Sign In
SEC News
SEC amends the Rules on Establishment of Information Technology System to strengthen investor confidence



Tuesday 17 December 2024 | No. 271 / 2024


In October 2024, the SEC conducted a hearing to gather comments from the public and stakeholders on the draft amendments to the IT Regulation and Guideline. Feedback and suggestions from stakeholders were incorporated into the finalization process. The SEC has issued notifications specifying the amendments with the key points as follows:

          (1) To adjust the frequency of submitting IT audit reports to be more appropriate for the risk level of small business operators and low-risk operators, with measures that allow the SEC to monitor the business operators’ risks in the event of adverse incidents;  

          (2) To align the submission timeline for risk level assessment (RLA) reports and IT audit reports to the same period, specifically within the first quarter of each calendar year;  

           (3) To adjust security measures to be commensurate with the risks of small business operators by, for example, reducing the penetration testing frequency, increasing access control requirements to cover both generic user accounts and high-privileged user accounts, and requiring business operators to manage IT incidents by conducting root cause analysis, maintaining incident records, and reporting such incidents to the SEC;

           (4) To adjust the applicable scope for investment advisory business operators to ensure that they will be able to implement sufficient controls for managing IT-related risks arising from the use of technology;
          (5) To Improve other details of the rules to better communicate the intent of the oversight and enable effective risk control implementation.

The notifications of the aforesaid amendments will take effect from 1 January 2025 onwards.

 







Related News

SEC seeks public comments on amendments to regulations governing DRs, Thai ETFs’ investment in L&I ETFs, and margin lending
SEC launches E-Learning course on “SEC Open Data Services: Unlocking the potential of Thai capital market data” to promote data use in the digital age
SEC partners with TikTok Thailand to enhance investment literacy and resilience against financial fraud, empowering content creators to share quality information with the public
SEC seeks public comments on proposed criteria to include a "significant funding provider" as a major shareholder, to better reflect ultimate controlling persons
SEC files criminal complaint against Finansia Syrus Securities Plc. for deficiencies in KYC/CDD systems

Building Confidence in the Capital Market
NEWS
Securities and Exchange Commission
Corporate Communication and Investor Service Department
Tel. (66)2033-9502-5 E-mail: press@sec.or.th
No. 271 / 2024 Tuesday 17 December 2024
SEC amends the Rules on Establishment of Information Technology System to strengthen investor confidence

In October 2024, the SEC conducted a hearing to gather comments from the public and stakeholders on the draft amendments to the IT Regulation and Guideline. Feedback and suggestions from stakeholders were incorporated into the finalization process. The SEC has issued notifications specifying the amendments with the key points as follows:

          (1) To adjust the frequency of submitting IT audit reports to be more appropriate for the risk level of small business operators and low-risk operators, with measures that allow the SEC to monitor the business operators’ risks in the event of adverse incidents;  

          (2) To align the submission timeline for risk level assessment (RLA) reports and IT audit reports to the same period, specifically within the first quarter of each calendar year;  

           (3) To adjust security measures to be commensurate with the risks of small business operators by, for example, reducing the penetration testing frequency, increasing access control requirements to cover both generic user accounts and high-privileged user accounts, and requiring business operators to manage IT incidents by conducting root cause analysis, maintaining incident records, and reporting such incidents to the SEC;

           (4) To adjust the applicable scope for investment advisory business operators to ensure that they will be able to implement sufficient controls for managing IT-related risks arising from the use of technology;
          (5) To Improve other details of the rules to better communicate the intent of the oversight and enable effective risk control implementation.

The notifications of the aforesaid amendments will take effect from 1 January 2025 onwards.