Cybersecurity and Data Privacy Protection

Commitment


To strengthen cybersecurity and personal data protection with enhanced technology and employee capabilities to ensure compliance and build trust among all stakeholders.

Materiality


The Bank’s business operations entail collection, consolidation and processing of large volumes of customer data. Rapid technological advancements have led to increasingly sophisticated and severe cyber threats, resulting in risks related to information technology and personal data breaches. These risks may result in adverse impacts on customer assets, as well as on the Bank’s business continuity and reputation. The Bank is therefore firmly committed to strengthening cybersecurity management and overseeing personal data protection. Effective measures have been implemented to safeguard personal data, alongside continuous efforts to enhance employee awareness and capabilities in responding to cyber threats and complying with the Bank’s information security and personal data protection policies and practices. These efforts aim to prevent or mitigate potential adverse impacts on customers and the Bank arising from data breaches, data loss, or the unauthorized or improper use of personal data without the data subject’s consent.
Cybersecurity Management
We consider IT risks including risks from cyber threats as key risks that need to be managed prudently. We have put in place a framework for managing information security and cybersecurity that conforms with international standards. An action plan to tackle various forms of cyber threats has been established so that we can quickly and effectively mitigate potential impacts. We have also adopted modern technology to monitor and detect unusual situations or events that may damage the Bank’s data and information systems. In addition, we have developed security standards for all data collected through the Bank’s services while our systems are regularly assessed according to these security standards, both before and after customers use a service. At the same time, we are committed to consistently developing our personnel’s cybersecurity competencies. In 2024, the Bank received Best Performance Awards 2024 for organizations that achieved ‘Excellent’ assessment result for cybersecurity advancement from the Prime Minister Awards: Thailand Cybersecurity Excellence Award 2024 event organized by the National Cyber Security Agency (NCSA). The award manifestly reflects our commitment to cybersecurity management.
 
Cybersecurity Governance Structure

To ensure that our information security and cybersecurity are appropriately managed and in accordance with the Bank’s policies and strategies, we have clearly defined the scope of responsibility for relevant parties from the Board of Directors level to management level as follows:

 



Responsible for governing and overseeing information security and cybersecurity management to be appropriate for the Bank’s business operations.

Responsible for overseeing and monitoring information technology risks including risks from cyber threats.

Responsible for ensuring that our Information Technology Division works effectively and in alignment with business operations.

Responsible for supporting the Chief Information Security Officer (CISO) who is responsible for the following:

  • Defining, developing and regularly reviewing the structure, policies, standards and procedures for information security and cybersecurity. 
  • Assessing and monitoring the status of security control through vulnerability and threat management, as well as investigating any unusual incidents in the Bank’s security. 
  • Fostering a risk culture regarding information security and cybersecurity in the organization.


Cybersecurity Policy and Measures

We have established an Information Security and Cybersecurity Policy that complies with international standards and regulations as a guideline for managing information security and managing cyber attacks. We also publish the Information Security and Cybersecurity Handbook to provide clear guidelines for employees to follow. The policy is reviewed every year to ensure it is up to date with new technologies and current cyber threats. During 2024 we revised our risk management strategy and asset management principles to align with the NIST Cybersecurity Framework 2.0, adding controls on the adoption of artificial intelligence (AI), information security for cloud system services, and quantum computing security. In addition, the Bank has been certified as meeting various international security standards, including ISO/IEC 27001:2013 for the Bank of Thailand’s Automated High-value Transfer Network (BAHTNET) and the Image Cheque Clearing and Archive System (ICAS), and we are in the process of being certified for the Payment Card Industry Data Security Standard (PCI/DSS).

To support working in the digital age where employees can work from anywhere, the Bank has established regulations on the use of mobile devices, access to external data, management of e-mails, and storage of data in accordance with the Information Security and Cybersecurity Policy and other related policies. Furthermore, we have installed security systems in our hardware and regularly scan for malware on devices as well as monitoring for any potential information leakages from different sources as proactive security measures.

Monitoring Cybersecurity

We have established clear guidelines for monitoring cybersecurity incidents that may affect information security as well as setting response times for the escalation of incidents and notification of related parties so that incidents can be managed and any resulting damage mitigated in a timely manner. We regularly enhance the knowledge and skills of relevant employees to ensure preparedness in preventing and responding to cyber threats. In 2024 we offered training organized by both internal and external agencies to employees to enhance their cybersecurity-related skills. We also sent employees to participate in the Cyber Combat 2024 competition hosted by the Thailand Banking Sector Computer Emergency Response Team (TB-CERT) to strengthen their skills in handling cyber threats through simulated situations.

 



Employees who encounter a dubious incident related to IT security and cybersecurity can report the incident to the Service Desk through the channels provided. In 2024 there were no cases of information security breaches or other cybersecurity incidents at the Bank.

Preparation for the Cybersecurity Incident Response

The Information Technology Security Management Unit conducts a cybersecurity drill of the Bank’s cyber threat response plan at least twice a year and adjusts the scenarios for the cybersecurity drill on a regular basis. The results of the drills are used to improve the Bank’s cybersecurity incident response process to be more effective. During 2024 the Bank carried out three drills for the cybersecurity incident response plan namely, an internal drill, a banking sector drill under TB-CERT, and a drill at national level by the NCSA. Moreover, we regularly test the responses of our personnel on cybersecurity by simulating phishing emails with different subjects and content and sending them to directors, executives and employees throughout the year to test their understanding. Results are applied to heighten the awareness of employees on how to spot and handle phishing emails.

The Bank conducts an information technology security assessment annually by internal audit unit. Additionally, we hired independent external audit agency to examine our IT security management processes covering IT General Control and Application Control to ensure that our IT systems have a high standard of protection and are able to handle threats.

The Bank also conducts a vulnerability analysis for important work systems to test their vulnerabilities and conduct a penetration test which is led by both internal and external experts on an annual basis. In addition, the Bank has implemented artificial intelligence technology to detect counterfeit digital assets such as domain names, websites, and social media pages, enabling early intervention before they cause damage to customers and the bank's reputation.

Collaboration with External Agencies to Build Cybersecurity

To promote cybersecurity, we have set up collaboration with both local and international external agencies including TB-CERT, the Thai Computer Emergency Response Team (ThaiCERT) and the Financial Services Information Sharing and Analysis Center (FS-ISAC), with the objective of exchanging information related to cybersecurity and enhancing our ability to monitor and respond to cyber threats. In 2024 we participated in a seminar on cybersecurity under the topic Tomorrow’s Cybersecurity in the Age of AI. This was organized by TB-CERT to update knowledge and practices on cybersecurity in an era where AI is playing a significant role. In addition, the Bank’s executives gave lectures and exchanged knowledge at the cybersecurity workshop Capital Market Cyber Leaders 2024: Trust, Resiliency, Sustainability organized by the Securities and Exchange Commission (SEC) for directors of listed companies, and to a seminar organized by NCSA entitled the Joining Forces between the Public and Private Sectors to Drive Cloud Security to Support the Cloud First Policy.
Information Security and Cybersecurity Policy
The Bank has established the Information Security and Cybersecurity Policy that complies with domestic regulations and international standards for the financial institution sector as a guideline for managing information security and cybersecurity. This policy applies to all employees and personnel of the Bank, as well as third party who perform tasks on behalf of the Bank.

The Bank reviews the policy annually or when there is a major regulatory change to ensure that policy is appropriate to information security and cybersecurity landscape and in alignment with the Bank’s business direction.

Essence of Information Security and Cybersecurity Policy

  • Organization Structure for Information Security and Cybersecurity
    The Bank shall follow the three lines of defense structure for information security and cybersecurity management by defining clear and definite responsibility across the Bank without overlapping accountability. All staff and executives have to be strictly accountable for their determined responsibilities to ensure efficiency and effectiveness of information security and cybersecurity management.
  • Information Security and Cybersecurity Risk Management
    The Bank assigns a direct responsible person from each unit to coordinate and facilitate the identification and assessment of potential information security and cybersecurity events within their units as well as the assessment of existing internal controls to future determine effective risk control procedure or risk mitigation plans.
  • Information Technology Asset Management
    The Bank shall define how any and all of its information assets should be handled, including the appropriate protection responsibilities for assets by identifying, inventorying, classifying, and developing rules for acceptable use. Assets shall also include any data, knowledge, or information that has value to the Bank, whether created by the Bank or not.
  • Access Control
    The Bank shall determine the appropriate rules on need to know basis for access control, access rights, and access restrictions for assets that are commensurate to the sensitivity of the asset and exposure to information security risk.
  • Cryptography
    The Bank shall ensure the security and protection of communication channels and the storage and transmission of assets through proper and effective cryptographic methods.
  • Physical and Environmental Security
    The Bank shall implement physical and environmental security guidelines in order to prevent unauthorized physical access; damage and interference to information facilities; loss, damage, theft, or compromise of physical assets; and interruption to the Bank’s operations.
  • Operations Security
    The Bank shall ensure the security and operation of information processing facilities; protection of assets from all applicable information security and cybersecurity threats.
  • Communications Security
    The Bank shall ensure the protection of information in network services and the security of information when transmitted and transferred within and outside of the Bank.
  • Mobile Devices and Remote Access Security
    The Bank shall secure and protect the use of mobile devices and remote access to the Bank’s information systems in order to prevent the compromise of the Bank’s information systems and assets.
  • Information Security and Cybersecurity in Third Party Relationships
    The Bank shall manage third party relationships (e.g. external service provider, vendor, etc.) to ensure information security and cybersecurity when contracting and receiving services.
  • System Acquisition, Development, and Maintenance
    The Bank shall constantly monitor and review the information security and cybersecurity vulnerabilities and capabilities of systems and applications in order to assess and reduce security risks associated with the ownership, use, and development of such systems and applications.
  • Information Security and Cybersecurity Incident Management
    The Bank shall ensure that there is a consistent and effective approach in response to information security and cybersecurity related incidents. This includes the communication of security incidents and or weaknesses, as well as appropriate post-incident handling.
  • Information Security and Cybersecurity Aspects of Business Continuity Management
    The Bank shall ensure that information security and cybersecurity continuity is a part of BCM in order to protect critical business processes and ensure continuity or timely resumption of information security and cybersecurity systems in adverse situations such as disasters, failures, or crises.
  • Information Security and Cybersecurity Training and Awareness
    The Bank shall establish information security and cybersecurity training and awareness programs to ensure the knowledge, skills, and awareness of all employees in the protection against information security and cybersecurity threats on regular basis.
  • Human Resource Security
    The Bank shall define, communicate, and enforce responsibilities and requirements towards the Bank’s assets for all those employed by the Bank.
  • Compliance and Information Security and Cybersecurity Review
    The Bank shall avoid breaches of legal, statutory, and contractual obligations related to information security and cybersecurity requirements. The Bank shall abide by any applicable legislation and regulation when using any information or information system in its operations.
  • Emerging Information Security and Cybersecurity Threats and Trends
    The Bank is aware of developing information security and cybersecurity trends due to the rapid evolution of technology and corresponding technological threats. The Bank shall monitor vulnerabilities and threats that may arise due to changes in the technological landscape and the way technology is used within the Bank. The bank shall ensure that emerging technology deployment shall be efficiently managed with additional specific guideline on top of normal practices in order to drive the proactive awareness and support the banking industry.
Artificial Intelligence Risk Management

Artificial intelligence (AI) technology is currently being widely adopted across both business operations and in daily life. The Bank has leveraged AI to support its business activities, including threat detection, product recommendation (cross-selling), and chatbot implementation for customer services. Recognizing the potential risks associated with the use of AI, the Bank has established a comprehensive risk management framework based on the principles of responsible AI adoption that takes into consideration the impacts related to ethics, social and personal data security. The Bank has also established an Information Security and Cybersecurity Policy which specifies a comprehensive governance framework for the adoption and control of AI to ensure its appropriate and responsible use. The policy also embeds security-by-design principles into AI-enabled systems, including data encryption, access controls, and regular vulnerability assessments. The Bank also engages in proactive communication with employees and customers to promote awareness and understanding of responsible AI use.

Personal Data Protection Management

We place the highest priority on the protection of personal data to prevent data subjects from being harmed by the misuse or unlawful exploitation of personal information. We have established principles and operational guidelines for personal data security that are fully aligned with the Personal Data Protection Act (PDPA) and other relevant regulations. The Bank has assigned responsible personnel for reviewing and monitoring data. Requirements have also been set up on the granting of access rights, and the sorting and classification of data in order to establish different corresponding personal data security measures that are consistent with the degree of risk and potential impacts from a breach of personal data privacy. We have identified personal data risk as one of the Bank’s key risks and have assigned the Data Protection Office and Data Protection Officer (DPO) to participate in the risk management process, from risk identification to risk management and risk controls.

Personal Data Protection Governance

To ensure transparent and effective governance of personal data protection in compliance with the Bank’s internal practices and relevant laws and regulations, the Bank has clearly defined the roles and responsibilities of the Board of Directors, senior executives, and relevant departments in personal data protection. The Bank undertakes risk control according to the Three Lines of Defense principle and ensures that the audit of personal data protection is conducted by the Audit and Control Division working independently of the units that collect, use and disclose personal data. In addition, the Bank has established a Data Protection Office under the Compliance Unit and appointed a DPO to be in charge of personal data.

Personal Data Protection Policy and Standards

We have established the Personal Data Protection Policy and Standards in compliance with the Personal Data Protection Act B.E. 2562 (PDPA) and other applicable regulatory requirements. The policy applies across the Bank’s business groups, business partners and external service providers. The policy is reviewed on an annual basis to ensure it remains current and effective. In addition, the Bank has developed operating manuals for personal data protection for all relevant units to ensure that employees have a good understanding of the processes and puts them into practice accordingly. All employees must acknowledge and conform to the Personal Data Protection Policy. Any violation or non-compliance may result in disciplinary action and could also give rise to criminal liability or other legal penalties under applicable laws. We disseminate our Privacy Notice through multiple channels, including the website, branches, and digital banking channels, to inform data subjects of details regarding personal data protection and their rights. Data subjects may seek further information and exercise their rights at any branch or through other service channels of the Bank, or by contacting the Bank’s Data Protection Officer or the Data Protection Office for assistance.



We have established a consent form that specifies details and objectives regarding the collection, use and disclosure of the personal data of a data subject so that the data subject can consider this before giving consent, prior to or during data processing (such consent is the data subject’s choice and will not in any way be a requirement for using the Bank’s services). Additionally, we also monitor the data used for secondary purposes as allowed by relevant laws and with consent, such as marketing activities and data analytics to develop products and services. As of the reporting period, 88 percent of the Bank’s customers have provided consent for the use of their personal data for secondary purposes.

Personal Data Breach Response

We have established clear guidelines and procedures, and designated responsible persons for responding to personal data breach incidents. A personal data breach reporting form has been established for completion by the unit detecting the incident and for reporting to the responsible supervisor in charge for further submission to the DPO.


Data subjects may submit complaints regarding personal data breach incidents through the Bank’s established complaint handling channels or by contacting the Data Protection Officer (DPO) or the Data Protection Office. Upon receipt of a complaint, we conduct a transparent and impartial investigation to ascertain the facts. If the investigation confirms the breach, we will take action against the wrongdoer according to the established disciplinary processes and guidelines, make proper remedies to the affected parties, and implement corrective measures to prevent recurrence. In 2025 we received a total of 22 complaints related to personal data protection breaches, comprising 12 complaints submitted through the Bank’s complaint handling channels and 10 complaints submitted through regulatory authorities. Of these, 15 cases have been fully investigated and resolved with none of the cases causing significant impacts on data subjects.

Fostering a Culture of Information Technology Security, Cybersecurity and Personal Data Protection

We believe that fostering a culture of information technology security, cybersecurity and personal data protection in the organization requires every employee to have the right knowledge and understanding of the subject. Therefore, we have taken the following measures or requirements to enhance knowledge and understanding:


  • Requiring members of the Board of Directors to participate in training programs related to information technology security and cybersecurity management, organized by the Bank or relevant regulatory authorities.
  • Communicating the Bank’s Information Security and Cybersecurity Policy, as well as related information security and cybersecurity manuals through internal communication channels, and developing engaging learning materials in the form of animations to enhance accessibility and understanding.
  • Implementing mandatory training programs for executives and employees to enhance awareness of cyber threat prevention and personal data protection. These include Personal Data Protection training, Phishing Email Awareness training, and Information Security and Cybersecurity training.
  • Requiring employees in relevant units to attend Personal Data Protection training specific to their roles.
  • Organizing a PDPA Awareness Campaign to promote understanding of proper compliance with the Personal Data Protection Act B.E. 2562 (PDPA), delivered through a range of knowledge-sharing materials such as articles, newsletters, infographics and videos, with dedicated channels provided for employees to submit inquiries to the Data Protection Officer (DPO).
  • Organizing expert sessions on the topic of the Personal Data Protection Act (PDPA) to enhance employees’ understanding of the Bank’s roles and responsibilities as a data controller; best practices for managing personal data throughout its lifecycle; and guidelines for engaging with companies or their directors in a manner that ensures compliance with the PDPA and prevents any potential violations.
  • Sharing knowledge about the ESG Journey 2025 and strengthening operational excellence in PDPA to enhance awareness of the latest personal data protection regulations and guidelines issued by the Office of the Personal Data Protection Commission (PDPC).
  • Developing and disseminating security tips and security news throughout the year via the Bank’s internal communication channels.
  • Organizing cybersecurity talk sessions by inviting internal and external experts to share knowledge on cybersecurity topics, such as Cyber Threat Awareness to Build Organizational Resilience; Security First! Fundamental Security Principles for Vendors and Application Developers; The Quantum (Computing) Mania; and Surviving in Digital Future.
  • Organizing the Cybersecurity Hero Season 2 program, building on the success of Season 1, with the objective of encouraging behavioral change among employees to recognize the importance of cybersecurity awareness and how to deal with cyber threats. Activities included reporting phishing emails and cyber threats impersonating the Bank in order to collect points to redeem prizes.
  • Organizing Bangkok Bank Cybersecurity Day 2025 under the theme Unlocking the Future of Cybersecurity with AI which aimed at enhancing knowledge of AI technology trends, the safe and responsible adoption of AI in alignment with the Bank’s cybersecurity framework, and emerging AI-related cyber threats. The event featured knowledge-sharing by experts in AI and cybersecurity from both inside and outside the Bank, as well as interactive booths provided by leading technology companies.

TOOLS & ASSISTANCE

We are ready to help you.

TOOLS & ASSISTANCE

We are ready to help you.

You are now leaving Bangkok Bank's website