Cybersecurity and Data Privacy Protection
Commitment
To strengthen cybersecurity and data privacy protection with enhanced technology and people capabilities to improve productivity, ensure compliance and build trust with all stakeholders
Materiality
Of growing importance, digital technology and data has become a valuable asset to the banking sector as it enables banks to understand and serve customers better as well as to develop products and services that better meet their needs. However, there are also significantly increased risks from cyber threats and breaches of customer data privacy which may cause damage to customers, disrupt business operations, increase the cost of business, impact the trust of customers and other stakeholders. Therefore, we attach great significance to providing IT security, cybersecurity and data privacy protection through the implementation of standard cybersecurity management, prudent data governance processes and effective data privacy protection measures. We also raise awareness and build capabilities of our employees so they can tackle cyber threats and exercise vigilance to ensure compliance with personal data protection guidelines, thereby mitigating risks related to data leakage, data theft, loss of data, and misuse of data without data owners’ consent.
Cybersecurity Management
We consider IT risks including risks from cyber threats as key risks that need to be managed prudently. We have put in place a framework for managing information security and cybersecurity that conforms with international standards. An action plan to tackle various forms of cyber threats has been established so that we can quickly and effectively mitigate potential impacts. We have also adopted modern technology to monitor and detect unusual situations or events that may damage the Bank’s data and information systems. In addition, we have developed security standards for all data collected through the Bank’s services while our systems are regularly assessed according to these security standards, both before and after customers use a service. At the same time, we are committed to consistently developing our personnel’s cybersecurity competencies. In 2024, the Bank received Best Performance Awards 2024 for organizations that achieved ‘Excellent’ assessment result for cybersecurity advancement from the Prime Minister Awards: Thailand Cybersecurity Excellence Award 2024 event organized by the National Cyber Security Agency (NCSA). The award manifestly reflects our commitment to cybersecurity management.
Cybersecurity Governance Structure
To ensure that our information security and cybersecurity are appropriately managed and in accordance with the Bank’s policies and strategies, we have clearly defined the scope of responsibility for relevant parties from the Board of Directors level to management level as follows:
Cybersecurity Policy and Measures
We have established an Information Security and Cybersecurity Policy that complies with international standards and regulations as a guideline for managing information security and managing cyber attacks. We also publish the Information Security and Cybersecurity Handbook to provide clear guidelines for employees to follow. The policy is reviewed every year to ensure it is up to date with new technologies and current cyber threats. During 2024 we revised our risk management strategy and asset management principles to align with the NIST Cybersecurity Framework 2.0, adding controls on the adoption of artificial intelligence (AI), information security for cloud system services, and quantum computing security. In addition, the Bank has been certified as meeting various international security standards, including ISO/IEC 27001:2013 for the Bank of Thailand’s Automated High-value Transfer Network (BAHTNET) and the Image Cheque Clearing and Archive System (ICAS), and we are in the process of being certified for the Payment Card Industry Data Security Standard (PCI/DSS).
To support working in the digital age where employees can work from anywhere, the Bank has established regulations on the use of mobile devices, access to external data, management of e-mails, and storage of data in accordance with the Information Security and Cybersecurity Policy and other related policies. Furthermore, we have installed security systems in our hardware and regularly scan for malware on devices as well as monitoring for any potential information leakages from different sources as proactive security measures.
Monitoring Cybersecurity
We have established clear guidelines for monitoring cybersecurity incidents that may affect information security as well as setting response times for the escalation of incidents and notification of related parties so that incidents can be managed and any resulting damage mitigated in a timely manner. We regularly enhance the knowledge and skills of relevant employees to ensure preparedness in preventing and responding to cyber threats. In 2024 we offered training organized by both internal and external agencies to employees to enhance their cybersecurity-related skills. We also sent employees to participate in the Cyber Combat 2024 competition hosted by the Thailand Banking Sector Computer Emergency Response Team (TB-CERT) to strengthen their skills in handling cyber threats through simulated situations.
Employees who encounter a dubious incident related to IT security and cybersecurity can report the incident to the Service Desk through the channels provided. In 2024 there were no cases of information security breaches or other cybersecurity incidents at the Bank.
Preparation for the Cybersecurity Incident Response
The Information Technology Security Management Unit conducts a cybersecurity drill of the Bank’s cyber threat response plan at least twice a year and adjusts the scenarios for the cybersecurity drill on a regular basis. The results of the drills are used to improve the Bank’s cybersecurity incident response process to be more effective. During 2024 the Bank carried out three drills for the cybersecurity incident response plan namely, an internal drill, a banking sector drill under TB-CERT, and a drill at national level by the NCSA. Moreover, we regularly test the responses of our personnel on cybersecurity by simulating phishing emails with different subjects and content and sending them to directors, executives and employees throughout the year to test their understanding. Results are applied to heighten the awareness of employees on how to spot and handle phishing emails. Furthermore, every year a certified external independent agency examines our IT security management processes covering IT General Control and Application Control to ensure that our IT systems have a high standard of protection and are able to handle threats. We also conduct a Vulnerability Analysis for important work systems to test their vulnerabilities and conduct a Penetration Test which is led by both internal and external experts on an annual basis.
Collaboration with External Agencies to Build Cybersecurity
To promote cybersecurity, we have set up collaboration with both local and international external agencies including TB-CERT, the Thai Computer Emergency Response Team (ThaiCERT) and the Financial Services Information Sharing and Analysis Center (FS-ISAC), with the objective of exchanging information related to cybersecurity and enhancing our ability to monitor and respond to cyber threats. In 2024 we participated in a seminar on cybersecurity under the topic Tomorrow’s Cybersecurity in the Age of AI. This was organized by TB-CERT to update knowledge and practices on cybersecurity in an era where AI is playing a significant role. In addition, the Bank’s executives gave lectures and exchanged knowledge at the cybersecurity workshop Capital Market Cyber Leaders 2024: Trust, Resiliency, Sustainability organized by the Securities and Exchange Commission (SEC) for directors of listed companies, and to a seminar organized by NCSA entitled the Joining Forces between the Public and Private Sectors to Drive Cloud Security to Support the Cloud First Policy.
Cybersecurity Governance Structure
To ensure that our information security and cybersecurity are appropriately managed and in accordance with the Bank’s policies and strategies, we have clearly defined the scope of responsibility for relevant parties from the Board of Directors level to management level as follows:
Responsible for governing and overseeing information security and cybersecurity management to be appropriate for the Bank’s business operations.
Responsible for overseeing and monitoring information technology risks including risks from cyber threats.
Responsible for ensuring that our Information Technology Division works effectively and in alignment with business operations.
Responsible for supporting the Chief Information Security Officer (CISO) who is responsible for the following:
- Defining, developing and regularly reviewing the structure, policies, standards and procedures for information security and cybersecurity.
- Assessing and monitoring the status of security control through vulnerability and threat management, as well as investigating any unusual incidents in the Bank’s security.
- Fostering a risk culture regarding information security and cybersecurity in the organization.
Cybersecurity Policy and Measures
We have established an Information Security and Cybersecurity Policy that complies with international standards and regulations as a guideline for managing information security and managing cyber attacks. We also publish the Information Security and Cybersecurity Handbook to provide clear guidelines for employees to follow. The policy is reviewed every year to ensure it is up to date with new technologies and current cyber threats. During 2024 we revised our risk management strategy and asset management principles to align with the NIST Cybersecurity Framework 2.0, adding controls on the adoption of artificial intelligence (AI), information security for cloud system services, and quantum computing security. In addition, the Bank has been certified as meeting various international security standards, including ISO/IEC 27001:2013 for the Bank of Thailand’s Automated High-value Transfer Network (BAHTNET) and the Image Cheque Clearing and Archive System (ICAS), and we are in the process of being certified for the Payment Card Industry Data Security Standard (PCI/DSS).
To support working in the digital age where employees can work from anywhere, the Bank has established regulations on the use of mobile devices, access to external data, management of e-mails, and storage of data in accordance with the Information Security and Cybersecurity Policy and other related policies. Furthermore, we have installed security systems in our hardware and regularly scan for malware on devices as well as monitoring for any potential information leakages from different sources as proactive security measures.
Monitoring Cybersecurity
We have established clear guidelines for monitoring cybersecurity incidents that may affect information security as well as setting response times for the escalation of incidents and notification of related parties so that incidents can be managed and any resulting damage mitigated in a timely manner. We regularly enhance the knowledge and skills of relevant employees to ensure preparedness in preventing and responding to cyber threats. In 2024 we offered training organized by both internal and external agencies to employees to enhance their cybersecurity-related skills. We also sent employees to participate in the Cyber Combat 2024 competition hosted by the Thailand Banking Sector Computer Emergency Response Team (TB-CERT) to strengthen their skills in handling cyber threats through simulated situations.
Employees who encounter a dubious incident related to IT security and cybersecurity can report the incident to the Service Desk through the channels provided. In 2024 there were no cases of information security breaches or other cybersecurity incidents at the Bank.
Preparation for the Cybersecurity Incident Response
The Information Technology Security Management Unit conducts a cybersecurity drill of the Bank’s cyber threat response plan at least twice a year and adjusts the scenarios for the cybersecurity drill on a regular basis. The results of the drills are used to improve the Bank’s cybersecurity incident response process to be more effective. During 2024 the Bank carried out three drills for the cybersecurity incident response plan namely, an internal drill, a banking sector drill under TB-CERT, and a drill at national level by the NCSA. Moreover, we regularly test the responses of our personnel on cybersecurity by simulating phishing emails with different subjects and content and sending them to directors, executives and employees throughout the year to test their understanding. Results are applied to heighten the awareness of employees on how to spot and handle phishing emails. Furthermore, every year a certified external independent agency examines our IT security management processes covering IT General Control and Application Control to ensure that our IT systems have a high standard of protection and are able to handle threats. We also conduct a Vulnerability Analysis for important work systems to test their vulnerabilities and conduct a Penetration Test which is led by both internal and external experts on an annual basis.
Collaboration with External Agencies to Build Cybersecurity
To promote cybersecurity, we have set up collaboration with both local and international external agencies including TB-CERT, the Thai Computer Emergency Response Team (ThaiCERT) and the Financial Services Information Sharing and Analysis Center (FS-ISAC), with the objective of exchanging information related to cybersecurity and enhancing our ability to monitor and respond to cyber threats. In 2024 we participated in a seminar on cybersecurity under the topic Tomorrow’s Cybersecurity in the Age of AI. This was organized by TB-CERT to update knowledge and practices on cybersecurity in an era where AI is playing a significant role. In addition, the Bank’s executives gave lectures and exchanged knowledge at the cybersecurity workshop Capital Market Cyber Leaders 2024: Trust, Resiliency, Sustainability organized by the Securities and Exchange Commission (SEC) for directors of listed companies, and to a seminar organized by NCSA entitled the Joining Forces between the Public and Private Sectors to Drive Cloud Security to Support the Cloud First Policy.
Personal Data Protection Management
We place high importance on personal data protection to prevent data owners from being harmed by the use of data for improper purposes. The Bank has established principles and practices for personal data protection in accordance with the requirements of the Personal Data Protection Act (PDPA) and other relevant regulations. We have assigned responsible personnel for reviewing and monitoring data, granting of access rights, sorting and classifying data into different degree of risk along with establishing corresponding personal data security measures that are consistent with the degree of risk and potential impacts from a breach of personal data privacy. We have identified personal data risk as one of the Bank’s key risks and have assigned the Data Protection Office and Data Protection Officer (DPO) to participate in the risk management process, from risk identification to risk management and risk control.
Governance on Personal Data Protection
To ensure that the Bank’s supervision of personal data protection is in accordance with relevant laws and in line with the Bank’s policies and practices, we have clearly defined the duties and responsibilities of the Board of Directors, senior executives, and relevant departments. We undertake risk control according to the Three Lines of Defense principle and ensure that the audit of personal data protection is conducted by the Audit and Control Division working independently of the units that collect, use and disclose personal data. In addition, the Bank has established a Data Protection Office under the Compliance Unit and appointed a DPO to be in charge of personal data protection.
Personal Data Protection Policy and Standards
We have established the Personal Data Protection Policy and Personal Data Protection Standards in accordance with the Personal Data Protection Act B.E. 2562 (PDPA) as guidelines for all business groups of the Bank, as well as business partners and external service providers. The policy and standards will be subject to a regular review and revision to be consistent with changes in business and relevant laws. In addition, we have prepared operating manuals for personal data protection for all relevant units to ensure that employees have a good understanding of the process and put this in practice accordingly. All employees must acknowledge and conform to the Personal Data Protection Policy. Violations or failure to comply may result in disciplinary action up to termination of employment coupled with a criminal offense or punishment under related laws as applicable.
We disseminate a Privacy Notice to data subjects through our website, branches and digital banking channels to inform them about personal data protection and data subject rights in detail. Data subjects can make inquiries and exercise their rights as data subjects at branches or through other service channels of the Bank or contact the Bank’s Data Protection Officer or Data Protection Office for assistance.
In cases where a data owner becomes aware of a personal data breach, the data owner can file a complaint through various channels provided by the Bank, or contact the DPO or the Data Protection Office. We will follow the established procedures to investigate the incident in a transparent and fair manner. If the investigation confirms the breach, the Bank will take action against the wrongdoer according to the established disciplinary processes and guidelines, make proper remedies to the affected parties, and implement preventive measures. During 2024 the Bank received 14 complaints of personal data breaches from customers: 13 cases were received through the Bank’s channels and one case through a regulator. All these data privacy breach cases were duly investigated and closed according to the Bank’s established procedures. None of the cases caused significant impacts on data subjects.
Governance on Personal Data Protection
To ensure that the Bank’s supervision of personal data protection is in accordance with relevant laws and in line with the Bank’s policies and practices, we have clearly defined the duties and responsibilities of the Board of Directors, senior executives, and relevant departments. We undertake risk control according to the Three Lines of Defense principle and ensure that the audit of personal data protection is conducted by the Audit and Control Division working independently of the units that collect, use and disclose personal data. In addition, the Bank has established a Data Protection Office under the Compliance Unit and appointed a DPO to be in charge of personal data protection.
Personal Data Protection Policy and Standards
We have established the Personal Data Protection Policy and Personal Data Protection Standards in accordance with the Personal Data Protection Act B.E. 2562 (PDPA) as guidelines for all business groups of the Bank, as well as business partners and external service providers. The policy and standards will be subject to a regular review and revision to be consistent with changes in business and relevant laws. In addition, we have prepared operating manuals for personal data protection for all relevant units to ensure that employees have a good understanding of the process and put this in practice accordingly. All employees must acknowledge and conform to the Personal Data Protection Policy. Violations or failure to comply may result in disciplinary action up to termination of employment coupled with a criminal offense or punishment under related laws as applicable.
We disseminate a Privacy Notice to data subjects through our website, branches and digital banking channels to inform them about personal data protection and data subject rights in detail. Data subjects can make inquiries and exercise their rights as data subjects at branches or through other service channels of the Bank or contact the Bank’s Data Protection Officer or Data Protection Office for assistance.
The Bank has established a consent form that specifies details and objectives regarding the collection, use and disclosure of the personal data of a data subject so that the data subject can consider this before giving consent, prior to or during data processing (such consent is the data subject’s choice and will not in any way be a requirement for using the Bank’s services). Additionally, we also monitor the usage of customers’ personal data for secondary purposes as allowed by relevant laws, such as marketing, research and analysis for the purpose of improving the quality of products and services. Note that 77 percent of the Bank’s customers gave consent to the use of their personal data for secondary purposes.
Guidelines for a Breach of Personal Data
To promote clarity, orderliness and responsiveness, we have established guidelines, procedures and responsible persons to respond to personal data breaches according to regulatory requirements and the Bank’s personal data protection policy. A personal data breach report form has also been established for the unit detecting the incident to fill in for reporting to its responsible supervisor in charge for further submission to the DPO.
In cases where a data owner becomes aware of a personal data breach, the data owner can file a complaint through various channels provided by the Bank, or contact the DPO or the Data Protection Office. We will follow the established procedures to investigate the incident in a transparent and fair manner. If the investigation confirms the breach, the Bank will take action against the wrongdoer according to the established disciplinary processes and guidelines, make proper remedies to the affected parties, and implement preventive measures. During 2024 the Bank received 14 complaints of personal data breaches from customers: 13 cases were received through the Bank’s channels and one case through a regulator. All these data privacy breach cases were duly investigated and closed according to the Bank’s established procedures. None of the cases caused significant impacts on data subjects.
Promoting a Culture of IT Security, Cybersecurity and Personal Data Protection
We believe that fostering a culture of IT security, cybersecurity and personal data protection in the organization requires every employee to have the right knowledge and understanding of the subject. Therefore, we have taken the following measures or requirements to enhance knowledge and understanding:
Raising Awareness of Online Financial Threats to Society
The volume of online fraud and scams is on the rise, causing severe financial and psychological damage to victims. To alleviate this problem, we have cooperated with relevant government agencies in implementing various preventive measures, such as detecting and tracking mule accounts, providing alerts when transferring money online, and requiring additional identity verification for high-value transfers. In addition, we have continuously sought to raise public and customer awareness about online financial threats by sharing knowledge through the Bank’s offline and online channels about types of fraud, how to identify suspicious behavior, exercise vigilance and take preventive measures, as well as what to do when one becomes a victim. In collaboration with Thailand Service Co-operative of the Blind (TSCB) under the Fin Lit for the Blind project, we also organized a lecture on Navigating Cybersecurity in the Age of Rapidly Changing Technology to provide visually-impaired people with knowledge and awareness about the techniques of scammers.
- The Board of Directors is required to enhance their knowledge of IT security and cybersecurity management on a regular basis through participation in training programs organized by internal units and external agencies such as the SEC and Bank of Thailand.
- All executives and employees receive mandatory training to raise awareness about cyber threat prevention and personal data protection. The training includes topics such as Personal Data Protection, Phishing Awareness, Phishing Emails, and Information Security and Cybersecurity (ISCS).
- Employees in directly relevant units must attend personal data protection training specific to their roles
- The PDPA Awareness Campaign was launched to educate concerned parties on proper practices under the PDPA through articles, newsletters, infographics and videos as well as providing channels for them to seek advice from experts and send inquiries to the DPO.
- Information on cybersecurity is shared on a regular basis through our internal communication channels. During 2024, various topics were covered, including Security Tips: Protect Against Dangerous Links in Emails with Safe Links on Microsoft Outlook, Warning! Spread of Ransomware or Extortion Emails, Security News: Hit with Real Fines! Case of Personal Data Leakage, etc.
- Cybersecurity Talk activities were organized to enable employees to apply knowledge to their work and daily lives. In 2024 talks were organized under the topics of: Expose the Dark Web, Answering Questions about Security on Data Security Stored in a Database, and AI and Human Behavior: Navigating the Intersection for Enhanced Digital Security.
- Bangkok Bank Cybersecurity Day 2024 was organized to provide knowledge and raise awareness of dealing with cyber threats for executives and employees. The event included a seminar to share experiences and knowledge about ransomware and techniques of deception currently used by hackers, as well as recommendations for behaviors that help protect against cyber threats. In addition, booths offered knowledge and quiz games with prizes.
- The Cybersecurity Hero Season 1 event was organized to build an organizational cybersecurity culture that aims to build awareness among employees about the importance of cybersecurity and how to deal with cyber threats. This was done through various activities designed to teach employees to identify and report phishing emails and cyber threats impersonating the Bank in order to collect points to redeem prizes.
Raising Awareness of Online Financial Threats to Society
The volume of online fraud and scams is on the rise, causing severe financial and psychological damage to victims. To alleviate this problem, we have cooperated with relevant government agencies in implementing various preventive measures, such as detecting and tracking mule accounts, providing alerts when transferring money online, and requiring additional identity verification for high-value transfers. In addition, we have continuously sought to raise public and customer awareness about online financial threats by sharing knowledge through the Bank’s offline and online channels about types of fraud, how to identify suspicious behavior, exercise vigilance and take preventive measures, as well as what to do when one becomes a victim. In collaboration with Thailand Service Co-operative of the Blind (TSCB) under the Fin Lit for the Blind project, we also organized a lecture on Navigating Cybersecurity in the Age of Rapidly Changing Technology to provide visually-impaired people with knowledge and awareness about the techniques of scammers.
This Website uses cookies to provide you with the best experience and to improve the Bank’s website services in order to better serve your requirements. You can find the details about cookies use on
Cookies Policy
