
January 13, 2021

IT Risks in Insurance: Thailand’s Regulator Sets Criteria for Monitoring and Managing

Thailand’s Office of the Insurance Commission (OIC) recently issued two notifications—one for life-insurance companies and another for insurance companies—establishing key criteria and requirements for insurance companies to manage risks relating to IT and cybersecurity.

The notifications, entitled Notifications Re: Criteria for the Supervision and Management of Risks Relating to Information Technology for Life/Non-life Insurance Companies B.E. 2563 (2020), came into effect on January 1, 2021, and cover eight major aspects of IT risk management as detailed below.

IT Governance

Insurance companies are required to monitor and manage IT risks and cyber threats in accordance with the size, characteristics, complexity, and context of their business operations, and each company should have at least one director with knowledge of, or past experience in, the field of information technology.

IT Project Management

Insurance companies are required to develop a written framework for IT project management, covering at least the commencement, implementation, and control of the project, as well as the project closing and post-project auditing. Companies must also appoint a committee for supervising and monitoring IT projects.

IT Security

Insurance companies are required to institute a written IT security policy, which must be reviewed at least once a year or upon implementing any significant changes. The policy must be approved by the board of directors, or a relevant subcommittee appointed by the board of directors.

In outsourcing IT activities to third-party service providers, or entering into any arrangement that allows business partners to connect to or access the company’s IT system, insurance companies are required to specify their own criteria and procedures for the selection of third-party service providers, enter into a written service agreement and a service level agreement with the third-party provider, and conform with other requirements under the notifications. Insurance companies will also be required to comply with the OIC’s forthcoming guidelines on the criteria for the supervision of IT outsourcing to third-party service providers.

IT Risk Management

Insurance companies must also write an IT risk management policy and review it at least once a year, or upon implementing any significant changes. This policy must also be approved by the board of directors or their appointed subcommittee. The companies must also have procedures for IT risk assessment, treatment, monitoring, and reviews.

IT Compliance

Insurance companies are required to implement the required measures for IT compliance to conform with applicable laws and regulations concerning IT and anti-money laundering.

IT Audit

Insurance companies are required to have at least one internal or external IT auditor with experience and expertise in IT auditing. Companies are also required to establish a plan and scope for IT audits, which must be approved by the audit committee and reviewed at least once a year, or upon implementing any significant changes. The IT audit reports must be approved by the audit committee and kept at the company office.

Cybersecurity

Insurance companies are required to establish a framework and guidelines for supervision of and protection against cyber threats, in accordance with cybersecurity laws and commensurate with the size and complexity of their business operations. They must also implement required measures against cyber threats, including risk identification, protection, detection, and countermeasures.

Reporting Obligations

Insurance companies are obligated to report cyber threat incidents to the OIC, and other threats that affect their IT systems, in the following cases:

  • They become aware of any material issue or incident regarding the use of IT that affects the company’s services, systems, reputation, or the data of insured parties. These incidents include cases where a company’s material IT is subject to an actual cyberattack, or there is a potential threat of a cyberattack, that must be reported to the company’s chief executive officer. In this circumstance, the companies are required to report the incident to the OIC, along with other required details, immediately upon becoming aware of it.
  • They are subject to an attack from any cyber threat causing issues or incidents relating to the provision of critical IT infrastructure. These incidents must be reported to the OIC, or the responsible cybersecurity authority as required under the law, without delay and within 72 hours.

For more information on the requirements under these notifications, or on any aspect of insurance law in Thailand, please contact the Tilleke & Gibbins insurance team at [email protected], [email protected], or [email protected].
