives are designed to ensure employee readiness against emerging threats and evolving cyber risks. By fostering a culture of continuous improvement, the Company aims to elevate information security standards to a sustainable level and strengthen long-term stakeholder trust.
Operational Objectives and Performance
Substantiated complaints concerning breaches of customer privacy:
Operational Objectives
- Achieve zero cases of customer data leakage, theft, or loss.
- Achieve zero complaints from external parties and/or regulatory authorities.
Performance
- Achieve zero cases of customer data leakage, theft, or loss.
- Achieve zero complaints from external parties and/or regulatory authorities.
Personal Data Protection and Governance Policy
- Policy and Scope of Application: BAM has established and adopted a Personal Data Protection Policy in full alignment with the Personal Data Protection Act (PDPA), reflecting its commitment to legal compliance and corporate governance excellence. To ensure integrity, the Company has extended the scope of oversight beyond internal departments to include business partners, suppliers, and third-party data processors. This expansion ensures that robust and standardized data protection measures are implemented across the entire Value Chain.
- Roles and Responsibilities: To ensure structured oversight and accountability, BAM has established a formalized governance framework as follows:
• Data Controller: BAM serves as the Data Controller, assuming responsibility for defining the purposes and methodologies of data processing with full transparency. All processing activities are conducted strictly on a lawful basis or within the specific scope of informed consent obtained from the data subject. This ensures that data utilization remains consistent with the intended purpose and upholds the rights of the data subject.
• Data Protection Officer (DPO): BAM has appointed a DPO to provide advisory and monitor compliance with legal requirements. The DPO's mandate includes overseeing risk management related to personal data processing and reporting any non-conformities to executive management. Furthermore, the DPO serves as the primary liaison with the Office of the Personal Data Protection Commission (PDPC) and external regulatory agencies to ensure that the Company maintains full adherence to relevant laws and international data protection standards.

- Regulatory Compliance Framework: BAM ensures sustained adherence to the Personal Data Protection Act (PDPA) through a systematic and integrated operational framework as follows:
• Lawfulness & Security: Apply appropriate legal bases for all data processing and establish standardized technical and organizational security measures to protect data integrity (Data Security).
• Transparency: Notify data subjects through comprehensive Privacy Notices to ensure a clear understanding of the purposes and details of data processing prior to or at the time of collection.
• Records of Processing Activities (RoPA): Update the Records of Processing Activities (RoPA) on a regular basis to ensure data flows are documented and ready for regulatory inspection.
• Risk Management (DPIA): Conduct Data Protection Impact Assessments (DPIA) for processing activities that present a high risk to the rights and freedoms of data subjects.
• Third-Party Management: Execute Data Processing Agreements (DPA) with suppliers and external service providers to control risks and clearly define the scope of legal responsibility.
• Data Subject Rights: Provide accessible channels and structured processes to support the exercise of data subject rights within the timelines and conditions mandated by law.

BAM RECEIVED PRIVACY SELF-ASSESSMENT EXCELLENCE AWARD 2025
One of three private sector organizations to receive the award among 42 participants from government and private sectors.
Governance and Risk Assessment of Emerging Technology and Information Systems
For all new projects or systems, BAM implements rigorous supervision and risk management frameworks. This process includes comprehensive pre-implementation risk assessments and post-implementation follow-ups to ensure that every system aligns with the organization's strategic objectives. Recently, the Company specifically conducted a risk assessment for an initial project involving the use of Artificial Intelligence (AI) to evaluate emerging technology–related risks. This assessment addressed potential operational impacts and emerging risks that require continuous monitoring and proactive management. The AI risk assessment framework is categorized into five critical dimensions:
1) People and Social
2) Economic Context
3) Data and Input
4) AI Model
5) Task and Output
This process ensures that AI implementation supports operations securely, effectively, and in alignment with strategic goals. It includes the capability to identify and control potential risks across every dimension, supported by comprehensive guidelines to mitigate risks appropriately.
Furthermore, BAM has conducted risk assessments for information systems through the Information System Change Management Working Group. During the reporting period, 19 systems were monitored, and 9 systems successfully reached the "Go-Live" phase. The risk management process for these systems includes a comprehensive evaluation of risk scenarios, potential impacts, likelihood, and overall risk levels. Additionally, the process identifies proactive measures to mitigate impacts upon system implementation.
Information Technology Risk Management and Governance
BAM prioritizes IT Risk Management and Governance to elevate and refine operational processes in alignment with its corporate strategy. To ensure appropriate and timely responses to emerging incidents, the Company has established robust policies, guidelines, and measures, complemented by a continuous compliance review process that adheres to international standards. Furthermore, the Company has defined a strategic framework for IT risk management and regulation. This strategy focuses on the secure application of technology and proactive defense against evolving cyber threats, particularly those arising from the widespread integration of Artificial Intelligence (AI) in daily operations. The approach consists of the following four steps:

1. Governance, Risk Identification, and Strategic Objectives
BAM has established a robust IT risk management and security governance structure by adopting the Three Lines Model. This framework ensures a clear separation of duties and distinct accountability. Within this framework, Information Technology practitioners and system users act as the First Line by managing day-to-day internal controls; the units responsible for IT risk oversight and regulatory compliance serve as the Second Line; and the internal audit function operates as the Third Line to provide independent assurance. The Board of Directors holds the authority to approve risk management policies, ensuring all operations align with the corporate framework, while the Risk Oversight Committee is tasked with supervising and monitoring risk performance to ensure consistent adherence to established goals and policies.
BAM has established comprehensive IT risk management policies and guidelines that encompass the risk reporting process, assessment, and management strategies. This is achieved by evaluating the probability and impact of potential risk scenarios while defining clear target risk levels and risk appetite. The assessment framework considers technological complexity across operational, strategic, reputational, and legal domains, requiring close coordination between technology operators and system users to establish internal control measures. These measures align with international standards, specifically the NIST Cybersecurity Framework and ISO/IEC 27001:2022, ensuring continuous monitoring of technology risks through Information Technology Key Risk Indicators (IT KRIs). Furthermore, the Company performs Inherent Risk (IR) assessments and an annual Risk Management Capability (RMC) assessment covering six key areas: Strategic, Operational, Technology, Reputational, Cyber, and Compliance risks. The Company also conducts IT risk assessments, analyzes risk trends, and enhances its processes for monitoring and evaluating the organization's IT KRIs. Following the review of IT KRIs for 2025, as approved by the Risk Management Committee, the following six indicators have been established:
• KRI 1: IT Project Management Success Rate
• KRI 2: Cyber Threat Prevention Effectiveness
• KRI 3: Core Transaction System Recovery Time
• KRI 4: Incident Resolution Rate Within SLA
• KRI 5: Critical System Downtime Rate
• KRI 6: Electronic Personal Data Breach or Leakage Incidents
As the development and application of Artificial Intelligence (AI) may introduce new impacts and risks, BAM maintains rigorous risk monitoring and management to ensure effectiveness. Appropriate control measures are established across the entire AI lifecycle. Risk assessments evaluate multidimensional factors, including impact on people, society, the economy, AI model reliability, and resulting outputs, ensuring that AI-related risks remain within acceptable levels.
In 2025, BAM proactively oversaw, monitored, and provided advisory support for IT risk assessments in strict accordance with the ISO/IEC 27001:2022 international standard. This process involved a comprehensive review of risk scenarios against assessment criteria to determine and implement risk mitigation measures proportionate to the identified risk levels. The Company maintains ongoing collaboration with relevant agencies to monitor the progress of improvement plans and verify that all operations consistently meet the required standards.
In addition, BAM places significant importance on managing risks associated with stakeholders by conducting comprehensive risk assessments of all third-party IT service providers. These providers are categorized into three distinct risk tiers (High, Medium, and Low) based on their operational importance and potential risk. This classification framework allows the Company to prioritize services and carry out appropriate risk management.
2. Cybersecurity Protection, Monitoring, and Threat Awareness (Protect and Detect)
BAM has implemented measures to prevent cybersecurity risks, including organizational risks, information asset usage risks, and technical and physical access controls, such as Multi-Factor Authentication (MFA). These measures include assigning system access rights based on roles and responsibilities and maintaining data security. Additionally, the Company addresses risks from external factors that may affect the organization, such as risks from third-party service providers, through IT outsourcing risk assessments and monitoring of vulnerabilities that could be exploited by malicious actors. In 2025, the Company conducted Vulnerability Assessments and Penetration Testing (covering both internal and external networks) to proactively identify threats and continuously enhance incident detection capabilities.
Additionally, BAM continuously enhances security for threat prevention and monitoring by deploying Zero Trust Network Access (ZTNA) tools to control system access and limit exposure where potential threats are detected. Data security measures, such as encryption and Data Loss Prevention (DLP), have been implemented alongside a Security Information and Event Management (SIEM) system that collects data from critical systems and detects anomalies in real time. These tools enable the Company to quickly detect and respond to threats, minimizing potential impacts on all stakeholders.
3. Emergency Response and Recovery Capability (Response and Recovery)
To prepare for responding to security incidents and assessing the impacts of potential irregular incidents that may affect business operations, BAM conducted cyber drill exercises to test its cyber threat response plan. These exercises included two phishing simulations, with progressively realistic email content aligned with the current threat landscape.
BAM also conducts information security and cybersecurity incident response exercises in accordance with the operational plan to enable rapid management and resolution of unexpected issues and incidents, minimize damages, and ensure effective coordination. Furthermore, the Company emphasizes continuous monitoring to prevent recurrence through testing scenarios involving Advanced Persistent Threat (APT) attacks. The test scenario begins with a phishing email that lures users into opening malicious attachments, allowing threat actors to gain access to internal systems, achieve partial system control, deploy ransomware across the network, and ultimately steal and exfiltrate critical data (data breach) to external parties.
In addition, BAM conducted Disaster Recovery Plan (DRP) testing in 2025 to address new threats and ensure systems can be restored to normal operational status within the specified timeframe. The test details are as follows:
• Format: Simulation
• Scenario: An earthquake at the headquarters (Data Center) rendered systems inoperable, necessitating migration of operations to the Disaster Recovery (DR) Site.
The readiness assessment also evaluated the management of irregular incidents that could impact operations, such as system failures, crashes, or service unavailability. BAM also conducted detailed risk assessments, monitored system usage, and implemented a Business Continuity Management (BCM) framework. These actions ensure that the organization can respond effectively to emergencies and maintain operational resilience.
4. Building an Appropriate Organizational Cyber Culture (Cyber Behavior and Culture Awareness)
BAM has established clear objectives and operational targets to drive sustainable organizational growth. This includes the application of technology and innovation to streamline workflows and support broader digital transformation. To reinforce this, the Company is committed to fostering a robust cyber-corporate culture by promoting digital literacy. The Company provides continuous cybersecurity awareness initiatives to equip employees at all levels with the practical knowledge and skills required to defend against cyber threats. Key learning activities include:
• Security Behavior and Culture Program (SBCP)
As part of the organization's sustainability plan, BAM launched the "Cyber Playground," an interactive e-learning platform that utilizes gamification, combining puzzle-solving with simulated learning scenarios. Employees assume the roles of staff members navigating real-world cyber threat environments. (See Figure 1)

The Cyber Playground features two primary learning stations:
• Station 1: Phishing Defense
This station provides interactive training on how to identify suspicious emails and apply secure password management techniques. (See Figure 2) Participants are trained to identify realistic phishing emails, manage secure passwords, and execute comprehension tests designed to reinforce secure information habits and reduce the likelihood of successful cyber-attacks.

• Station 2: Secure Data Handling
This station focuses on data classification, the protection of personal data, and the consequences of data breaches. (See Figure 3) The objective is to ensure employees apply correct data management practices, mitigate risks, and embed a culture of personal data protection across the organization.

• New Technology Management Training
BAM organizes training on the Risk Management of New Technologies, covering information technology security and IT risk management for employees at all levels and relevant stakeholders. To ensure comprehensive learning, the Company invites expert speakers with specialized knowledge in various fields of modern technology, such as:
1) A course on new technology risk management entitled “AI & ME: The Next Prompt – Ready to Use” (See Figure 4) aims to enhance awareness and understanding of security in digital technology usage. This training prepares the workforce to respond to current incidents and anticipate threats that may arise in the future. Additionally, it strengthens foundational knowledge regarding applications and the specific risks that Generative AI may pose to the organization.

2) “Cyber Security Awareness” Course, with the topic “Cyber Survivor” (See Figure 5): This course aims to facilitate the exchange of professional experiences among information technology workers while communicating appropriate operational procedures to prevent and respond to threats. This program is designed to equip personnel with the knowledge to identify fraud and participate in deterring threats that may affect the Company. Key learning areas include detection methods, threat reporting protocols, and the procedures for requesting investigations into behaviors suspected to be cyber threats.

Fostering a Cybersecurity-Conscious Culture and Behavior
The Company places importance on using digital technology securely and appropriately, and has therefore defined a strategy for employee learning and development in digital technology (Digital Literacy). It also strengthens security behavior and culture (Security Behavior and Culture Program: SBCPs) to develop personnel who keep pace with technological change, which supports the organization in modernizing its work processes, improving efficiency, and sustaining long-term growth. The awareness-building approach consists of three steps: realistic scenario simulation (Simulation Testing), communication and training (Communication and Training), and evaluation and continuous improvement (Evaluation and Continuous Improvement).
Emerging Risk Assessment for Technology
In 2025, BAM identified emerging technological risks with the potential for both short-term and long-term impacts. A primary concern is cyber theft, where unauthorized actors may attempt to access the Company’s sensitive information. Additionally, the incorrect use of new technologies by employees could lead to the transmission of false information, including misinformation and disinformation, as well as inaccurate outputs from AI technology. While some of these represent long-term risks, the potential for impact increases as technology advances. These emerging risks jeopardize the Company’s critical information and increase the likelihood of data leakage. To address these challenges, the Company manages emerging technological risks through the following strategic actions:
1. Cyber Espionage Risks
Impact on the Company:
The exposure of sensitive customer credentials, such as usernames, passwords, and other personally identifiable information, poses a critical risk. If such data is leaked onto the Dark Web or published on public domains, it constitutes a major breach of BAM's information security. Beyond the immediate loss of data, these incidents severely damage customer confidence. Furthermore, BAM may face significant fines and legal penalties for non-compliance with personal data protection laws.
Remediation Approach:
BAM has established comprehensive measures and practices for information security and cybersecurity to defend against cyber espionage threats. These include implementing robust access control management systems, conducting regular and systematic vulnerability assessments, and providing ongoing security awareness training to educate employees on the importance of data protection and safe computing practices.
2. Misinformation and Disinformation Risks
Impact on the Company:
The creation of inaccurate or false information, including distorted content, may lead customers and stakeholders to receive misleading data. This can result in flawed decision-making and the unintentional spread of falsehoods, which directly impacts BAM’s operations. Furthermore, such incidents can cause significant reputational damage and lead to a loss of trust among customers and stakeholders.
Remediation Approach:
BAM provides comprehensive data management training for employees, emphasizing the cautious use of information and the necessity of verifying accuracy before use or dissemination. Additionally, the Company develops innovative learning communication tools to enhance employees' ability to evaluate data integrity. These initiatives focus on verifying sources and ensuring the reliability of information before dissemination or integration into work processes.
3. Adverse AI Outcome Risks
Impact on the Company:
The reliance on outputs from Generative AI (Gen-AI) without verification or evaluation of data accuracy may result in the dissemination of distorted or false information, leading to flawed decision-making and compromising the overall integrity of the data supporting BAM's operations.
Furthermore, processing confidential or internal information, such as customer data or proprietary documents, through personal Gen-AI accounts presents significant security threats. These include the risk of data leakage, the unintended use of proprietary information for model training, and inadvertent access by external parties. Such incidents can lead to critical breaches of information security, violations of personal data protection requirements (PDPA), and severe damage to BAM’s reputation.
Remediation Approach:
BAM has established guidelines for the use of Generative AI technology to enable employees to utilize Gen-AI appropriately, safely, and in accordance with ethical principles. These guidelines emphasize the responsibility to verify the accuracy of outputs before applying them to actual work and prohibit the use of internal company information, customer data, or any sensitive information with AI technologies outside the Company's control.
Additionally, BAM provides training on managing risks associated with Gen-AI technology to enhance knowledge and understanding of potential risks arising from its use. This helps reduce risks and promotes safer and more appropriate usage practices.
Personal Data Protection Management Process
- Data Protection by Design and by Default
- Data Protection Governance
- Privacy Notice
- Employee Training & Awareness
- Data Protection Assurance
- Data Breach Management
Personal Data Protection Operations
- Personal Data Protection Training and Awareness Building
1) Standard Knowledge Assessment
Employees participated in the knowledge assessment, covering 85.46 percent of the target group. To ensure that employees have an accurate understanding of their work, BAM has organized a knowledge assessment through the “Cyber Playground” system under the topic “Secure Data Handling”. This assessment was designed to evaluate the capability and readiness of employees to maintain personal data security in accordance with the Company's established standards.
2) Data Protection Awareness Promotion
Disseminating 12 publicity materials through continuous monthly communication. To ensure employees recognize the importance of personal data, BAM has continuously disseminated knowledge regarding operational guidelines and risk management. This is achieved through various communication channels, such as infographics and video clips, to create a clear understanding and encourage employees at all levels to strictly comply with the Personal Data Protection Policy.
- Reviewing and Updating Processing Activity Records
The personal data processing activities are 100% fully reviewed and recorded. BAM prioritizes the review and updating of the Records of Processing Activities (RoPA) to ensure they remain accurate and up-to-date. This process ensures that all procedures for processing and disclosing personal data are transparent and fully compliant with legal requirements.
- Risk and Impact Assessment (DPIA)
Two projects have fully passed the Data Protection Impact Assessment (DPIA) criteria. BAM prioritizes proactive risk management prior to commencing operations by requiring a Data Protection Impact Assessment (DPIA) for every new project or whenever significant changes occur in data processing workflows. This systematic approach allows the Company to analyze and mitigate potential risks to the rights and freedoms of data subjects in the most effective manner.
- Consultation and Knowledge Promotion
Providing consultation and recommendations on personal data protection for 12 total cases. The Data Protection Officer (DPO) proactively provides expert consultation to various departments to mitigate personal data risks. This includes documenting case studies and common inquiries to develop specialized knowledge-sharing materials, such as infographics and Q&A series. These resources are disseminated through internal communication systems to provide clarity and drive the continuous improvement of employee operational standards.
- Data Breach Preparedness and Response
The success rate of response drills according to the annual plan was 100 percent. To ensure BAM remains prepared to protect personal data in all situations, the Company has established a Business Continuity Plan and a Data Breach Response Plan. The Company conducts regular drills to test employee understanding and evaluate crisis management readiness in accordance with international standards.
- Management and Monitoring via Key Indicators Dashboard
100% completion of reporting according to the annual work plan. To effectively monitor and review compliance with Personal Data Protection laws, BAM has implemented a Key Indicators Dashboard to track the progress of data processing activities across critical areas. This tool serves to visualize performance against legal benchmarks and internal policies, enabling the Data Protection Officer (DPO) and executive management to supervise and manage personal data risks with high precision.
- Compliance Oversight and Monitoring
The completion rate for the annual compliance review was 100%. BAM attaches great importance to the rigorous supervision of activities involving personal data processing, particularly within critical functions such as customer relations and litigation management. These reviews are strictly conducted in accordance with legal requirements, internal regulations, and the Company’s Privacy Policy to ensure comprehensive adherence to data protection standards.
- External Collaboration and Data Protection Networks
Participating in two collaboration projects with regulatory agencies. BAM is committed to elevating personal data governance standards by participating in key initiatives under the supervision of the Office of the Personal Data Protection Commission (PDPC): the Privacy Maturity Model and the Privacy Index. Furthermore, in 2025, the Company conducted a comprehensive self-assessment in preparation for the PDPA Certification Mark application, with the objective of achieving formal certification by 2026.
Future Management Approach
- Readiness for the “Personal Data Protection Standards Promotion Project”: Focus on refining operational processes to achieve full readiness for the PDPA Certification Mark or future Data Protection Certifications.
- Third-Party Risk Management: Extend the scope of security governance across the supply chain by strengthening measures to monitor and assess the data risks of third-party service providers connected to or processing data for BAM, in order to mitigate external vulnerabilities.
- Readiness for Personal Data Protection in the AI Era
• Risk Analysis: Study and evaluate the impact of Artificial Intelligence (AI) technology on human rights and data privacy.
• Fair & Transparent Policy: Develop a policy framework for the use of AI, specifying requirements for fairness and transparency.
• Responsible AI Development: Promote and support the use of Responsible AI by integrating "Privacy by Design" and "Ethical AI" concepts into the development process from the outset (Privacy by Default) to ensure maximum data security.

