104                l  Introduction  l  Nature of Business  l  Organisation and Shareholding Structure  l  Business Review  l Corporate Governance l Financial Statements l Other Information l





            training and improving the personnel’s technological knowledge; (4) setting out   are plans to provide additional security technologies to reduce the risk of other
            guidelines and measures for emergencies and interruption in operations and   threats that will arise in the future as well as establishing a backup center
            services; (5) closely monitoring and following the situation to mitigate potential   (Disaster Recovery Site) according to ISO/IEC 27001 standards to reduce
            risks and find appropriate preventive measures and guidelines; (6) modifying   the risk of business interruption which may affect the business operations,
            the preparation plans to mitigate the impact on the operations and services and   credibility, and reputation of the Group.
            to allow for swift and effective controls over the situation; and (7) encouraging
            cooperation among external agencies to prepare for disruption and effective   • The risk of future pandemics
            technology risk management.
                                                                                      An epidemic is a social risk arising from natural and unpredictable factors. When
                                                                                      it occurs, it has a huge impact on people’s lives, including the perspective of
            In addition, BTS Group has implemented strict measures to prevent unauthorised   society in change of lifestyles – whether influenced by media or increasing
            and unlawful access to, use of, or disclosure of its information, namely (1) setting   awareness of health issues, impact on businesses and the economy. The effects
            up a data security management system and operational workflow in case of   of these factors could last up to 3-5 years and the appropriate measures to
            a threat to data security; (2) setting out data recovery measures; (3) testing   alleviate such situations are challenging. As a result, there will be delays in
            the data security management system and penetration test on a regular basis to   economic growth in which various industries in the economy will be affected,
            inspect and improve the measures; (4) constantly training the employees and   especially within the mass transit industry carrying large number of passengers
            improving their knowledge concerning the data security policies and operational   as evident by the COVID-19 pandemic. In 2020/21, the number of trips in
            workflow; (5) update the central data platform that could be accessed, backed   the main Bangkok Mass Rapid Transit system decreased by 47 percent from
            up and recovered from various channels, e.g. using cloud system; (6) constantly   the previous year and negatively impacted the revenue of the Company, indicating
            update antivirus software especially ransomware and malware detection system   the epidemic has continued to affect the usage of public transport. It has altered
            together with system testing and malware database updates; (7) setting up   consumer perspectives in several areas, including increase in concerns of health
            a Data Sharing mechanism transfers the Personal Data to either domestic or   and safety issues from the spread of diseases on the mass rapid transit system
            a foreign country such as Data Encryption, Data-in-Transit Encryption and HTTP   due to high number of passengers in confined spaces and ticket purchase
            Encryption.                                                               patterns via online platforms. Therefore, the Company has implemented stringent
                                                                                      health and safety measures such as limiting the number of passengers, regularly
            In order to maintain the security of its information technology as well as   cleaning and disinfecting trains, and providing hand sanitisers for passengers
            the trust placed in the group by all the stakeholders, the Company, BTSC and   on platforms. If the Company is unable to meet passenger expectations, it may
            VGI PCL (VGI)  are currently certified under the ISO 27001:2013 Standard (Information   result in a decrease in number of ridership, consequently affecting the revenue
            Security Management System) by the British Standards Institution (BSI).   and overall operating results of the Group.


            The Group has established working procedures and installed modern security
            systems to accommodate the modification of the emerging threats and there