Complying with the Guidelines for the Supervision and Management of IT Risks by OIC

How Thales helps with OIC – Guidelines for the Supervision and Management of Information Technology Risks Compliance in Thailand

The Guidelines for the Supervision and Management of Information Technology Risks of Life Insurance Companies B.E. 2563 (2020) (หลักเกณฑ์การกำกับดูแลและบริหารจัดการความเสี่ยงด้านเทคโนโลยีสารสนเทศของบริษัทประกันชีวิต พ.ศ. ๒๕๖๓) were issued by the Office of Insurance Commission (OIC) of Thailand to strengthen IT risk management in the life insurance sector.

APAC

What are the guidelines for the supervision and management of IT risks by OIC?

    Objectives:

    • Ensure secure and stable IT operations in life insurance companies
    • Mitigate risks from cyber threats, data breaches and system failures
    • Align with international standards
    • Enhance regulatory compliance and consumer protection

    Who must comply:

    • All life insurance companies registered in Thailand
    • Third-party service providers that handle IT systems or data for insurers

    The guidelines cover eight categories: IT Governance, IT Project Management, IT Security, IT Risk Management, IT Compliance, IT Audit, Cybersecurity Governance and Risk Management, and Reporting of Cyber Threat Incidents.

    COMPLIANCE BRIEF

    Complying with the Guidelines for the Supervision and Management of IT Risks by OIC of Thailand

    Discover how insurance providers comply with the Guidelines for the Supervision and Management of Information Technology Risks through our comprehensive cybersecurity solutions and learn more about the requirements.


    How Thales helps with the Guidelines for the Supervision and Management of IT Risks by OIC of Thailand

    Thales' cybersecurity solutions help organisations address two of these categories, IT Security and Cybersecurity Governance and Risk Management, by simplifying compliance and automating security with visibility and control, reducing the burden on security and compliance teams.


    OIC compliance solutions

      Application security

      Protect applications and APIs at scale in the cloud, on-premises or in a hybrid model. Our market-leading product suite includes a Web Application Firewall (WAF) and protection against Distributed Denial of Service (DDoS) and malicious bot attacks.

      Data security

      Discover and classify sensitive data across hybrid IT and automatically protect it anywhere, whether at rest, in motion or in use, using encryption, tokenisation and key management. Thales solutions also identify, evaluate and prioritise potential risks for accurate risk assessment, and identify anomalous behaviour and monitor activity to verify compliance, allowing organisations to prioritise where to spend their efforts.

      Identity & access management

      Provide seamless, secure and trusted access to applications and digital services for customers, employees and partners. Our solutions limit the access of internal and external users based on their roles and context with granular access policies and Multi-factor authentication that help ensure that the right user is granted access to the right resource at the right time.

      Address the OIC – Guidelines for the Supervision and Management of IT Risks

        How Thales helps:

        • Identify structured and unstructured sensitive data at risk across Hybrid IT.
        • Identify the current state of compliance and document gaps.
        • Discover and classify potential risk for all public, private and shadow APIs.
        • Assign sensitivity levels to data when defining data stores and classification profiles for different types of data sets.

        Solutions:

        Application security

        API security

        Data security

        Data discovery and classification

        How Thales helps:

        • Limit the access of internal and external users to systems and data based on roles and context with policies.
        • Apply contextual security measures based on risk scoring.
        • Centralise access policies and enforcement to multiple hybrid environments in a single pane of glass.
        • Unify key management operations with role-based access control.
        • Offer Multi-factor authentication (MFA) to ensure that those accessing the system are truly authorised.
        • Employ Single Sign-On (SSO) to allow users to securely access multiple systems with a single authentication.
        • Set up access policies based on user roles, responsibilities and risks (Policy-based Access Control).
        • Store access logs to support retrospective auditing.
        • Encrypt data both at rest and in transit (Data-at-Rest & Data-in-Transit Encryption) to prevent unauthorised access.

        How Thales helps:

        • Deploy transparent and continuous encryption that protects against unauthorised access by users and processes in physical, virtual and cloud environments.
        • Pseudonymise sensitive information in databases to prevent exposure of real data for testing.
        • Protect cryptographic keys in FIPS 140-3 Level 3 validated, tamper-evident hardware.
        • Encrypt keys with a one-time-use AES-256 key and send them over a mutually authenticated TLS connection.
        • Use security products designed for post-quantum upgrade to maintain crypto-agility.
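        The pseudonymisation bullet above describes replacing real values in a test database so that real customer data is never exposed to developers. The block below is an added illustration of that technique, not Thales code and not the product's implementation. It uses a keyed HMAC rather than a plain hash because identifiers such as a 13-digit national ID have so little entropy that an unkeyed hash can be reversed by enumerating every candidate; the secret key is the assumption that makes the mapping one-way, and the column name is mixed in so the same string in two columns yields two different tokens. The column names and sample rows are constructed for the example.

```python
"""Keyed pseudonymisation of sensitive database columns for a test copy.

Added example: the table layout, column names and rows below are constructed
to resemble a life-insurance policy table; they are not real data.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Sequence

# Columns treated as sensitive in this example (an assumption, not a standard list).
SENSITIVE_FIELDS: Sequence[str] = ("national_id", "full_name", "phone")

# Constructed sample rows. Rows 1 and 3 belong to the same (fictional) person.
SAMPLE_ROWS: List[Dict[str, object]] = [
    {"policy_no": "LP-0001", "national_id": "1100200300401",
     "full_name": "Somchai Jaidee", "phone": "+66812345678", "premium": 1200.50},
    {"policy_no": "LP-0002", "national_id": "1100200300402",
     "full_name": "Suda Rakdee", "phone": "+66898765432", "premium": 980.00},
    {"policy_no": "LP-0003", "national_id": "1100200300401",
     "full_name": "Somchai Jaidee", "phone": None, "premium": 2100.00},
]


def pseudonymise_value(key: bytes, field: str, value: str) -> str:
    """Return a 16-hex-character token standing in for `value`.

    HMAC-SHA256 under a secret key: the same value always maps to the same
    token, so foreign keys and joins still line up in the test copy, but
    without the key nobody can enumerate candidate IDs and compare hashes,
    which is exactly what breaks an unkeyed SHA-256 of a low-entropy field.
    The field name is prefixed (with a NUL separator) for domain separation.
    """
    msg = field.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymise_rows(key: bytes, rows: Iterable[Dict[str, object]],
                      fields: Sequence[str] = SENSITIVE_FIELDS) -> List[Dict[str, object]]:
    """Copy each row, replacing every non-NULL sensitive field with its token."""
    out: List[Dict[str, object]] = []
    for row in rows:
        copy = dict(row)
        for f in fields:
            if copy.get(f) is not None:
                copy[f] = pseudonymise_value(key, f, str(copy[f]))
        out.append(copy)
    return out


def leaks_original(rows: Sequence[Dict[str, object]],
                   pseudo_rows: Sequence[Dict[str, object]],
                   fields: Sequence[str] = SENSITIVE_FIELDS) -> bool:
    """True if any original sensitive value survives anywhere in the output."""
    originals = {str(r[f]) for r in rows for f in fields if r.get(f) is not None}
    return any(str(v) in originals for pr in pseudo_rows for v in pr.values())


if __name__ == "__main__":
    # In production the key lives in an HSM/KMS and never ships with the test copy.
    key = secrets.token_bytes(32)
    for r in pseudonymise_rows(key, SAMPLE_ROWS):
        print(r)
    print("leak:", leaks_original(SAMPLE_ROWS, pseudonymise_rows(key, SAMPLE_ROWS)))
```

Two properties matter when a pseudonymised copy is handed to developers: the same real value must map to the same token across tables (otherwise joins in the test copy break), and the key used for the mapping must be held outside the test environment, since whoever has it can confirm a guess at any original value.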

        How Thales helps:

        • Enable Multi-factor authentication (MFA) for remote users to ensure that access is authorised.
        • Provide user rights management for the Virtual Private Network (VPN) system to prevent access from unauthorised devices.
        • Offer Remote Access Policies to control only pre-approved users.
        • Store Remote Access Logs to support retrospective auditing.
        • Encrypt data sent over remote connections (Data-in-Transit Encryption) to prevent data interception during communication.

        How Thales helps:

        • Detect and prevent cyber threats with a web application firewall, ensuring seamless operations and peace of mind.
        • Safeguard critical network assets from DDoS attacks and Bad Bots while continuing to allow legitimate traffic.
        • Provide uptime with fast, effective DDoS mitigation and a 3-second SLA for Layers 3 & 4 attacks.
        • Protect against business logic attacks and many more of the OWASP API Security Top 10 threats.
        • Provide continuous protection of all APIs using deep discovery and classification to detect all public, private and shadow APIs.
        • Gain full visibility of sensitive data activity: track who has access, audit what they are doing and document it.
        • Pinpoint risky data access activity for all users, including privileged users.
        • Protect data with real-time alerting or by blocking user access for policy violations.
        • Offer transparency and context into your data risk status by consolidating data risk metrics, locating risk areas and providing transparent and customisable risk scores.

        How Thales helps:

        • Run assessment tests on data stores, such as MySQL, to scan for known vulnerabilities and misconfigurations.
        • Scan your databases with over 1,500 predefined vulnerability tests based on CIS benchmarks and PCI DSS requirements to keep your databases covered against the latest threats.
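        To make concrete what a benchmark-based assessment test on a MySQL instance actually checks, the block below is an added example, written for this page rather than taken from Thales or from the CIS benchmark itself. It runs a handful of checks in the style of CIS MySQL benchmark items (anonymous accounts, empty passwords, root reachable from remote hosts, `local_infile` enabled, TLS not required) over constructed rows that stand in for the output of `SELECT user, host, authentication_string FROM mysql.user` and `SHOW VARIABLES`. The check names and sample rows are assumptions for the example; a real scan would query the live server and cover far more items.

```python
"""CIS-style configuration checks over MySQL account and variable data.

Added example. SAMPLE_USERS and SAMPLE_VARIABLES are constructed to look like
the result of querying mysql.user and SHOW VARIABLES on a badly configured
server; they are not output from any real system.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


@dataclass(frozen=True)
class Finding:
    check: str    # short identifier of the check that fired
    detail: str   # which account or variable triggered it


# Constructed rows in the shape of mysql.user (hashes abbreviated, not real).
SAMPLE_USERS: List[Dict[str, str]] = [
    {"user": "root",   "host": "localhost", "authentication_string": "*E4A1B2..."},
    {"user": "root",   "host": "%",         "authentication_string": "*E4A1B2..."},
    {"user": "",       "host": "localhost", "authentication_string": ""},
    {"user": "app",    "host": "10.0.0.%",  "authentication_string": ""},
    {"user": "report", "host": "10.0.1.5",  "authentication_string": "$A$005$..."},
]

# Constructed subset of SHOW VARIABLES output.
SAMPLE_VARIABLES: Dict[str, str] = {
    "local_infile": "ON",
    "require_secure_transport": "OFF",
    "log_error": "/var/log/mysql/error.log",
}


def assess_users(rows: Iterable[Dict[str, str]]) -> List[Finding]:
    """Account-level checks: anonymous users, empty passwords, remote root."""
    findings: List[Finding] = []
    for r in rows:
        account = f"'{r['user']}'@'{r['host']}'"
        if r["user"] == "":
            findings.append(Finding("anonymous_account", account))
        if r["authentication_string"] == "":
            findings.append(Finding("empty_password", account))
        if r["user"] == "root" and r["host"] not in LOCAL_HOSTS:
            findings.append(Finding("root_remote_login", account))
    return findings


def assess_variables(variables: Dict[str, str]) -> List[Finding]:
    """Server-variable checks: LOAD DATA LOCAL enabled, TLS not enforced."""
    findings: List[Finding] = []
    if variables.get("local_infile", "OFF").upper() == "ON":
        findings.append(Finding("local_infile_enabled", "local_infile=ON"))
    if variables.get("require_secure_transport", "OFF").upper() != "ON":
        findings.append(Finding("secure_transport_not_required",
                                "require_secure_transport=OFF"))
    return findings


def assess(rows: Iterable[Dict[str, str]], variables: Dict[str, str]) -> List[Finding]:
    return assess_users(rows) + assess_variables(variables)


def count_by_check(findings: Iterable[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.check] = counts.get(f.check, 0) + 1
    return counts


if __name__ == "__main__":
    for f in assess(SAMPLE_USERS, SAMPLE_VARIABLES):
        print(f"{f.check:32s} {f.detail}")
```

On a hardened server every check above should return nothing; the point of running such tests on a schedule is to catch regressions such as a `'root'@'%'` account created during troubleshooting and never removed.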

        Other key data protection and security regulations

        PCI HSM

        Global

        MANDATE | ACTIVE NOW

        The PCI HSM specification defines a set of logical and physical security compliance standards for HSMs specifically for the payments industry. PCI HSM Compliance certification depends on meeting those standards.

        DORA

        Global

        REGULATION | ACTIVE NOW

        DORA aims to strengthen the IT security of financial entities to ensure the financial sector in Europe is resilient in the face of the growing volume and severity of cyber-attacks.

        Data breach notification laws

        Global

        REGULATION | ACTIVE NOW

        Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction, but almost universally include a "safe harbour" clause that exempts data rendered unreadable, typically through encryption, from notification.

        GLBA

        Americas

        REGULATION | ACTIVE NOW

        The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.
