The Guidelines for the Supervision and Management of Information Technology Risks of Life Insurance Companies B.E. 2563 (2020) (หลักเกณฑ์การกำกับดูแลและบริหารจัดการความเสี่ยงด้านเทคโนโลยีสารสน เทศของบริษัทประกันชีวิต พ.ศ. ๒๕๖๓) were issued by the Office of Insurance Commission (OIC) of Thailand to strengthen IT risk management in the life insurance sector.
What are the Guidelines for the Supervision and Management of IT Risks by OIC?
- Ensure secure and stable IT operations in life insurance companies
- Mitigate risks from cyber threats, data breaches, and system failures
- Align with international standards
- Enhance regulatory compliance and consumer protection
- All life insurance companies registered in Thailand
- Third-party service providers (handling IT systems/data for insurers)
6 categories: IT Governance, IT Project Management, IT Security, IT Risk Management, IT Compliance, IT Audit, Cybersecurity Governance and Risk Management and Reporting of Cyber Threat Incidents.
COMPLIANCE BRIEF
Complying with the Guidelines for the Supervision and Management of IT Risks by OIC of Thailand
Discover how insurance providers comply with the Guidelines for the Supervision and Management of Information Technology Risks through our comprehensive cybersecurity solutions and learn more about the requirements.
How Thales Helps with the Guidelines for the Supervision and Management of IT Risks by OIC of Thailand
Thales’ Cybersecurity Solutions help organizations address 2 categories – IT Security and Cybersecurity Governance and Risk Management by simplifying compliance and automating security with visibility and control, reducing the burden on security and compliance teams.
OIC Compliance Solutions
Application Security
Protect applications and APIs at scale in the cloud, on-premises, or in a hybrid model. Our market leading product suite includes Web Application Firewall (WAF), protection against Distributed Denial of Service (DDoS) and malicious BOT attacks.
Data Security
Discover and classify sensitive data across hybrid IT and automatically protect it anywhere, whether at rest, in motion, or in use, using encryption tokenization and key management. Thales solutions also identify, evaluate, and prioritize potential risks for accurate risk assessment as well as identify anomalous behavior, and monitor activity to verify compliance, allowing organizations to prioritize where to spend their efforts.
Identity & Access Management
Provide seamless, secure and trusted access to applications and digital services for customers, employees and partners. Our solutions limit the access of internal and external users based on their roles and context with granular access policies and Multi-Factor Authentication that help ensure that the right user is granted access to the right resource at the right time.
Address the OIC – Guidelines for the Supervision and Management of IT Risks
How Thales helps:
- Identify structured and unstructured sensitive data at risk across Hybrid IT.
- Identify the current state of compliance and document gaps.
- Discover and classify potential risk for all public, private and shadow APIs.
- Classify and assign specific sensitivity levels for data when you are defining your data stores and your classification profiles for different types of data sets.
How Thales helps:
- Limit the access of internal and external users to systems and data based on roles and context with policies.
- Apply contextual security measures based on risk scoring.
- Centralize access policies and enforcement to multiple hybrid environments in a single pane of glass.
- Unify key management operations with role-based access control.
- Offer Multi-Factor Authentication (MFA) to ensure that those accessing the system are truly authorized.
- Employ Single Sign-On (SSO) to allow users to securely access multiple systems with a single authentication.
- Set up access policies based on user roles, responsibilities, and risks (Policy-based Access Control).
- Store access logs to support retrospective auditing.
- Encrypt data both at rest and in transit (Data-at-Rest & Data-in-Transit Encryption) to prevent unauthorized access.
Solutions:
Application Security
Data Security
Identity & Access Management
How Thales helps:
- Deploy transparent and continuous encryption that protects against unauthorized access by users and processes in physical, virtual, and cloud environments.
- Pseudonymize sensitive information in databases to prevent exposure of real data for testing.
- Protect cryptographic keys in FIPS140-3 Level 3 and tamper-evident hardware.
- Encrypt Keys with a one-time-use AES 256 key and send over a mutually authenticated TLS connection.
- Security products designed for post-quantum upgrade to maintain crypto-agility.
How Thales helps:
- Enable Multi-Factor Authentication (MFA) for remote users to ensure that access is authorized.
- Provide user rights management for the Virtual Private Network (VPN) system to prevent access from unauthorized devices.
- Offer Remote Access Policies to control only pre-approved users.
- Store Remote Access Logs to support retrospective auditing.
- Encrypt data sent over remote connections (Data-in-Transit Encryption) to prevent data interception during communication.
Solutions:
Identity & Access Management
How Thales helps:
- Detect and prevent cyber threats with a web application firewall, ensuring seamless operations and peace of mind.
- Safeguard critical network assets from DDoS attacks and Bad Bots while continuing to allow legitimate traffic.
- Provide uptime with fast, effective DDoS mitigation and a 3-second SLA for Layers 3 & 4 attacks.
- Protect against business logic attacks and many more of the OWASP API Top Ten threats.
- Provide continuous protection of all APIs using deep discovery and classification to detect all public, private and shadow APIs.
- Gain full sensitive data activity visibility, track who has access, audit what they are doing and document.
- Pinpoint risky data access activity for all users, including privileged users.
- Protect data with real-time alerting or user access blocking of policy violations.
- Offer transparency and context into your data risk status by consolidating data risk metrics, locating risk areas, and providing transparent and customizable risk scores.
Solutions:
Application Security
Data Security
How Thales helps:
- Run assessment tests on data stores such as MySQL or so to scan for known vulnerabilities.
- Scan your databases with over 1,500 predefined vulnerability tests based on CIS and PCI-DSS benchmarks to help you keep your databases covered for the latest threats.
Related resources
Other key data protection and security regulations
PCI HSM
MANDATE | ACTIVE NOW
The PCI HSM specification defines a set of logical and physical security compliance standards for HSMs specifically for the payments industry. PCI HSM Compliance certification depends on meeting those standards.
DORA
REGULATION | ACTIVE NOW
DORA aims to strengthen the IT security of financial entities to make sure the financial sector in Europe is resilient in the face of the growing volume and severity of cyber-attacks.
Data Breach Notification Laws
REGULATION | ACTIVE NOW
Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.
GLBA
REGULATION | ACTIVE NOW
The Gramm-Leach-Bliley Act (GLBA)--also known as the Financial Services Modernization Act of 1999--requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.