Cyber threats in the digital age come in many forms, and their complexity can cause widespread damage. Accordingly, we have established a clear IT security and cybersecurity framework that conforms to international standards. We have also reviewed our IT security and cybersecurity policies to ensure they are consistent with the international standard ISO/IEC 27002 and that they are suitable for current technologies and cyber threats. In addition, we have adopted new technologies to monitor and detect anomalies and irregular incidents that may damage the Bank’s data or IT systems. Moreover, we have established security standards for all data collected through the Bank’s services. Our systems are regularly assessed against these security standards, both before and after customers use a service. The Bank has been certified for various international security standards, including ISO/IEC 27001:2013 for the Bank of Thailand Automated High-value Transfer Network (BAHTNET) and the Imaged Cheque Clearing and Archive System (ICAS), and is in the process of being certified for the PCI DSS security standard. As a testament to our commitment to and vigilance on cybersecurity, the Bank received the Certificate of Cyber Hygiene (Gold Level) from the National Cyber Security Agency in 2022 for our compliance with required basic cybersecurity standards.
Cybersecurity Governance Structure
To ensure the efficiency and effectiveness of our information security and cybersecurity, the Bank has clearly defined the scope of responsibility for relevant parties throughout the organization as follows:
Personal Data Protection Management
It is our duty and responsibility to protect customers’ personal data from loss and from unauthorized access, use, alteration and disclosure. Therefore, we have established principles and practices on personal data protection in accordance with laws and rules imposed by regulators, the Bank’s personal data protection policy, and other related policies. These principles and practices cover personal data privacy protection measures and notifications in cases of violation of personal data privacy. Relevant parties are assigned the responsibility to review and monitor data and to oversee the granting of access rights, data classification and classification levels, so as to determine the extent of personal data security measures that is consistent with the degree of risk and the potential impact of a breach of personal data privacy.
To ensure that the personal data protection processes and practices comply with rules imposed by regulators and the Bank, we have put in place an audit of personal data protection practices by the Audit and Control Division, which is independent from the units that collect, use and disclose personal data. In addition, personal data risk has been recognized as one of the Bank’s major risks, requiring the Data Protection Office and the responsible officers to participate in the Bank’s risk management process, from personal data risk identification through to risk management and control.
Personal Data Protection Policy and Standards
The Bank has established a personal data protection policy and personal data protection standards in accordance with the Personal Data Protection Act B.E. 2562 (2019) and related rules and regulations. All involved persons must comply with the policy and standards, which apply to the entire financial conglomerate, including business partners and external suppliers. In addition, we disseminate a Privacy Notice through our website, branches and digital banking channels to inform customers about personal data protection and data subject rights.
The Bank also provides consent forms that give details regarding the collection, use and disclosure of customers’ personal data so that data subjects can make an informed decision before giving consent, whether before or during data processing. Giving such consent is the data subject’s choice and is not in any way a requirement for using the Bank’s services. We also monitor data used for secondary purposes, such as marketing, research and analysis aimed at improving the quality of products and services, which is a data usage permitted by the Bank’s personal data protection practices and allowed by law. In 2022, approximately 60 percent of all customers had given consent for their personal data to be used for secondary purposes.
Governance on Personal Data Protection
The Bank has clearly defined the governance structure of personal data protection by specifying roles and responsibilities of the Board of Directors, senior executives and related units as well as adopting risk management under the three lines of defense principle. In addition, we have established a Data Protection Office (DPO Office) under the Compliance Unit and appointed a Data Protection Officer (DPO) to be in charge of personal data protection at the Bank to ensure that the governance of personal data protection is effective and compliant with laws, the Bank’s policies and practices.
Guidelines for a Breach of Personal Data
The Bank has established guidelines, procedures and responsible persons for responding to a breach of personal data, in accordance with regulatory requirements and the Bank’s personal data protection policy, to ensure clear understanding and proper compliance by related parties. All employees shall acknowledge and comply with the guideline accompanying the personal data protection policy. Failure to comply with the policy guideline may result in disciplinary action, including termination of employment. In addition, a violation of the policy may give rise to criminal liability and be subject to legal measures under applicable laws and regulations.