Thailand has rapidly grown its digital economy and has made a concerted push towards technological innovation. As technology has evolved within the country, however, so has the threat of cybersecurity issues.
To tackle this looming threat, the government of Thailand released the Cybersecurity Act B.E. 2562 (2019) (“Cybersecurity Act”), which was published in the Government Gazette on 27 May 2019 and is now in effect. The Cybersecurity Act is intended to ensure the security of cyberspace. It sets out cybersecurity risk assessment plans to prevent and mitigate cybersecurity threats that may affect national security stability, interests related to the economy, healthcare, public interests, international relations, and other governmental functions.
The Cybersecurity Act applies to both public and private sector entities that: i) own information and communication infrastructure which is integral to the maintenance of vital societal functions, otherwise known as Critical Information Infrastructure (“CII”); and ii) are engaged in the following services:
- National security;
- Material public service;
- Banking and finance;
- Information technology and telecommunications;
- Transportation and logistics;
- Energy and public utilities;
- Public health; and
- Other areas that the relevant cybersecurity authority may further prescribe.
Under the Cybersecurity Act, these companies must put in place internal guidelines for managing cybersecurity issues, and these guidelines must be consistent with the national cybersecurity master plan.
There are two central cybersecurity regulatory authorities, as follows:
a) National Cyber Security Committee
The National Cyber Security Committee (“NCSC”) comprises the Prime Minister of Thailand as the chairman and directors drawn from the government and the private sector with expertise in fields relevant to cybersecurity, such as engineering, law, and information technology. The NCSC sets out general cybersecurity policies and action plans, and minimum standards for computer systems used in both government agencies and CII entities, in accordance with the national cybersecurity master plan.
The NCSC also has the authority to determine the levels of cybersecurity threats under the Cybersecurity Act (i.e., non-critical, critical and crisis) and the preventive and mitigative measures that should be in place for each of these levels. To enable this, the NCSC is empowered, subject to the owner’s consent, to request information and documents from private entities and to access their facilities in order to analyze and evaluate the impact of a critical cyber threat, determine the cybersecurity threat level, and identify appropriate preventive and mitigative measures.
b) Cyber Security Regulatory Committee
The Cyber Security Regulatory Committee (“CSRC”) consists of the Minister of the Ministry of Digital Economy and Society as the chairman. Like the NCSC, it has government and private-sector directors with expertise in fields relevant to cybersecurity. The role of the CSRC is to set out codes of practice and minimum standards for cybersecurity in the public and private sectors relating to CII, including risk assessment and mitigation plans against cyber threats. In addition, the CSRC may order public and private sector entities to prevent, mitigate or re-evaluate cyber threats in line with the prescribed cybersecurity minimum standards.
If a critical-level threat is discovered, the CSRC is empowered to perform any action necessary to prevent or mitigate such threat. For example, the CSRC may order an owner or user of a computer that is the subject of a cyber threat to fix defects or eliminate undesirable programs. Furthermore, if judicial permission is granted, the CSRC may access information or seize computer systems, data, and related equipment for a maximum of 30 days to prevent and mitigate cyber threats.
In the case of a crisis-level threat, the National Security Council takes charge and carries out its duties. However, for any crisis-level threat that requires an immediate response, the CSRC is authorized to perform any act deemed necessary without judicial permission.
In addition to the two central regulatory authorities above, there are two other relevant authorities, namely the Computer Security Coordination Center and the competent regulators responsible for monitoring and acting against cyber threats and for regulating minimum cybersecurity requirements for CII entities under their supervision.
Although the definition of CII is understandable, the process for designating specific infrastructure as CII is not defined. As a result, industry groups are lobbying the government to issue further clarity and definition.
Regulatory Authority Guidance
The guidance on cybersecurity under the Cybersecurity Act relates to developing security mechanisms to safeguard CII and enhance the prevention and mitigation of national cyber threats. The guidance also emphasizes the importance of cooperation between public and private sectors and international organizations to cope with cyber threats. Developing cybersecurity research and local expertise, including effective cybersecurity-related laws and regulations, is also considered a critical factor in enforcing cybersecurity. The NCSC’s policies and plans on cybersecurity measures must be formulated in line with this general guidance.
Scope of Application
There are several main concepts in cybersecurity that are addressed or have been adopted under the Cybersecurity Act, as follows:
a) Network and Information Systems
Network and information systems may be treated as CII under the Cybersecurity Act, which again refers to information and communication infrastructure, such as a computer system of either public or private entities, that is essential for maintaining core societal functions, including national security and public safety, or public utility infrastructure. A computer system in this context is considered to be a network holding information that is critical to national security and the public interest, and therefore must be protected from cyber threats by implementing the cybersecurity standards issued by the regulatory authorities.
b) CII Operators
Under Section 3 of the Cybersecurity Act, CII operators refer to any public or private entity responsible for information critical to national security and the public interest, in sectors such as banking, information technology, telecommunications, and transportation. CII Operators must have cybersecurity measures that comply with the standards specified by their local regulators, the applicable code of practice and other relevant authorities such as the NCSC and CSRC.
c) Operator of Essential Services
An operator of essential services is similar to a CII operator. Any public or private entity that provides a service essential for the maintenance of vital societal functions must have standard cybersecurity measures in place to cope with cybersecurity incidents.
d) Cloud Computing Services
Cloud computing services are not defined explicitly in the Cybersecurity Act. However, these services can be subject to the Cybersecurity Act: they can be categorized as information technology and telecommunications services, which are services relating to CII and, therefore, services subject to the Cybersecurity Act.
e) Digital service providers
A digital service provider is not defined explicitly in the Cybersecurity Act. However, like cloud computing services, these providers can be considered CII Operators, as digital services fall within the classification of CII; these providers would therefore be subject to the Cybersecurity Act.
The term “cyber threat” is a critical definition in implementing the Cybersecurity Act and refers to any illegal action that uses computers, network systems or offensive programs to cause, or that is likely to cause, harm to a computer, a computer network, or data.
The Cybersecurity Act further elaborates on “cyber threat” by categorizing it into three levels, as follows:
(i) Non-critical – any threat that may negatively impact the performance of a CII Operator’s computer system or services provided by government entities;
(ii) Critical – any threat to a computer system or computer data that has significantly escalated into an attack on CII relating to national infrastructure, national security, the economy, healthcare, international relations, governmental functions, etc., where such an attack would impair the provision of CII-related services; and
(iii) Crisis – any threat more significant than a critical-level event, which may have a widespread impact, causing the government to lose control of a computer system or any threat that may lead to mass destruction, terrorism, or an overthrow of the government.
Details of cyber threats and the preventive and mitigative measures employed for each level of cyber threat shall be further determined by the NCSC.
(a) Security Measures
Under Sections 44 and 56 of the Cybersecurity Act, each government entity, competent regulator, and CII entity must have a code of practice, organizational measures and a cybersecurity framework that complies with prescribed cybersecurity minimum standards. In addition, the code of practice must at least cover cybersecurity risk identification and assessment performed by either an internal or external independent auditor at least once a year (which must be reported to the NCSC office within 30 days) and a cyber threat response plan.
CII entities must further provide monitoring mechanisms for cyber threats and cybersecurity incidents that threaten their CII according to standards as prescribed by the NCSC or CSRC. CII entities must also participate in cybersecurity testing organized by the NCSC to assess and ensure their readiness to respond to cyber threats.
(b) Notification of Cybersecurity Incidents
There is an obligation to notify the competent regulatory authority in the event of a cybersecurity incident.
In the event of a cybersecurity incident involving the CII of either public or private entities, such entities must investigate all of their information, computer data and computer systems. The investigation must cover the circumstances needed to evaluate the cyber threat, and the entity must follow the measures under its code of practice and the applicable cybersecurity standards in responding to and mitigating the cyber threat, and must notify the NCSC office and the competent regulator of each entity involved in the cybersecurity incident.
A specific timeline for the notification is not addressed under the Cybersecurity Act. It does, however, include details on process and requirements, and the CSRC may prescribe a timeline for the notification in the future.
(c) Registration with Regulatory Authority
There is no requirement to register with a regulatory authority. However, under the Cybersecurity Act, the NCSC is responsible for designating entities that provide services relating to CII as CII Operators, which are then subject to the obligations under the Cybersecurity Act. The criteria for making such designations shall be published in the Royal Gazette and revised periodically as deemed necessary.
(d) Appointment of a Security Officer
There is an obligation to appoint a security officer as prescribed under Section 46 of the Cybersecurity Act. Each government entity, competent regulator and CII entity must notify the NCSC office of its responsible personnel at both management level and practitioner level, who will coordinate cybersecurity matters. If there is a change of responsible personnel, this change must also be notified to the NCSC office. However, no specific timeline for the notification is stipulated in the Cybersecurity Act.
(e) Other Requirements
Under Section 52 of the Cybersecurity Act, CII operators must provide details of administrators who have management-level control over computer systems. Accordingly, persons designated as CII operators must submit such details to the NCSC office, the competent regulator, and the Computer Security Coordination Center within 30 days from the NCSC publishing criteria relating to CII for coordination purposes. In addition, in the event of a change of owner, possessor or administrator, the notice must be sent to each responsible authority at least seven days before the change.
CII operators that fail to report cybersecurity incidents to the NCSC office and their competent regulator, without reasonable cause, shall be subject to a maximum fine of THB 200,000.
Any person who refuses to provide information and documents required to assess a cyber threat and its impacts without reasonable cause shall be subject to a maximum fine of THB 100,000.
During a critical-level threat, an operator must search for defects or assess the impacts of cyber threats as ordered by a competent officer. Failure to monitor or verify the computer or computer system shall be subject to a maximum fine of THB 300,000 and an additional daily fine of up to THB 10,000 until the order is complied with.
In addition, failure to comply with lawful orders may result in penalties of imprisonment of up to one year and/or a maximum fine of THB 20,000 being imposed on such operator.
During a critical-level threat, any person who, without reasonable cause, obstructs or refuses a competent official’s access to information or premises, or the seizure of computer systems, data, and related equipment, shall be subject to imprisonment of up to three years and/or a maximum fine of THB 60,000.
Where the offender is a juristic person, any authorized person of that juristic person who is involved in the offence, whether by performing unlawful actions or by failing to perform specific actions, thereby causing the juristic person to commit the offence, shall also be subject to the above penalties.
The contents herein are for informational purposes only and should not be relied upon as legal advice. For more information, please contact John P. Formichella, Partner at Formichella & Sritawat, at email@example.com
© John P. Formichella, 2021