Thailand’s Office of the Insurance Commission (OIC) recently issued two notifications, one for life insurance companies and another for non-life insurance companies, establishing key criteria and requirements for insurers to manage risks relating to IT and cybersecurity.
The notifications, entitled Notifications Re: Criteria for the Supervision and Management of Risks Relating to Information Technology for Life/Non-life Insurance Companies B.E. 2563 (2020), came into effect on January 1, 2021, and cover eight major aspects of IT risk management, as detailed below.
Insurance companies are required to monitor and manage IT risks and cyber threats in accordance with the size, characteristics, complexity, and context of their business operations, and each company should have at least one director with knowledge of, or prior experience in, the field of information technology.
IT Project Management
Insurance companies are required to develop a written framework for IT project management, covering at least the commencement, implementation, and control of the project, as well as project closure and post-project auditing. Companies must also appoint a committee to supervise and monitor IT projects.
Insurance companies are required to institute a written IT security policy, which must be reviewed at least once a year or upon implementing any significant changes. The policy must be approved by the board of directors, or a relevant subcommittee appointed by the board of directors.
When outsourcing IT activities to third-party service providers, or entering into any arrangement that allows business partners to connect to or access the company’s IT systems, insurance companies are required to specify their own criteria and procedures for selecting third-party service providers, enter into a written service agreement and a service level agreement with the third-party provider, and comply with the other requirements under the notifications. Insurance companies will also be required to comply with the OIC’s forthcoming guidelines on the criteria for the supervision of IT outsourcing to third-party service providers.
IT Risk Management
Insurance companies must also write an IT risk management policy and review it at least once a year, or upon implementing any significant changes. This policy must also be approved by the board of directors or a subcommittee appointed by the board. Companies must also have procedures for IT risk assessment, treatment, monitoring, and review.
Insurance companies are required to implement the necessary IT compliance measures to conform with applicable laws and regulations relating to IT and anti-money laundering.
Insurance companies are required to have at least one internal or external IT auditor with experience and expertise in IT auditing. Companies are also required to establish a plan and scope for IT audits, which must be approved by the audit committee and reviewed at least once a year, or upon implementing any significant changes. IT audit reports must be approved by the audit committee and kept at the company’s office.
Insurance companies are required to establish a framework and guidelines for the supervision of, and protection against, cyber threats, in accordance with cybersecurity laws and commensurate with the size and complexity of their business operations. They must also implement the required measures against cyber threats, including risk identification, protection, detection, and countermeasures.
Insurance companies are obligated to report cyber threat incidents, and other threats that affect their IT systems, to the OIC in the following cases:
- They become aware of any material issue or incident regarding the use of IT that affects the company’s services, systems, reputation, or the data of insured parties. These include cases where the company’s material IT is subject to an actual cyberattack, or there is a potential threat of a cyberattack, that must be reported to the company’s chief executive officer. In this circumstance, companies are required to report the incident to the OIC, together with the other required details, immediately upon becoming aware of it.
- They are subject to an attack from any cyber threat causing issues or incidents relating to the availability of critical IT infrastructure. These incidents must be reported to the OIC, or to the responsible cybersecurity authority as required under the law, without delay and within 72 hours.
— to www.lexology.com