Technology and digital systems now play a larger role in daily life and business operations, bringing greater convenience and efficiency to people and to working processes. At the same time, cyber security threats are increasing rapidly. Such threats cause direct and indirect impacts, including computer viruses, ransomware, internet fraud and the hacking of important data.
The Bank recognizes that such cyber threats are a risk factor in preserving the Bank’s business stability and image, as well as in maintaining customers’ confidence in using its services. The Bank has therefore adopted ISO/IEC 27001:2013 (ISMS: Information Security Management Systems) as the guideline for its information security management system, covering the important systems for both financial transactions and the computer center, and assesses its cyber security maturity against the NIST Cybersecurity Framework of the United States, in order to ensure that the banking system is ready to detect cyber threats and to prevent and respond to attacks quickly in line with international standards. Moreover, the Bank uses the services of FS-ISAC (Financial Services - Information Sharing and Analysis Center) to receive cyber threat intelligence on attacks against global financial institutions, so that the Bank’s systems can be protected before they are attacked. The Bank has also carried out various activities to enhance its cyber security, for example annual IT system audits by international experts to assess the risks arising from vulnerabilities in its information systems, and investment in developing and expanding the capabilities of its information security technology, so that the Bank’s information systems are efficient and secure at an international standard level.
Besides developing its cyber security systems, the Bank has implemented various projects to prevent and counter cyber threats in compliance with the Cybersecurity Act, the Personal Data Protection Act and the regulations of the Bank of Thailand, for example:
IT Security Awareness: Raising employee awareness through online channels and providing training on the Bank’s information technology security, so that employees understand cyber threats delivered through various channels such as email, websites and mobile devices and are ready to deal with them. In addition, employees in the Technology Group are trained by specialized experts in secure program development, giving system developers additional knowledge on how to build more secure systems. The Bank also communicates security issues to customers, such as promoting awareness of phishing emails/SMS and new threats.
Data Protection Assessment (DPA) and Data Loss Prevention (DLP): Assessing the important data of each business unit of the Bank, so that employees gain the knowledge and understanding needed to classify information correctly, appropriately and safely, and preventing the leakage of important information that could harm the Bank’s reputation and its customers.
Network Access Control (NAC): Preventing external computers from connecting to the Bank’s internal servers, in order to mitigate the risk of unauthorized access to the Bank’s important data.
According to announcement No. FPG 21/2562 (2019) of the Bank of Thailand on the rules of information technology risk control for financial institutions, dated 1 October 2019, financial institutions with high cyber inherent risk must have a Chief Information Security Officer (CISO). Accordingly, Mr. Cherdsak Nana, Senior Vice President – Information Technology Security, who oversees information technology security, has been appointed CISO with effect from 1 June 2022 until further notice.