Thailand’s Office of Insurance Commission (OIC) has opened a public hearing on proposed amendments to the OIC Notification on Criteria for Information Technology Risk Governance and Management for Life Insurance and Non-Life Insurance Companies B.E. 2563 (2020) via the centralized Law platform. The public consultation period runs from May 8, 2026, to June 9, 2026.
The proposed amendments aim to elevate the IT risk governance and cybersecurity risk management framework to be more modern and aligned with international standards, with a focus on strengthening cyber resilience, enhancing the role of IT audits, and establishing data governance and data quality controls.
The parties affected by these amendments include life insurance companies, non-life insurance companies, and external IT auditors.
Key Changes
Elevated Role of Board of Directors
The proposed notification expands the duties of the company’s board of directors to include oversight of data governance, cybersecurity, and the responsible use of AI, including establishing the relevant policies and committees. The board should also include at least one director with IT knowledge or experience, and companies must designate a head of security responsible for information security.
Enhanced IT Security and Cybersecurity
The revised notification consolidates the existing chapters on IT project management, IT security, and cybersecurity to reduce redundancy, and introduces significant new measures. These include mandatory multi-factor authentication for material systems, enhanced data security measures such as data masking and data leakage prevention, security hardening requirements, web filtering, and mandatory vulnerability assessment and penetration testing at least annually. New requirements are also introduced for mobile application security, API security, and security measures for emerging technologies such as cloud computing and post-quantum cryptography.
The cybersecurity framework now encompasses identification, protection, detection, response, and recovery. The draft also introduces source code review requirements for system development and mandates security controls when AI is used to support system development.
IT Risk Management and IT Compliance
The revised notification requires the appointment of a qualified IT risk officer with relevant knowledge and experience, and mandates risk reporting to management or the board at least annually. For IT compliance, companies must designate personnel responsible for monitoring, assessing, and reporting on regulatory compliance, including summarizing non-compliance incidents and remediation measures to the relevant committee.
Enhanced IT Audit Requirements
The draft introduces a requirement for external IT auditors to hold CISA or ISO/IEC 27001 lead auditor certifications. Audit planning must adopt a risk-based approach. Material systems must undergo a full-scope audit at least every three years, while high-risk systems require full-scope audits annually. In the event of a cyber attack, affected systems must be subject to a full-scope audit within the year the incident occurs, except where the incident occurs in the fourth quarter of the year.
Data Governance
A new Data Governance chapter is introduced as a regulatory requirement. Companies must establish data management processes throughout the data life cycle, covering data life cycle management, metadata management, data quality management, data risk management, data security, and data privacy. Data quality must be reviewed and reported at least annually.
AI Governance
A new AI Governance chapter requires companies using AI to establish policies and governance processes throughout the AI usage life cycle, with responsibilities divided according to the “three lines of defense” model. These requirements cover both in-house development and third-party services, and extend to risk assessment and monitoring, AI performance evaluation, and data management in accordance with the AI governance guidelines.
Cyber Incident Reporting Framework
Currently, companies must report incidents involving critical information infrastructure to the OIC or other agencies as prescribed by law within 72 hours. The draft provides greater clarity on the types of incidents that must be reported, the information to be disclosed, and the agencies to be notified.
Recommended Actions for Insurance Companies
Life insurance and non-life insurance companies should assess the impact of these proposed changes on their current governance structures, risk management processes, and IT systems. Stakeholders may submit comments through the centralized Law platform until June 9, 2026.