Sign In
SEC News
SEC public hearing on proposed revisions to the Rules on Establishment of Information Technology System



Monday 17 June 2024 | No. 121 / 2024


Bangkok, 17 June 2024 – The Securities and Exchange Commission (SEC) is seeking public comments on draft revisions to the Rules on Establishment of Information Technology Systems (“IT Regulation and Guideline”) to align the requirements with the risk profiles of different groups of business operators. The draft revisions aim to accommodate changes in technology, cyber threats, and international standards.

Following the issuance of regulations on information technology systems in 2022*, the SEC recognizes that the current rules should be updated to enable business operators in the capital market to implement effective information technology risk control measures on a continuing basis without imposing undue burdens. The SEC is therefore conducting this public hearing on the proposed revisions to the Rules on Establishment of Information Technology Systems, with the following key points: 

    (1) To adjust the frequency of submitting IT audit reports to be appropriate for the risk level of small business operators and low-risk operators, requiring submission every three years or upon occurrence of a widespread adverse incident; 

    (2) To adjust submission of risk level assessment (RLA) forms and IT audit reports to be in the same period, i.e., the first quarter of each year; 

    (3) To adjust security measures to be commensurate with the risks of small business operators, such as reducing penetration testing frequency to once every three years, increasing controls for generic user accounts, and maintaining incident records for at least two years with root cause analysis; 

    (4) To adjust the applicable scope of investment advisory business operators to ensure that they would implement sufficient controls for managing IT-related risks arising from the use of technology; and 

    (5) To improve other details of the rules to better communicate the intent and enable effective risk control implementation.

The consultation paper is available at https://www.sec.or.th/TH/Pages/PB_Detail.aspx?SECID=998  and the central legal hub at www.law.go.th . Stakeholders and interested parties are welcome to submit comments and suggestions through the websites or email: cyberteam@sec.or.th. The public hearing ends on 15 July 2024. 

______________________

Note:

* Notification of the Office of the Securities and Exchange Commission No. Sor Thor. 38/2565 Re: Rules in Details concerning Arrangements of Information Technology Systems, dated 28 September 2022, effective from 1 July 2023 onwards. 





Related News

SEC public hearing on proposed amendments to the regulations on submission of financial statements by REIT managers
Capital market sector gears up to accommodate Thai ESGX IPOs and centralized LTF database portal launches on May 2
SEC public hearing on proposed amendments to IA refresher course regulations
SEC public hearing on draft amendments to qualifications criteria for foreign mutual funds investible by Thai mutual funds
SEC updates progress on Thai ESGX, businesses ready for IPO and transfer of LTF during May – June

Building Confidence in the Capital Market
NEWS
Securities and Exchange Commission
Corporate Communication and Investor Service Department
Tel. (66)2033-9502-5 E-mail: press@sec.or.th
No. 121 / 2024 Monday 17 June 2024
SEC public hearing on proposed revisions to the Rules on Establishment of Information Technology System

Bangkok, 17 June 2024 – The Securities and Exchange Commission (SEC) is seeking public comments on draft revisions to the Rules on Establishment of Information Technology Systems (“IT Regulation and Guideline”) to align the requirements with the risk profiles of different groups of business operators. The draft revisions aim to accommodate changes in technology, cyber threats, and international standards.

Following the issuance of regulations on information technology systems in 2022*, the SEC recognizes that the current rules should be updated to enable business operators in the capital market to implement effective information technology risk control measures on a continuing basis without imposing undue burdens. The SEC is therefore conducting this public hearing on the proposed revisions to the Rules on Establishment of Information Technology Systems, with the following key points: 

    (1) To adjust the frequency of submitting IT audit reports to be appropriate for the risk level of small business operators and low-risk operators, requiring submission every three years or upon occurrence of a widespread adverse incident; 

    (2) To adjust submission of risk level assessment (RLA) forms and IT audit reports to be in the same period, i.e., the first quarter of each year; 

    (3) To adjust security measures to be commensurate with the risks of small business operators, such as reducing penetration testing frequency to once every three years, increasing controls for generic user accounts, and maintaining incident records for at least two years with root cause analysis; 

    (4) To adjust the applicable scope of investment advisory business operators to ensure that they would implement sufficient controls for managing IT-related risks arising from the use of technology; and 

    (5) To improve other details of the rules to better communicate the intent and enable effective risk control implementation.

The consultation paper is available at https://www.sec.or.th/TH/Pages/PB_Detail.aspx?SECID=998  and the central legal hub at www.law.go.th . Stakeholders and interested parties are welcome to submit comments and suggestions through the websites or email: cyberteam@sec.or.th. The public hearing ends on 15 July 2024. 

______________________

Note:

* Notification of the Office of the Securities and Exchange Commission No. Sor Thor. 38/2565 Re: Rules in Details concerning Arrangements of Information Technology Systems, dated 28 September 2022, effective from 1 July 2023 onwards.