In an announcement made on 15 February 2021, the Bank of Thailand introduced additional regulations on the supervision of the security of information technology systems by e-payment service providers, specifically non-bank institutions, in order to improve resilience against mounting cybersecurity risks, protect consumers, and ensure that Thailand’s e-payment infrastructure is in line with industry best practices.

The central bank has stated that the criteria set out in the new regulations will apply only to non-bank institutions that provide e-payment services. The requirements under the new regulations use the same criteria as the existing regulations governing the security of information technology systems at financial institutions.

Sirithida Panomwon Na Ayudhya, assistant governor of payment systems policy and financial technology, broke the regulations down into two main areas: cyber hygiene, which refers to building and improving security infrastructure for protection against malware and other malicious software, and IT risk management. Starting 29 April 2021, service providers will be required to implement six primary facets of cyber hygiene: security baseline and hardening, malware protection, security patch management, privileged user ID management, multi-factor authentication (MFA), and vulnerability assessment and penetration testing.

‘Significant’ e-payment service providers, meaning those that provide services to over five million accounts or conduct more than 10 million transactions, must also implement systems that effectively address IT risk management from 29 January 2022 onwards. This includes enacting effective IT governance and risk management policies that support supervisory structures so as to ensure three lines of defense, and implementing IT security procedures that cover aspects such as asset management, acquisition and development, and incident and problem management. Service providers are also required to implement adequate IT project management systems to ensure compliance with the new requirements.

According to Ms. Sirithida, similar regulations decreased cybersecurity risks in the UK by around 50%. She expressed hope that “additional IT management regulations will help protect cybersecurity risks and build up consumer confidence.”

The requirements under these new regulations will exist concurrently with those stipulated under existing cybersecurity management regulations surrounding governance, protection, response, and risk mitigation.

Source: Silk Legal news