Thailand’s Office of the Insurance Commission (OIC) recently issued two notifications—one for life-insurance companies and another for insurance companies—establishing key criteria and requirements for insurance companies to manage risks relating to IT and cybersecurity. The notifications, entitled Notifications Re: Criteria for the Supervision and Management of Risks Relating to Information Technology for Life/Non-life Insurance Companies B.E. 2563 (2020), came into effect on January 1, 2021, and cover eight major aspects of IT risk management as detailed below.

IT Governance

Insurance companies are required to monitor and manage IT risks and cyber threats in accordance with the size, characteristics, complexity, and context of their business operations, and each company should have at least one director with knowledge of, or past experience in, the field of information technology.

IT Project Management

Insurance companies are required to develop a written framework for IT project management, covering at least the commencement, implementation, and control of the project, as well as the project closing and post-project auditing. Companies must also appoint a committee for supervising and monitoring IT projects.

IT Security

Insurance companies are required to institute a written IT security policy, which must be reviewed at least once a year or upon implementing any significant changes. The policy must be approved by the board of directors, or a relevant subcommittee appointed by the board of directors.

In outsourcing IT activities to third-party service providers, or entering into any arrangement that allows business partners to connect to or access the company’s IT system, insurance companies are required to specify their own criteria and procedures for the selection of third-party service providers, enter into a written service agreement and a service level agreement with the third-party provider, and conform with other requirements under the notifications.

Insurance companies will also be required to comply with the OIC’s forthcoming