In October 2024, the SEC held a public hearing to gather comments from the public and stakeholders on the draft amendments to the IT Regulation and Guideline. Feedback and suggestions from stakeholders were incorporated into the finalization process. The SEC has since issued notifications specifying the amendments, with the key points as follows:
(1) To adjust the frequency of submitting IT audit reports so that it is commensurate with the risk level of small business operators and low-risk operators, with measures that allow the SEC to monitor those operators' risks in the event of adverse incidents;

(2) To align the submission timelines for risk level assessment (RLA) reports and IT audit reports to the same period, specifically within the first quarter of each calendar year;

(3) To adjust security measures so that they are commensurate with the risks of small business operators, for example by reducing the penetration testing frequency, by extending access control requirements to cover both generic user accounts and high-privileged user accounts, and by requiring business operators to manage IT incidents through root cause analysis, incident record-keeping, and reporting of such incidents to the SEC;

(4) To adjust the applicable scope for investment advisory business operators to ensure that they can implement sufficient controls for managing IT-related risks arising from their use of technology;

(5) To improve other details of the rules to better communicate the intent of the oversight and enable effective implementation of risk controls.
The notifications of the aforesaid amendments take effect from 1 January 2025 onwards.