Cybersecurity and Customer Data Privacy Protection

Commitment


To strengthen cybersecurity and customer data privacy protection with enhanced technology and people capabilities in order to improve productivity, ensure compliance and build trust with all stakeholders

Materiality


Personal data is inevitably collected when conducting banking business in the digital age. This data can be analyzed to help formulate business strategy, design products and services to meet customer needs, and create opportunities and a competitive advantage over competitors. Although there are many benefits to be gained from data, there are also risks of data abuse which can cause negative impacts for both the Bank and data owners. Therefore, we attach great significance to providing data security, for both customer data and business data, to protect rights and maintain trust among customers, suppliers and business partners. We have implemented proper data security measures that include raising awareness and building employee capabilities to tackle cyber threats. At the same time, we cooperate with external agencies to enhance our ability to manage cyber risks, adopt efficient and effective data governance processes, and issue appropriate and adequate measures to protect customer data privacy and the Bank’s business data.
Management Approach
Cybersecurity Management

Cyber threats in the digital age have become more severe and complicated compared to the past and are likely to intensify in the future. Cybersecurity is therefore considered to be a key risk factor affecting the Bank’s business operations that we have to manage. Accordingly, we have set a clear IT security and cybersecurity framework that conforms to international standards. We have also ad-opted new technologies to monitor and detect anomalies and irregular incidents that may damage the Bank’s data or IT systems. Moreover, we have established security standards for all data collected through the Bank’s services. Our systems are regularly assessed against these security standards, both before and after customers use a service. This is to ensure that preventive or corrective actions are taken promptly once a loophole is found. The Bank has received ISO 27001 certification and is in the process of being certified for PCI/DSS standards.

Personal Data Protection Management

We have established principles and practices on personal data protection in accordance with laws and rules imposed by regulators, the Bank’s personal data protection policy and other related policies. These principles and practices cover personal data privacy protection measures and notifications in cases of violation of personal data privacy. Besides this, personal data risk has been recognized as one of the Bank’s major risks and the scope of our risk taxonomy has been expanded to cover personal data risk, requiring the Personal Data Protection Unit and the responsible officers to participate in the Bank’s risk management process. At the same time, we continue to build awareness and understanding among all executives and staff to keep them up-to-date and compliant with relevant laws and the Bank’s practices.

We have put in place appropriate step-by-step measures on personal data protection to prevent data loss, unauthorized access, usage, change, amendment or disclosure, and reviewed these on a regular basis. Relevant parties must comply with the measures and are given the responsibility to monitor data, grant access rights and classify data so as to determine levels of personal data security that are consistent with the degree of risk and potential impacts from a breach of personal data privacy.



Promoting a Data Security and Cybersecurity Risk Culture

Since we collect, use and disclose personal data, we realize the importance of responsible parties having a proper and complete understanding of how to manage data security and cybersecurity. Consequently, we have continuously built relevant knowledge among staff and executives to prevent misuse of information, theft, leakage and loss of data through a variety of approaches such as knowledge sharing sessions, cyber threat response plan rehearsals and simulations. All departments are responsible for ensuring the security of their relevant information. Building knowledge and understanding of data security and cybersecurity forms an important part of our organization-wide risk culture.
Key Activities
In 2021, the Bank carried out the following key activities:

  • Activities to raise awareness about cybersecurity: We introduced mandatory online learning curricula through BBLearn for all employees to attend including Phishing Awareness and Personal Data Privacy Protection. We also encouraged employees to be aware of information security management systems to understand different forms of cyber threats and be informed about the Bank’s policies and practices on data security and cybersecurity. At the same time, we also provided training on cybersecurity for the Board of Directors.
  • Activities to apply knowledge on PDPA. We organized an online training program on the application of the Personal Data Protection Act B.E. 2562 (PDPA) for employees in various units to understand policies and practices around personal data protection as well as be able to apply knowledge to improve work processes they are responsible for.
  • Activities to build awareness about the protection of personal data. We established the PDPA Awareness Campaign to create understanding and awareness of employee responsibilities under the PDPA through articles and videos, while also conducting assessments to ensure that employees have a good understanding and can perform their duties in compliance with the Personal Data Protection Act B.E. 2562 (PDPA).
  • Activities to educate and inform customers. We continually raise awareness among customers about cyber threats by communicating relevant information, knowledge and alerts in an easy-to-understand format through digital communication channels such as our website, Facebook, LINE Official and YouTube accounts including providing QR Codes for customers to access information related to personal data protection to prevent them or the general public from becoming cybercrime victims.

TOOLS & ASSISTANCE

We are ready to help you.

TOOLS & ASSISTANCE

We are ready to help you.

You are now leaving Bangkok Bank's website