On Sep. 12, Thai SEC amended criteria with respect to IT systems.
Thai SEC issued draft improvements regarding IT systems criteria along with risk.
Follows Thai CB's Jan. 2024 update on reporting data sets for IT risk; see #126034.
Proposed Amendments
There is an adjustment to the frequency of delivering IT audit reports to suit the size and risk of small and low-risk businesses, while still being able to monitor IT risks.
Amend the delivery schedule of the risk level assessment (RLA) report and the IT audit report to the same time period within the first quarter of each calendar year.
Improve the requirements for providing security measures consistent with the risks of small business operators, such as changing the frequency of penetration testing.
Add control measures to cover general user accounts, and require management of IT irregularities by providing cause analysis along with recording related data.
Improve the scope of enforcement for investment advisory business operators so they may have more appropriate IT risk management as well as control measures.
Consultation End
Stakeholders can submit comments until Oct. 15, 2024.
Nov. 2024 Amendment Finalized
On Nov. 21, 2024, Thai SEC finalized directive revising guidelines on IT systems for businesses dealing with digital tokens, securities, and other financial services.
The directive is effective from Jan. 1, 2025.
Document dated Nov. 21, 2024, received from Thai SEC Nov. 29, summarized Dec. 2.
Dec. 12, 2024 Additional Amendments
On Dec. 12, 2024, Thai SEC issued revised requirements for IT system implementation by financial institutions, namely expanding the scope and revising reporting requirements.
Expanded scope to include investment and derivatives advisors using technology for business operations; revised reporting requirements to include risk level assessment results and IT audit reports and remediation plans, both now due by Mar. 31 annually.
Modified IT audit frequency for small operators and low-risk firms, where audits are required at least every three years, with 2026 set as the first mandatory audit year.
Additional audits will be required after any significant security incidents occur.
Updated IT security rules for small operators; guidelines for additional transaction log submissions, rules for foreign bank branches, as well as enhanced security protocols.
The directive is effective from Jan. 1, 2025.
Follows the guidelines on IT system governance that Thai SEC issued in Nov. 2024; see #235711.
Dec. 17, 2024 Press Release
On Dec. 17, 2024, Thai SEC issued a press release regarding the above IT system rules for capital market business operators to enhance cybersecurity and investor confidence.
Regulators
Thai SEC
Entity Types
Corp; IA
Reference
PR 271/2567, 12/17/2024; Cir 5225/2567, 12/12/2024; Dir NP 6/2567, SorThor. 33/2567, Dir SorThor. 33/2567, 11/21/2024; PR 187/2567, 9/12/2024