Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

At the Board of Directors level, the responsibility for cybersecurity falls to the Director of Network and IT Solutions. The Vice President (VP) of Network/IT Strategy, Technology & Architecture is responsible for the Group’s overall cybersecurity strategy and governance, while our Operational Vice President (OVP) of Cyber Security is responsible for managing the day-to-day operation of Telkom’s Cyber Security Operation. Both report directly to the Director of Network & IT Solutions. Our Cyber Security Operation Center operates 24/7 to address cybersecurity threats and collaborates with related units to protect sensitive data. Its responsibilities include monitoring and responding to security threats and incidents, analyzing and investigating security events, conducting forensics, performing security testing and vulnerability management, and managing security threat intelligence.

The Telkom Group Cyber Security Squad was initiated in 2022 to support cross-entity collaboration on cybersecurity. In 2024, this function was formalized as the Telkom Group Cyber Security Committee, which includes representatives from all Telkom Directorates and cybersecurity representatives from our subsidiaries. The Committee’s Management is led by the Director of Network & IT Solutions, with the VP of Network/IT Strategy, Technology & Architecture serving as Working Level Coordinator. The Committee oversees the Group’s cybersecurity governance, providing strategic direction, as well as cybersecurity-related risks.

Cybersecurity risks are incorporated into our overall risk profile and our risk management team is responsible for managing these risks. Our risk management team, together with the management of each unit throughout our Group, ensures that risk assessment is carried out, establishes and executes our Risk Treatment Plan, implements controls, monitors and reviews the effectiveness of our information security system operations, and documents the results.  We conduct risk assessments at least once a year, according to rules set out in our Risk Assessment Policy Standards. We also conduct internal and external audits periodically or at least once a year. Discrepancies between implementation and policy identified in the operational process and audit results are followed up with evaluations and necessary corrective steps, which are fully documented. For oversight purposes, our risk management team provides a quarterly report on our risk profile to the Planning and Risk Evaluation and Monitoring Committee, which is part of our Board of Commissioners.

Incident Management

Our Computer Security Incident Response Team (“CSIRT”) manages and responds to cybersecurity incidents. Our CSIRT is part of the Group’s Crisis Management Team (CMT), which is responsible for preparing for and responding to potential emergencies and crises that could impact our organization. The CSIRT is responsible for managing crises related to cybersecurity.

·Composition: The CSIRT consists of designated personnel with specific roles and responsibilities related to cybersecurity incident management, such as the Coordinator and the Secretary, and multiple specific fields within it, such as Legal, Communications & Public Relations, IT & Infrastructure, among others. These designees each have designated tasks such as coordinating incident response activities, monitoring cybersecurity incident activities, supporting data management and reporting, undergoing post-incident evaluations, and ensuring all actions adhere to specific procedural and security response guidelines.
·Procedure and coordination: The CSIRT coordinates with various departments and stakeholders within our Group to ensure a comprehensive and timely response to cybersecurity incidents, such as by allowing coordinators and other key personnel to appoint appropriate deputies for daily operations or during incident handling. This enables inter-unit and even inter-subsidiary coordination for rapid incident response. If an incident suggests potential failures in data privacy, the cybersecurity team promptly coordinates with the Data Protection Team to ensure appropriate actions are taken. In such cases, our Data Privacy Policies are applied to address the incident, ensure compliance with data protection regulations, and mitigate related risks.
·Reporting: The CSIRT is responsible for reporting cybersecurity incidents to the relevant authorities, our management, and affected parties, as per our incident response plan, to ensure compliance with applicable regulatory requirements.

Policies and Procedures

We implement several policies and procedures designed to protect confidential information and personal data, as part of a comprehensive approach to maintaining confidentiality and preventing unauthorized access or disclosure. These policies and procedures include:

·Encryption technology: Such policies specify the design and implementation of adequate encryption technology to secure the transmission of information according to our needs, thus ensuring that sensitive data remains confidential during communication processes. With respect to encryption, we have implemented policies regarding the management of cryptography and security of physical environments that span both digital and physical domains of information security.
·Access control management: We have established Access Control Management standards governing physical access management, remote access management, user access management, and controls over system and application access. These standards include obligations not to share user access information (including passwords) with others and to report unauthorized use of access credentials. We adopt a structured approach to restrict and monitor who has access to specific pieces of information, thereby limiting the risk of unauthorized disclosure. Furthermore, we conduct regular review and revision of our Access Control Management standards. These reviews ensure that our access control mechanisms remain effective and in line with evolving security landscapes.
·Confidentiality agreements: Generally, we require written permission from the relevant business unit before copying or distributing sensitive data. Additionally, our confidentiality measures extend to controlling how information is shared, both internally and externally, and ensuring that sensitive data is only used for legitimate business purposes.
·Monitoring and reporting: Our information security policies include provisions for regular reviews of security procedures and control, as well as the effectiveness of information security control measures. These reviews are documented and evaluated to identify areas for improvement.
·Segregation of duties: Our emphasis on ensuring segregation of duties to prevent misuse of excessive privilege and information is also a critical measure for safeguarding the confidentiality and integrity of sensitive data. By requiring multiple checks or approvals for critical actions, we aim to reduce the risk of unauthorized access or disclosures.
·Incident response: Our information security policies include requirements for regular reviews of information security incidents and the effectiveness of the response. We also require immediate reporting in cases where sensitive data is damaged, lost, or stolen, so that we can quickly identify and mitigate any breaches of confidentiality.

Furthermore, we implement and regularly update our cybersecurity policies to align with evolving needs and industry standards and regulations. These updates incorporate changes and improvements in information security management to ensure that our practices remain effective and relevant. In order to keep our information security standards current and effective, we endeavor to adhere to international standards such as ISO/IEC 27001:2013, which are globally recognized frameworks for information security. We attained these certifications on April 12, 2022. In addition, with respect to application development, we consider the OWASP Secure Coding Practices Checklist, which provides guidance on best practices in coding to enhance application security. This checklist specifically helps developers avoid common coding pitfalls that could lead to security vulnerabilities. We also conduct vulnerability and penetration tests on the applications to ensure compliance with our cybersecurity standards.

Overall, our policies and procedures collectively form a framework aimed at preserving the confidentiality of sensitive information and preventing unauthorized disclosure through technical, administrative, and procedural safeguards.  

Employees and Third Parties

We endeavor to establish clear guidelines for employee behavior and raise cybersecurity awareness among our workforce in the following ways. In addition to our own employees, we also extend our information security regulations to external parties and work partner employees. This means that individuals or organizations who collaborate with or provide services to us are required to adhere to our information security policies and standards.

To effectively address potential cybersecurity threats stemming from our engagement with third-party service providers, we carefully identify and assess cybersecurity risks inherent to such engagement on a case-by-case basis. Following such identification of risks and assessment, we may include specific agreements, covenants and representations in our contracts with such third-party service providers to require compliance with cybersecurity standards we deem appropriate.

Employee Behavioral Guidelines

We have established clear and detailed guidelines designed to safeguard confidential information and minimize the risk of information leakage or misuse by our employees. These guidelines encompass various aspects of data handling, confidentiality, and the acceptable use of company resources. Specifically, our guidelines cover the following:

·Employee obligations and prohibitions: Employees are required to know, understand, and comply with our information security policies, sign an Integrity Pact annually, and responsibly manage and protect information from misuse by unauthorized parties. Our guidelines explicitly prohibit several actions to protect confidential information, including sharing passwords, accessing information unlawfully, misusing company information, storing important company documents without proper security measures, and leaving devices unsecured. Our employees are also responsible for ensuring their actions align with applicable standards.
·Social media and external communication: Our guidelines prescribe restrictions on posting or forwarding information classified as Highly Confidential or Confidential on social media, except for specific company programs. Our guidelines also prohibit the posting or forwarding of hoax news, provocative materials, or content related to sensitive social issues, and the unauthorized sharing of company information with unauthorized parties.
·Use of cloud storage and external software: Storing classified information in cloud storage or websites not managed by us is forbidden, as is the installation of software on information technology work equipment outside of established procedures or that infringes on intellectual property laws.
·Handling and transmission of sensitive data: Our guidelines mandate that transactions of data and information classified as Confidential or Highly Confidential must be conducted through systems managed by us to prevent unauthorized access and ensure data integrity.

These guidelines aim to ensure that our employees act responsibly with regard to the handling and distribution of confidential and sensitive information. The measures are designed to cultivate a security-conscious environment, thereby reducing the likelihood of inadvertent leaks or malicious misuse of company data and resources.  

Increasing Cybersecurity Awareness

We conduct programs aimed at improving the cybersecurity awareness of our employees. This includes continuous socialization of our Information Security Governance policies and competency enhancement related to cybersecurity awareness. We also test the level of cybersecurity awareness of our employees periodically or as needed.

We also have a procedure in place for enforcing discipline regarding any violations of our information security regulations, which includes coordination among relevant units, such as the Human Capital Management Unit and Cyber Security Unit.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

Incident Management

Our Computer Security Incident Response Team (“CSIRT”) manages and responds to cybersecurity incidents. Our CSIRT is part of the Group’s Crisis Management Team (CMT), which is responsible for preparing for and responding to potential emergencies and crises that could impact our organization. The CSIRT is responsible for managing crises related to cybersecurity.

·Composition: The CSIRT consists of designated personnel with specific roles and responsibilities related to cybersecurity incident management, such as the Coordinator and the Secretary, and multiple specific fields within it, such as Legal, Communications & Public Relations, IT & Infrastructure, among others. These designees each have designated tasks such as coordinating incident response activities, monitoring cybersecurity incident activities, supporting data management and reporting, undergoing post-incident evaluations, and ensuring all actions adhere to specific procedural and security response guidelines.
·Procedure and coordination: The CSIRT coordinates with various departments and stakeholders within our Group to ensure a comprehensive and timely response to cybersecurity incidents, such as by allowing coordinators and other key personnel to appoint appropriate deputies for daily operations or during incident handling. This enables inter-unit and even inter-subsidiary coordination for rapid incident response. If an incident suggests potential failures in data privacy, the cybersecurity team promptly coordinates with the Data Protection Team to ensure appropriate actions are taken. In such cases, our Data Privacy Policies are applied to address the incident, ensure compliance with data protection regulations, and mitigate related risks.
·Reporting: The CSIRT is responsible for reporting cybersecurity incidents to the relevant authorities, our management, and affected parties, as per our incident response plan, to ensure compliance with applicable regulatory requirements.

Policies and Procedures

We implement several policies and procedures designed to protect confidential information and personal data, as part of a comprehensive approach to maintaining confidentiality and preventing unauthorized access or disclosure. These policies and procedures include:

·Encryption technology: Such policies specify the design and implementation of adequate encryption technology to secure the transmission of information according to our needs, thus ensuring that sensitive data remains confidential during communication processes. With respect to encryption, we have implemented policies regarding the management of cryptography and security of physical environments that span both digital and physical domains of information security.
·Access control management: We have established Access Control Management standards governing physical access management, remote access management, user access management, and controls over system and application access. These standards include obligations not to share user access information (including passwords) with others and to report unauthorized use of access credentials. We adopt a structured approach to restrict and monitor who has access to specific pieces of information, thereby limiting the risk of unauthorized disclosure. Furthermore, we conduct regular review and revision of our Access Control Management standards. These reviews ensure that our access control mechanisms remain effective and in line with evolving security landscapes.
·Confidentiality agreements: Generally, we require written permission from the relevant business unit before copying or distributing sensitive data. Additionally, our confidentiality measures extend to controlling how information is shared, both internally and externally, and ensuring that sensitive data is only used for legitimate business purposes.
·Monitoring and reporting: Our information security policies include provisions for regular reviews of security procedures and control, as well as the effectiveness of information security control measures. These reviews are documented and evaluated to identify areas for improvement.
·Segregation of duties: Our emphasis on ensuring segregation of duties to prevent misuse of excessive privilege and information is also a critical measure for safeguarding the confidentiality and integrity of sensitive data. By requiring multiple checks or approvals for critical actions, we aim to reduce the risk of unauthorized access or disclosures.
·Incident response: Our information security policies include requirements for regular reviews of information security incidents and the effectiveness of the response. We also require immediate reporting in cases where sensitive data is damaged, lost, or stolen, so that we can quickly identify and mitigate any breaches of confidentiality.

Furthermore, we implement and regularly update our cybersecurity policies to align with evolving needs and industry standards and regulations. These updates incorporate changes and improvements in information security management to ensure that our practices remain effective and relevant. In order to keep our information security standards current and effective, we endeavor to adhere to international standards such as ISO/IEC 27001:2013, which are globally recognized frameworks for information security. We attained these certifications on April 12, 2022. In addition, with respect to application development, we consider the OWASP Secure Coding Practices Checklist, which provides guidance on best practices in coding to enhance application security. This checklist specifically helps developers avoid common coding pitfalls that could lead to security vulnerabilities. We also conduct vulnerability and penetration tests on the applications to ensure compliance with our cybersecurity standards.

Overall, our policies and procedures collectively form a framework aimed at preserving the confidentiality of sensitive information and preventing unauthorized disclosure through technical, administrative, and procedural safeguards.  

Employees and Third Parties

We endeavor to establish clear guidelines for employee behavior and raise cybersecurity awareness among our workforce in the following ways. In addition to our own employees, we also extend our information security regulations to external parties and work partner employees. This means that individuals or organizations who collaborate with or provide services to us are required to adhere to our information security policies and standards.

To effectively address potential cybersecurity threats stemming from our engagement with third-party service providers, we carefully identify and assess cybersecurity risks inherent to such engagement on a case-by-case basis. Following such identification of risks and assessment, we may include specific agreements, covenants and representations in our contracts with such third-party service providers to require compliance with cybersecurity standards we deem appropriate.

Employee Behavioral Guidelines

We have established clear and detailed guidelines designed to safeguard confidential information and minimize the risk of information leakage or misuse by our employees. These guidelines encompass various aspects of data handling, confidentiality, and the acceptable use of company resources. Specifically, our guidelines cover the following:

·Employee obligations and prohibitions: Employees are required to know, understand, and comply with our information security policies, sign an Integrity Pact annually, and responsibly manage and protect information from misuse by unauthorized parties. Our guidelines explicitly prohibit several actions to protect confidential information, including sharing passwords, accessing information unlawfully, misusing company information, storing important company documents without proper security measures, and leaving devices unsecured. Our employees are also responsible for ensuring their actions align with applicable standards.
·Social media and external communication: Our guidelines prescribe restrictions on posting or forwarding information classified as Highly Confidential or Confidential on social media, except for specific company programs. Our guidelines also prohibit the posting or forwarding of hoax news, provocative materials, or content related to sensitive social issues, and the unauthorized sharing of company information with unauthorized parties.
·Use of cloud storage and external software: Storing classified information in cloud storage or websites not managed by us is forbidden, as is the installation of software on information technology work equipment outside of established procedures or that infringes on intellectual property laws.
·Handling and transmission of sensitive data: Our guidelines mandate that transactions of data and information classified as Confidential or Highly Confidential must be conducted through systems managed by us to prevent unauthorized access and ensure data integrity.

These guidelines aim to ensure that our employees act responsibly with regard to the handling and distribution of confidential and sensitive information. The measures are designed to cultivate a security-conscious environment, thereby reducing the likelihood of inadvertent leaks or malicious misuse of company data and resources.  

Increasing Cybersecurity Awareness

We conduct programs aimed at improving the cybersecurity awareness of our employees. This includes continuous socialization of our Information Security Governance policies and competency enhancement related to cybersecurity awareness. We also test the level of cybersecurity awareness of our employees periodically or as needed.

We also have a procedure in place for enforcing discipline regarding any violations of our information security regulations, which includes coordination among relevant units, such as the Human Capital Management Unit and Cyber Security Unit.

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

At the Board of Directors level, the responsibility for cybersecurity falls to the Director of Network and IT Solutions. The Vice President (VP) of Network/IT Strategy, Technology & Architecture is responsible for the Group’s overall cybersecurity strategy and governance, while our Operational Vice President (OVP) of Cyber Security is responsible for managing the day-to-day operation of Telkom’s Cyber Security Operation. Both report directly to the Director of Network & IT Solutions. Our Cyber Security Operation Center operates 24/7 to address cybersecurity threats and collaborates with related units to protect sensitive data. Its responsibilities include monitoring and responding to security threats and incidents, analyzing and investigating security events, conducting forensics, performing security testing and vulnerability management, and managing security threat intelligence.

The Telkom Group Cyber Security Squad was initiated in 2022 to support cross-entity collaboration on cybersecurity. In 2024, this function was formalized as the Telkom Group Cyber Security Committee, which includes representatives from all Telkom Directorates and cybersecurity representatives from our subsidiaries. The Committee’s Management is led by the Director of Network & IT Solutions, with the VP of Network/IT Strategy, Technology & Architecture serving as Working Level Coordinator. The Committee oversees the Group’s cybersecurity governance, providing strategic direction, as well as cybersecurity-related risks.

Cybersecurity risks are incorporated into our overall risk profile and our risk management team is responsible for managing these risks. Our risk management team, together with the management of each unit throughout our Group, ensures that risk assessment is carried out, establishes and executes our Risk Treatment Plan, implements controls, monitors and reviews the effectiveness of our information security system operations, and documents the results.  We conduct risk assessments at least once a year, according to rules set out in our Risk Assessment Policy Standards. We also conduct internal and external audits periodically or at least once a year. Discrepancies between implementation and policy identified in the operational process and audit results are followed up with evaluations and necessary corrective steps, which are fully documented. For oversight purposes, our risk management team provides a quarterly report on our risk profile to the Planning and Risk Evaluation and Monitoring Committee, which is part of our Board of Commissioners.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Telkom Group Cyber Security Committee
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] our risk management team provides a quarterly report on our risk profile to the Planning and Risk Evaluation and Monitoring Committee, which is part of our Board of Commissioners.
Cybersecurity Risk Role of Management [Text Block] risk management team is responsible for managing these risks
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our Computer Security Incident Response Team (“CSIRT”) manages and responds to cybersecurity incidents. Our CSIRT is part of the Group’s Crisis Management Team (CMT), which is responsible for preparing for and responding to potential emergencies and crises that could impact our organization. The CSIRT is responsible for managing crises related to cybersecurity.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The CSIRT consists of designated personnel with specific roles and responsibilities related to cybersecurity incident management, such as the Coordinator and the Secretary, and multiple specific fields within it, such as Legal, Communications & Public Relations, IT & Infrastructure, among others. These designees each have designated tasks such as coordinating incident response activities, monitoring cybersecurity incident activities, supporting data management and reporting, undergoing post-incident evaluations, and ensuring all actions adhere to specific procedural and security response guidelines
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The CSIRT is responsible for reporting cybersecurity incidents to the relevant authorities, our management, and affected parties, as per our incident response plan, to ensure compliance with applicable regulatory requirements.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true