On January 16, 2023, Thailand’s Securities and Exchange Commission (SEC) prescribed a set of security measures that digital asset business operators must implement if they provide custody of digital assets for their customers. The new security measures are prescribed in two notifications from the SEC and its office on digital asset wallet management systems and cryptographic key management systems, with the aim of safeguarding digital assets in custody against loss, fraud, and cybertheft. The notifications took immediate effect.
The new security measures and the management systems are summarized below.
Policy and guidelines for managing systems related to digital asset custody
Digital asset business operators must have a written risk management policy for all systems relating to digital asset custody, approved by their board of directors and made accessible to all employees. The policy must be reviewed or revised at least once annually, or promptly if any potential risks are identified. Specific procedures must be implemented, such as establishment of a compliance team and internal controls.
Management of systems for digital asset wallets and cryptographic keys
Digital asset business operators must have policies and procedures for managing all systems relating to digital asset custody. This includes designing, developing, and operating digital asset wallets securely. The same requirement for policies and procedures applies to cryptographic key management.
Management of incidents that may affect systems related to digital asset custody
Digital asset business operators must have measures in place to manage incidents that may impact systems related to digital asset custody. The measures include designating a person responsible for incident management, testing and reviewing the incident management policy annually, reporting any incidents affecting digital asset custody to the designated responsible person and the SEC immediately, and conducting a digital forensic investigation with an independent specialist, if necessary.
If an incident affects the security of systems related to digital asset custody and has a significant impact on customers’ assets, the digital asset business operator must conduct a digital forensic investigation and report the investigation results to the SEC. The operator must also develop a plan to resolve the issues, along with measures to prevent recurrence. Documentary evidence of the incident management must be maintained for at least two years.
Digital asset business operators that provided digital asset custody services to customers prior to January 16, 2023, are required to implement the new security measures specified in the notifications at the earliest opportunity, and no later than July 16, 2023 (i.e., six months from the effective date of the notifications).