On 15 February 2021, the Bank of Thailand introduced additional regulations on the Security of Information Technology Systems by e-payment services providers (specifically non-bank institutions) to improve resiliency against cybersecurity risks, enhance consumer protection, and to ensure Thailand’s e-payment infrastructure is in line with global best practices. The central bank stated that the newly released criteria will apply only to non-bank institutions that provide e-payment services. The requirements under the new regulations are substantially like the existing regulations controlling the security of information technology systems for financial institutions.
Sirithida Panomwon Na Ayudhya, assistant governor of payment systems policy and financial technology, broke down the regulations into two main areas: cyber-hygiene, which refers to building and improving security infrastructure for protection against malware and other malicious software, and IT risk management. The regulations are split into six main categories, which service providers will be required to comply with starting 29 April 2021, comprising security baseline and hardening, malware protection, security patch management, privileged user ID management, multi-factor authentication (MFA), as well as vulnerability assessment and penetration tests.
‘Significant’ E- Payment Service providers, who provide services to over five million accounts or conduct more than 10 million transactions, must also implement systems that effectively address IT risk management from 29 January 2022 onwards. This includes enacting effective IT governance and risk management policies that support supervision structures to ensure third lines of defense and implementing IT security procedures that cover aspects such as asset management, acquisition and development, and incident and problem management. Service providers are also required to implement adequate IT project management systems to ensure compliance with the new requirements.
According to Ms. Sirithida, similar regulations decreased cybersecurity risks in the UK by around 50%. She expressed hope that “additional IT management regulations will help protect cybersecurity risks and build up consumer confidence.”
The requirements under these new regulations will co-exist with the current cybersecurity management regulations surrounding governance, protection, response, and risk mitigation.
Matters related to fintech and technology are among Silk Legal’s key practice areas. For more information about these new regulations, please contact us at [email protected] or using the contact form provided.