
Information Security Management
Information Security Policy
BCA has established an Information Security Policy in accordance with the company's business processes and in compliance with relevant regulations and standards related to information security. The policy represents the commitment of BCA to implement and maintain standards for protecting information security systems.
BCA is committed to the following principles of information security:
Continuous Improvement
BCA will continuously improve information security systems to adapt to evolving cybersecurity threats and to enhance our security posture. This includes regular assessments, updates, and the adoption of best practices in information security.
Data Integrity & Protection
BCA is dedicated to ensuring the integrity and protection of data. This involves maintaining robust security controls that protect data throughout its lifecycle. BCA implements measures to prevent breaches and to ensure that only authorized users can access or modify sensitive information.
Monitoring and Response
BCA will actively monitor information security threats and respond promptly to any incident. Our response plan will include identifying, assessing, and implementing mitigation strategies for our information systems.
Responsibility
BCA establishes individual responsibilities for the entire workforce pertaining to information security. All employees have varying degrees of responsibility for safeguarding our information assets, regardless of their specific roles within the organization. This includes being proactive in identifying and reporting suspicious activities, with reporting directly connected to the 24/7 Security Monitoring Center.
BCA conducts regular phishing simulations for all employees to ensure they are equipped with the knowledge and skills to recognize and respond to potential threats. By fostering a culture of shared responsibility, BCA aims to enhance our overall security posture and ensure that every team member contributes to the protection of our information systems.
Third-Party Information Security
Information Security Management
The resilience of information technology infrastructure and architecture is the main foundation for maintaining the security, stability, and operational sustainability of digital banking. Through a resilience technology approach, BCA's security system is designed to protect the entire value chain, from applications and networks to data, from potential threats such as viruses, malware, vulnerability exploits, and data leaks due to internal control weaknesses.
To anticipate incidents related to information security, BCA has established Business Continuity Management and a Business Continuity Plan (BCP), which are tested regularly to ensure their effectiveness. BCA implements structured information security incident handling procedures in four stages

Throughout 2025, there were no incidents of data breaches, either from internal sources or from third parties or vendors.
Information Security System Monitoring
BCA prioritizes the security and integrity of our IT infrastructure and information management systems. We have implemented a comprehensive monitoring framework that includes:
Conducting regular internal audits of IT infrastructure and information security management systems, at least every three years, to identify potential vulnerabilities and ensure that our systems are operating effectively and securely.
In addition to our internal audits, we engage independent external auditors to evaluate our IT infrastructure and information security management systems. We adhere to the internationally recognized standards during these audits as follows:

Reporting Indications/Potential Cyber Incidents
BCA has established a clear reporting mechanism that requires employees to immediately report any information security incidents, vulnerabilities, or suspicious activities to the Security Monitoring Center (SMC) through each employee's Information Asset Owner (IAO), email, or a hotline that operates 24/7. The SMC classifies and handles incidents based on their severity, escalating reports to senior management or regulatory authorities when necessary. The entire process is documented and tracked to ensure that risks are promptly identified and effectively managed.