Cybersecurity Laws and Regulations in Thailand: A Comprehensive Overview
Thailand has implemented various laws and regulations aimed at enhancing cybersecurity measures in the corporate sector. This article provides a detailed summary of key aspects, including corporate governance, incident response, disclosure requirements, litigation, and insurance.
Corporate Governance (Section 5)
Directors or officers may be held liable for failing to prevent or mitigate an Incident, which highlights the importance of effective risk management and cybersecurity measures in Thailand. While companies are not required by law to designate a Chief Information Security Officer (CISO), some organizations may choose to appoint one due to the severity of potential risks.
Key points:
- Directors or officers may be held liable for failing to prevent or mitigate an Incident.
- Companies are not required to designate a CISO by law, but may do so voluntarily.
- The Office of Insurance Commission (OIC) requires insurance companies to follow certain guidelines, and financial institutions must appoint a CISO if they face high cybersecurity risks.
Incident Response (Section 5)
Incident response planning is crucial in Thailand, particularly for securities firms, financial institutions, and e-payment service providers. These organizations are required to report Incidents and maintain reports about their services for inspection by relevant authorities.
Key points:
- The Central Securities Board of Thailand (CSB) requires securities firms to report Incidents.
- Financial institutions and e-payment service providers must create reports about their services and make them available for inspection by the Bank of Thailand (BOT).
Litigation (Section 6)
Affected individuals in Thailand can claim civil damages for wrongful acts (tort) under the Civil and Commercial Code (CCC). Companies that hold customer data may be liable for breaches under the Personal Data Protection Act (PDPA), allowing individuals to bring civil actions for compensation.
Key points:
- Affected individuals can claim civil damages for wrongful acts (tort) under the CCC.
- Companies that hold customer data may be liable for breaches under the PDPA, allowing individuals to bring civil actions for compensation.
Insurance (Section 7)
The OIC allows insurance companies to sell cyber insurance policies in Thailand. These policies can cover theft of funds, cyber extortion, business interruption losses, and other related costs.
Key points:
- The OIC allows insurance companies to sell cyber insurance policies.
- Each insurance company has its own conditions and exclusions.
Conclusion
Thailand’s cybersecurity laws and regulations emphasize the importance of incident response planning, risk assessments, and disclosure requirements. Failure to prevent or mitigate Incidents may expose directors, officers, and the companies themselves to liability.