Thailand’s Office of the Insurance Commission (OIC) recently issued two notifications—one for life-insurance companies and another for insurance companies—establishing key criteria and requirements for insurance companies to manage risks relating to IT and cybersecurity.
The notifications, entitled Notifications Re: Criteria for the Supervision and Management of Risks Relating to Information Technology for Life/Non-life Insurance Companies B.E. 2563 (2020), came into effect on January 1, 2021, and cover eight major aspects of IT risk management as detailed below.
IT Governance
Insurance companies are required to monitor and manage IT risks and cyber threats in accordance with the size, characteristics, complexity, and context of their business operations, and each company should have at least one director with knowledge of, or past experience in, the field of information technology.
IT Project Management
Insurance companies are required to develop a written framework for IT project management, covering at least the commencement, implementation, and control of the project, as well as the project closing and post-project auditing. Companies must also appoint a committee for…