SEC News

SEC public hearing on proposed amendments to IT Standard Rules to ensure business operators’ IT security and investor confidence in the capital market



Friday 6 May 2022 | No. 62 / 2022


Bangkok, 6 May 2022 – The Securities and Exchange Commission (SEC) is seeking public comments on proposed amendments to the Rules on Establishment of Information Technology System to strengthen IT security standards adopted by capital market business operators and investor confidence in the capital market.

In December 2021, the SEC conducted an earlier public hearing on the proposed amendments to the aforesaid Rules, the objective of which is to accommodate the use of technology to operate business in the changing landscape and address cyber threats. Comments and suggestions from stakeholders were taken into consideration to refine the draft amendments. The key amendments to the IT Standard Rules this time are summarized as follows:

(1) Establishing IT-related risk assessment criteria to define the entity’s risk level and to specify standards of IT security controls and oversight that suitably apply to licensed corporations of different risk levels as well as diverse natures of business operation, organizational structure, business size, and complexity of the used technology;  

(2) Defining clear roles, responsibilities, and involvement of the board of directors, including the governance body, to ensure secure, effective, and efficient IT practices and usage in the business. This also includes requirements related to information security audits and to the auditor, who must be qualified and independent;

(3) Revising the requirements and guidelines in line with international standards and other financial IT regulations;   

(4) Determining additional requirements and guidelines for IT quality and IT service management, such as IT project management and system capacity management;  

(5) Enhancing cybersecurity control measures to strengthen and protect the capital market from cyber threats in alignment with the requirements prescribed by Thailand’s Cybersecurity Law, such as Vulnerability Assessment and Penetration Test; and

(6) Revising the third-party management provisions by extending the scope to include IT service providers or business partners that have a system interconnection giving them access to critical data of business operators or their customers’ data.

The consultation paper is available at https://www.sec.or.th/TH/Pages/PB_Detail.aspx?SECID=795. Stakeholders and interested parties are welcome to give comments and suggestions via the website or email: nakharin@sec.or.th, natchac@sec.or.th or chat@sec.or.th. The public hearing ends on 6 June 2022.