The Thai National Cyber Security Committee of Thailand ("NCSC") has released two notifications requiring critical information infrastructure operators ("CIIOs")1 to implement baseline cybersecurity protection measures in their data and information systems to enhance their cybersecurity resilience.
These notifications are:
- Notification on standards in determining the security category for data or information systems ("Notification on Security Category"); and
- Notification on baseline standards for data and information systems ("Notification on Baseline Cybersecurity Standards"),which shall be referred to as "Notifications".
These Notifications were published in Thailand's Royal Gazette on 18 January 2024 and will become effective on 18 January 2025 (ie 1 year from the publication date). The CIIOs are expected to be in compliance with the Notifications as of the effective date.
Designation of CIIOs
CIIOs refer to those organisations which have been designated by the relevant regulator as CIIOs in their respective sectors, and broadly include companies that provide, or whose functions involve "critical services".
A NCSC notification issued in 2021 contains an extensive list of specific services that are deemed critical services, including certain services relevant to the following sectors: national security, significant public services, banking and finance (including securities-related businesses such as securities brokerage), IT and telecommunications, transportation and logistics, energy and public utilities and public health.
In determining which companies are CIIOs, the NCSC grants discretion to each relevant sector regulator to determine whether any of their regulated companies/entities should be deemed as CIIOs based on the guidelines issued by NCSC and the relevant regulator. The designated CIIO companies/entities would be informed by the relevant regulators, as the list of CIIOs is not publicly available.
Obligations on CIIOs
Per the Notifications, CIIOs are required to:
- categorise their data/information systems based on cybersecurity objectives into one of the three risk classes: low, medium or high (per the Notification on Security Category); and
- set up and implement baseline cybersecurity measures to protect each class of data/information system (per the Notification on Baseline Cybersecurity Standards).
Step 1: Classifying data/information systems of CIIOs
CIIOs are required to assess their data and information systems and assign them the appropriate class, which is determined after considering three cybersecurity objectives: confidentiality, integrity, and availability.
Other relevant considerations are the potential impact on the (i) potential financial, property, and reputational damages to the CIIO; (ii) users, employees or the general public members using the CIIO's services; (iii) the efficiency of the CIIO's operations; and (iv) national security and public order.
The classification outcome needs to be revisited at least once every three(3) years or upon the occurrence of any material change to data/information systems or the functions of the CIIO.
Step 2: Implement baseline cybersecurity measures in CIIOs' data and information systems
After the data/information systems have been classified with a risk level, CIIOs are required to implement baseline cybersecurity measures for each class of data/information system.
Below is a table setting out areas that need to be covered in the baseline cybersecurity measures required for each class.
| Baseline Cybersecurity Measures | Class | ||
| Low | Medium | High | |
| Cybersecurity Audit Plan | X | X | |
| Cybersecurity Risk Assessment | X | X | X |
| Incident Response Plan | X | X | X |
| 1. Risk Identification: Identification of potential risks posed to computers, computer systems, other information relevant to computer systems and assets, life, and body of individuals | |||
| Asset Management | X | X | X |
| Risk Assessment and Risk Management Strategy | X | X | X |
| Vulnerability Assessment and Penetration Testing | X | ||
| Third-party Service Provider Management | X | ||
| 2. Risk Protection: Measures on protection of potential risks | |||
| Access Control | X | X | X |
| System Hardening | X | X | X |
| Remote Connection | X | X | |
| Removeable Storage Media | X | X | |
| Cybersecurity Awareness | X | X | X |
| Information Sharing | X | ||
| 3. Risk Detection: Measures on detection and monitoring cyberthreats | |||
| Cyber Threat Detection and Monitoring | X | X | X |
| 4. Risk Response: Measures in response to the cyberthreats incidents | |||
| Cybersecurity Incident Response Plan | X | X | X |
| Crisis Communication Plan | X | X | X |
| Cybersecurity Exercise | X | X | X |
| 5. Recovery: Measures on remedy and recovery of losses incurred from cyberthreats | |||
| Cybersecurity Resilience and Recovery | X | ||
Our observations
Governments and regulators in Asia (eg Thailand, Singapore and China) have designated CIIOs and specified baseline cybersecurity requirements for CIIOs to adopt, with the objective of enhancing cybersecurity resilience of critical systems. The practice of classifying data and information systems into different risk categories is also commonly adopted to ensure that appropriate and sufficient cybersecurity measures are adopted to protect critical systems.
Footnote
1. In 2021, the NCSC issued a notification which sets out the criteria for determining CIIOs and the list of critical services. NCSC grants discretion to Thai sector regulators for them to determine which companies are CIIOs in their respective sectors.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
