English (United States) News

SEC News

SEC amends the Rules on Establishment of Information Technology System to strengthen investor confidence

Tuesday 17 December 2024 | No. 271 / 2024

Bangkok, 17 December 2024 – The Securities and Exchange Commission (SEC) has issued notifications regarding amendments to the Rules on Establishment of Information Technology System (“IT Regulation and Guideline”) to align the requirements with the risk profiles of different groups of business operators. The rules aim to accommodate technological advancements, address cyber threats, and ensure alignment with international standards. The amendments will take effect on 1 January 2025.

In October 2024, the SEC conducted a hearing to gather comments from the public and stakeholders on the draft amendments to the IT Regulation and Guideline. Feedback and suggestions from stakeholders were incorporated into the finalization process. The SEC has issued notifications specifying the amendments with the key points as follows:

(1) To adjust the frequency of submitting IT audit reports to be more appropriate for the risk level of small business operators and low-risk operators, with measures that allow the SEC to monitor the business operators’ risks in the event of adverse incidents;

(2) To align the submission timeline for risk level assessment (RLA) reports and IT audit reports to the same period, specifically within the first quarter of each calendar year;

(3) To adjust security measures to be commensurate with the risks of small business operators by, for example, reducing the penetration testing frequency, increasing access control requirements to cover both generic user accounts and high-privileged user accounts, and requiring business operators to manage IT incidents by conducting root cause analysis, maintaining incident records, and reporting such incidents to the SEC;

(4) To adjust the applicable scope for investment advisory business operators to ensure that they will be able to implement sufficient controls for managing IT-related risks arising from the use of technology;
(5) To Improve other details of the rules to better communicate the intent of the oversight and enable effective risk control implementation.

The notifications of the aforesaid amendments will take effect from 1 January 2025 onwards.

NEWS

Securities and Exchange Commission

Corporate Communication and Investor Service Department

Tel. (66)2033-9502-5 E-mail: press@sec.or.th

No. 271 / 2024	Tuesday 17 December 2024
SEC amends the Rules on Establishment of Information Technology System to strengthen investor confidence
Bangkok, 17 December 2024 – The Securities and Exchange Commission (SEC) has issued notifications regarding amendments to the Rules on Establishment of Information Technology System (“IT Regulation and Guideline”) to align the requirements with the risk profiles of different groups of business operators. The rules aim to accommodate technological advancements, address cyber threats, and ensure alignment with international standards. The amendments will take effect on 1 January 2025.
In October 2024, the SEC conducted a hearing to gather comments from the public and stakeholders on the draft amendments to the IT Regulation and Guideline. Feedback and suggestions from stakeholders were incorporated into the finalization process. The SEC has issued notifications specifying the amendments with the key points as follows: (1) To adjust the frequency of submitting IT audit reports to be more appropriate for the risk level of small business operators and low-risk operators, with measures that allow the SEC to monitor the business operators’ risks in the event of adverse incidents; (2) To align the submission timeline for risk level assessment (RLA) reports and IT audit reports to the same period, specifically within the first quarter of each calendar year; (3) To adjust security measures to be commensurate with the risks of small business operators by, for example, reducing the penetration testing frequency, increasing access control requirements to cover both generic user accounts and high-privileged user accounts, and requiring business operators to manage IT incidents by conducting root cause analysis, maintaining incident records, and reporting such incidents to the SEC; (4) To adjust the applicable scope for investment advisory business operators to ensure that they will be able to implement sufficient controls for managing IT-related risks arising from the use of technology; (5) To Improve other details of the rules to better communicate the intent of the oversight and enable effective risk control implementation. The notifications of the aforesaid amendments will take effect from 1 January 2025 onwards.

Documents

Related News