On Mar. 27, Thai CB issued a circular regarding new cybersecurity guidelines.
Thai CB issued a cybersecurity guide for client computers connected to its financial systems.
Guidelines apply to users of critical level 1 (CL1) electronic financial services, including payment systems, debt instrument systems (e-bidding, bond switching), and financial market systems; supersedes previous guidelines on BAHTNET client computer security.
Follows Thai CB's Aug. 2019 rules for money transfer services, see #64526.
Document dated Mar. 27, 2025, was added on Apr. 10, 2025 due to editorial backfill.
Outline of Security Guidelines
Control access to computer centers and network equipment connecting to CL1 systems; roll out network security measures, including firewalls, for client computers.
Segregate client computer networks from unnecessary networks, limit connections to essential internal and external services only, install endpoint protection with regular signature updates and scheduled scans, and manage Windows security patches.
Establish change management procedures for network settings and computer systems, and secure physical placement of client computers to prevent unauthorized access.
Define access rights with appropriate segregation of duties so that no single employee has complete control, maintain access logs to monitor abnormal activity on client computers, and power off client computers when not in use or outside business hours.
Control peripheral device connections to client computers; secure USB tokens, passwords, certificates, and user accounts; change USB token PIN codes at least every 90 days; and change Windows passwords at least every 90 days under strong password rules.
Assign security responsibilities at both operational and management levels, and develop contingency plans for client computer security incidents, including malware attacks.
Establish procedures for monitoring, recording, and reporting security breaches; provide continuous security awareness training for executives and staff; and share information about new technology developments and emerging threats.
Additionally covers SWIFT-specific requirements; users are required to comply with relevant electronic transaction laws and regulatory requirements, and institutions must report suspicious transactions to Thai CB according to specified risk incident criteria.
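As an added illustration (not part of the circular, and not a tool published by Thai CB), the following PowerShell script performs a read-only audit of a Windows client computer against several of the technical controls in the outline above: host firewall on every profile, endpoint protection active with current signatures, recent Windows security updates, a maximum password age of 90 days or less, and removable storage blocked. The 90-day threshold mirrors the guideline; the 7-day signature-age and 45-day patch-age limits are assumptions chosen for the example, as is the use of Microsoft Defender cmdlets for the endpoint-protection check.

```powershell
# Added example for this page: audit a Windows client computer against a subset
# of the CL1 client-computer controls. Illustrative code, not Thai CB's.
# Run in an elevated PowerShell session on the client computer.

$MaxPasswordAgeDays  = 90   # guideline: change Windows passwords at least every 90 days
$MaxSignatureAgeDays = 7    # assumption: AV signatures older than a week count as stale
$MaxPatchAgeDays     = 45   # assumption: no installed update in 45 days counts as a gap

$findings = @()
function Add-Finding([string]$Control, [bool]$Pass, [string]$Detail) {
    $script:findings += [pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail }
}

# 1. Host firewall must be enabled on every profile (Domain, Private, Public).
$disabled = @(Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | Select-Object -ExpandProperty Name)
Add-Finding 'Firewall enabled on all profiles' ($disabled.Count -eq 0) ("Disabled profiles: " + ($disabled -join ', '))

# 2. Endpoint protection: real-time protection on and signatures recent.
#    Get-MpComputerStatus is the Microsoft Defender cmdlet (assumed product);
#    a third-party agent would need its own query.
$mp = Get-MpComputerStatus
Add-Finding 'Real-time protection enabled' $mp.RealTimeProtectionEnabled "RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)"
Add-Finding 'AV signatures current' ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays) "Signature age: $($mp.AntivirusSignatureAge) days (last updated $($mp.AntivirusSignatureLastUpdated))"

# 3. Patch management: age of the most recently installed update.
$lastFix  = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
$patchAge = if ($lastFix) { (New-TimeSpan -Start $lastFix.InstalledOn -End (Get-Date)).Days } else { [int]::MaxValue }
Add-Finding 'Security updates recent' ($patchAge -le $MaxPatchAgeDays) "Last hotfix $($lastFix.HotFixID) installed $($lastFix.InstalledOn)"

# 4. Password policy: maximum password age from the local account policy.
#    On a domain-joined host the effective value is set by Group Policy, but
#    'net accounts' still reports what applies to this machine.
$line   = (net accounts) | Where-Object { $_ -match 'Maximum password age' }
$maxAge = if ($line -match '(\d+)') { [int]$Matches[1] } elseif ($line -match 'Unlimited') { [int]::MaxValue } else { -1 }
Add-Finding "Max password age <= $MaxPasswordAgeDays days" ($maxAge -ge 1 -and $maxAge -le $MaxPasswordAgeDays) "Reported: $line"

# 5. Peripheral control: removable disks denied through the Removable Storage
#    Access policy. The GUID is the removable-disk device class used by that
#    policy; Deny_All=1 blocks read, write and execute.
$rsKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$denyAll = (Get-ItemProperty -Path $rsKey -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
Add-Finding 'Removable storage blocked' ($denyAll -eq 1) "Deny_All=$denyAll (absent means not configured)"

# Report one row per control and exit non-zero if any control failed, so the
# script can run from a scheduled task and feed the monitoring the guideline
# asks for.
$findings | Format-Table -AutoSize
$failed = @($findings | Where-Object { -not $_.Pass }).Count
exit $failed
```

The script only reads state; it does not remediate. Controls such as USB token PIN rotation, segregation of duties, and powering off machines outside business hours are procedural and are not something a host-local check can verify, so they are deliberately outside its scope.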
Effectiveness
The guideline shall be effective on/from Oct. 14, 2025.