Cybersecurity and Customer Data Privacy Protection

Commitment
To strengthen cybersecurity and data privacy protection with enhanced technology and people capabilities to improve productivity, ensure compliance and build trust with all stakeholders

Materiality
As digital transformation continually increases the value of information and data within the banking business, the quantity of information and our ability to analyze data are key factors that enable us to understand and serve customers better while strengthening our competitive advantage. Digital transformation has also significantly increased risks from cyberthreats and violations of customer data privacy. Therefore, we have made it our mission to promote cybersecurity and personal data protection in order to strengthen the confidence of our customers, suppliers and other stakeholders as well as to promote a good image for the Bank. We attach great significance to providing IT security, cybersecurity and data privacy protection through the implementation of standardized cybersecurity management, prudent data governance processes and effective data privacy protection measures. We also raise awareness and build capabilities of our employees to tackle cyber threats and exercise vigilance to ensure compliance with personal data protection guidelines, thereby mitigating risks related to data leakage, data theft, loss of data and violation of personal data privacy, which could cause damage to both data subjects and the Bank.

Cybersecurity Management

The Bank considers IT risks, including risks from cyber threats, to be key risks that must be managed prudently. We have put in place a framework for managing IT security and cybersecurity that conforms to international standards. In addition, the Bank has adopted modern technology to monitor and detect unusual situations or events that may damage the Bank's data and information systems. We have also established security standards for all data collected through the Bank's services, and our systems are regularly assessed against these standards both before and after customers use a service.

We received four accolades for our cybersecurity commitment in 2023 at the Prime Minister Awards: Thailand Cybersecurity Excellence Awards 2023, organized by the National Cyber Security Agency (NCSA), namely:

  1. Cybersecurity Performance Excellence Awards 2023, Critical Information Infrastructure (CII)
  2. Best Cybersecurity Performance Awards 2023, Critical Information Infrastructure for Banking and Finance
  3. Best Cybersecurity Performance Awards 2023, Critical Information Infrastructure Agency Cybersecurity for Cooperation
  4. Best Cybersecurity Performance Awards 2023, Critical Information Infrastructure Agency for Capacity Development

Cybersecurity Governance Structure

To ensure the effectiveness of our IT security and cybersecurity in accordance with the Bank’s policies and principles, we have clearly defined the scope of responsibility for relevant parties from the Board of Directors to managerial level as follows:

Information Security and Cybersecurity Policy and Measures

We have prepared an Information Security and Cybersecurity Policy that is in line with the international standard ISO/IEC 27002 as a guideline for managing information security and handling cyber attacks. We also published the Information Security and Cybersecurity Handbook to provide employees with clear guidance on how to perform their duties in accordance with the Bank's policy. We review the policy every year to keep it up to date with new technologies and cyber threats. During 2023, we revised the Information Security and Cybersecurity Policy by incorporating topics on Artificial Intelligence Adoption and the Threat Intelligence Program. In addition, the Bank has been certified for various international security standards, including ISO/IEC 27001:2013 for the Bank of Thailand's Automated High-value Transfer Network (BAHTNET) and the Imaged Cheque Clearing and Archive System (ICAS), and is in the process of being certified for the Payment Card Industry Data Security Standard.

To enable employees to work with more flexibility and to support the work-from-anywhere practice, we have established security procedures for using mobile devices and accessing information via external devices that are in line with the Information Security and Cybersecurity Policy and other related policies. Furthermore, we have gradually installed security software on our devices to enhance cybersecurity and personal data security, and we regularly scan devices for malware. In 2023, we investigated data leaks from various sources such as the dark web, GitHub and Pastebin, analyzed the data and notified data subjects to facilitate proactive defensive actions.

Monitoring Cybersecurity

We have established clear guidelines for monitoring cybersecurity incidents that may affect information security, including response times for escalating incidents and notifying related parties, so that incidents can be managed and any resulting damage controlled in a timely manner. At the same time, we focus on enhancing the knowledge and skills of relevant employees to ensure preparedness in preventing and responding to cyber threats at all times. In 2023, we organized training to promote skills and knowledge in various areas including Secure Software Development, Threat Hunting and PCI Professional Training, and sent employees to participate in cybersecurity competitions at the international level and banking sector level to strengthen their technical analysis skills through simulated situations.

Employees who encounter a dubious incident related to IT security and cybersecurity can report the incident to the Service Desk through the provided channels. In 2023, the Bank had no case of information security breaches or other cybersecurity incidents.

Preparation for the Cybersecurity Incident Response Plan

The Information Technology Security Management unit conducts a cybersecurity drill of the Bank's cyber threat response plan at least once a year and adjusts the drill scenario every year to ensure that employees and applicable technologies are ready to counter cyberattacks in different forms. Apart from internal drills, cybersecurity drills are regularly conducted with other banks under the Thailand Banking Sector Computer Emergency Response Team (TB-CERT). These activities continually help improve our cybersecurity processes to combat cyber threats more effectively. In 2023, we organized two drills of the cybersecurity incident response plan: one at the Bank level for an incident involving external service providers that affected the Bank's services, and the other at the banking sector level for an attack on sensitive personal data storage systems.

To ensure that the Bank's information technology systems are well protected and that potential threats can be prevented in a timely manner, we engage an external independent auditor to examine our IT security management processes twice a year. The audit covers IT General Controls and Application Controls. At the same time, we have established a process for managing vulnerabilities, conducting a Vulnerability Analysis for important work systems and carrying out an annual Penetration Test led by both internal and external experts. Moreover, we regularly test the cybersecurity responses of our personnel by sending simulated phishing emails to directors, executives and employees every year. Testing results are used to improve employee communications and heighten their awareness of how to spot and handle phishing emails. During 2023, we sent simulated phishing emails with different topics and content throughout the year. The results showed that fewer employees were deceived while more reports of suspected phishing emails were received.

Collaboration with External Agencies to Build Cybersecurity

To promote cybersecurity, we have collaborated with local and international external agencies including TB-CERT, the Thai Computer Emergency Response Team (ThaiCERT) and the Financial Services Information Sharing and Analysis Center (FS-ISAC), with the objective of exchanging information on cybersecurity and cyber threats and enhancing our ability to respond to cyberattacks. In 2023, we participated in brainstorming discussions on guidelines to prevent or reduce the risk of scams through Facebook and Google platforms, developed a process for reporting incidents to Facebook to strengthen its ability to combat fake pages, and jointly tested Safe Browsing with Google.

Personal Data Protection Management

We have established principles and practices on personal data protection in accordance with the requirements of the Personal Data Protection Act (PDPA) and other applicable laws and regulations of relevant regulatory agencies. We have also assigned responsible personnel for reviewing and monitoring data, overseeing the granting of access rights, sorting and classifying data, and establishing personal data security measures that are consistent with the degree of risk and the potential impact of a breach of personal data privacy. These tasks are designed to prevent data loss, as well as illegal access, use, alteration, modification or disclosure of personal data. We consider personal data risk a key risk for the Bank and have established a Data Protection Office (DPO Office) and appointed a Data Protection Officer (DPO) to be in charge of the relevant risk management process, covering everything from identifying personal data risk and managing it to controlling it. We undertake risk control according to the Three Lines of Defense principle and ensure that audits of personal data protection are conducted by the Audit and Control Division, working independently of the units that collect, use and disclose personal data.

Governance on Personal Data Protection

To ensure that the governance of personal data protection is effective, comprehensive and compliant with related laws including the Bank’s policies and practices, we have established a Data Protection Office (DPO Office) under the Compliance Unit and appointed a Data Protection Officer (DPO) to be in charge of personal data protection.



Personal Data Protection Policy and Standards

We have established a Personal Data Protection Policy and Personal Data Protection Standards in accordance with the Personal Data Protection Act B.E. 2562 (2019) as guidelines for all business groups of the Bank as well as business partners and external service providers. In addition, we have prepared operating manuals on personal data protection for all relevant units to ensure that employees have a good understanding of how to comply with the policy and standards in their respective work. Violations or failure to comply may result in disciplinary action up to termination of employment, in addition to any criminal offense or punishment under related laws as applicable.

We disseminate a Privacy Notice to customers through our website, branches and digital banking channels to inform customers about personal data protection and data subject rights. Customers can request additional information or exercise their rights as data subjects through branches or other service channels of the Bank or contact the Bank’s Data Protection Officer or Data Protection Office.



Guidelines for a Breach of Personal Data

To promote clarity and orderliness, we have established guidelines, procedures and responsible persons for responding to personal data breaches in accordance with regulatory requirements and the Bank's personal data protection policy. We have also created a personal data breach report form covering the important details that the unit detecting an incident must report to the responsible person in charge of that unit for further submission to the DPO.

Procedures for a Breach of Personal Data

  1. The unit detecting the incident immediately notifies the DPO that a personal data breach has taken place.
  2. The unit detecting the incident, together with the DPO, considers the impact on the data subject and evaluates potential damage.
  3. If there is a significant impact on the data subject, the DPO reports the personal data breach incident to the concerned regulatory authority within 72 hours from when the DPO has received confirmation of the incident and notified the data subject.
  4. The unit detecting the incident reviews lessons learned from the personal data breach to prevent similar incidents happening in the future.

In cases where a customer becomes aware of a personal data breach, the customer can file a complaint through the various channels provided by the Bank or contact the Data Protection Office or the Data Protection Officer (DPO). We will follow the established procedures to investigate the issue in a transparent and fair manner. If the investigation confirms the breach, the Bank will take action against the wrongdoer according to the established disciplinary processes and guidelines and provide proper remedies to the affected parties.

Promoting a Culture of IT Security, Cybersecurity and Personal Data Protection

We believe that fostering a culture of cybersecurity and personal data protection requires that everyone in the organization has the right knowledge and understanding of the subject. Therefore, we have taken the following measures or set the following requirements:

  • The Board of Directors must enhance their knowledge of IT security and cybersecurity management on a regular basis through participation in training programs organized by internal units and external agencies, which are held every year.
  • All executives and employees must attend mandatory training including Personal Data Protection, Phishing Awareness and Information Security and Cybersecurity (ISCS).
  • Employees in units concerned must attend personal data protection training specific to their roles.
  • The PDPA Awareness Campaign was launched to educate concerned parties on proper practices under the Personal Data Protection Act B.E. 2562 (PDPA) through articles, newsletters, infographics and videos as well as providing channels for them to seek advice from experts and send inquiries to the DPO.
  • Continuous knowledge sharing and communication on cybersecurity was carried out through internal communication channels, with topics such as "Warning for Phishing Mail in QR Code Format," "How Important is Cybersecurity Knowledge?" and "Bing Chat Enterprise - How to Safely Use It?".
  • Learning courses on information security and cybersecurity were continuously developed. In 2023, the Bank added the new "Creating Awareness on Information Security ISMS" and “Bangkok Bank Security Roundup 2022-2023” courses to our online learning platform. In addition, the Bank organized the Knowledge Day Forum 2023 activity on the topic “CISO GPT” to educate executives and employees about how to deal with new forms of cyber threats.
  • A learning exchange activity on personal data protection was organized with PT Bank Permata Tbk, the Bank’s subsidiary in Indonesia, to provide Bank officers with knowledge and understanding of topics including personal data protection laws in Thailand and Indonesia, the Bank's governance structure and personal data protection processes, and how to raise awareness among employees on preventing and responding to personal data protection issues.
