Herbert Smith Freehills (Thailand) Ltd
The National Cyber Security Committee of Thailand (“NCSC”) has released two notifications requiring critical information infrastructure operators (“CIIOs”)1 to implement baseline cybersecurity protection measures in their data and information systems in order to enhance their cybersecurity resilience. These notifications are:
which shall be referred to as the “Notifications”. The Notifications were published in Thailand’s Royal Gazette on 18 January 2024 and will become effective on 18 January 2025 (i.e. one year from the publication date). CIIOs are expected to be in compliance with the Notifications as of the effective date.
Designation of CIIOs
CIIOs are organisations which have been designated by the relevant regulator as CIIOs in their respective sectors, and broadly include companies that provide, or whose functions involve, “critical services”. An NCSC notification issued in 2021 contains an extensive list of specific services that are deemed critical services, including certain services relevant to the following sectors: national security, significant public services, banking and finance (including securities-related businesses such as securities brokerage), IT and telecommunications, transportation and logistics, energy and public utilities, and public health. In determining which companies are CIIOs, the NCSC grants each relevant sector regulator discretion to determine whether any of its regulated companies/entities should be deemed CIIOs, based on the guidelines issued by the NCSC and the relevant regulator. Designated CIIO companies/entities are informed by the relevant regulators, as the list of CIIOs is not publicly available.
Obligations on CIIOs
Per the Notifications, CIIOs are required to:
Step 1: Classifying data / information systems of CIIOs
CIIOs are required to assess their data and information systems and assign each of them the appropriate class, which is determined after considering three cybersecurity objectives: confidentiality, integrity and availability. Other relevant considerations are the potential impact on: (i) financial, property and reputational damage to the CIIO; (ii) users, employees or members of the general public using the CIIO’s services; (iii) the efficiency of the CIIO’s operations; and (iv) national security and public order. The classification outcome needs to be revisited at least once every three (3) years, or upon the occurrence of any material change to the data/information systems or the functions of the CIIO.
Step 2: Implement baseline cybersecurity measures in CIIOs’ data and information systems
After the data / information systems have been classified with a risk level, CIIOs are required to implement baseline cybersecurity measures for each class of data/information system. Below is a table setting out the areas that need to be covered by the baseline cybersecurity measures required for each class.
Our observations
Governments and regulators in Asia (e.g. Thailand, Singapore and China) have designated CIIOs and specified baseline cybersecurity requirements for CIIOs to adopt, with the objective of enhancing the cybersecurity resilience of critical systems. The practice of classifying data and information systems into different risk categories is also commonly adopted to ensure that appropriate and sufficient cybersecurity measures are put in place to protect critical systems.
__________
1. In 2021, the NCSC issued a notification which sets out the criteria for determining CIIOs and the list of critical services. The NCSC grants discretion to Thai sector regulators to determine which companies are CIIOs in their respective sectors.