Digital technologies and innovation play an ever greater role in daily life. Consumer expectations and behaviors have changed accordingly: customers increasingly rely on technology to access products and services with greater efficiency and speed. A number of leading corporations across industries, including financial service providers, are making an effort to adopt innovations and technologies such as artificial intelligence (AI), machine learning (ML), distributed ledger technology (DLT) or blockchain, and Robotic Process Automation (RPA) to enhance operational efficiency and create good customer experiences. At the same time, innovation and technology are also being developed to cope with advanced cyberthreats, which cause substantial damage at national and international levels.
As a responsible financial service provider, the Bank places importance on preventing theft of financial data and on managing the risks arising from cyberattacks, so that threats related to data leakage, misuse and unauthorized use of personal data, and other cyber risks can be mitigated. Krungsri takes a serious approach to cybersecurity to protect the data of employees, customers, and relevant parties, and to ensure business continuity, including the continued provision of services.
Management Approaches
- Established the ‘Enterprise Information Security Policy’ as a guideline for managing and protecting the Bank’s IT data, and communicated it to the Bank’s employees and other stakeholders such as counterparties, temporary employees, suppliers and vendors, and other external parties who need to use the Bank’s data, to ensure that they acknowledge the policy and abide by the legal requirements and regulations related to it. Relevant actions were taken under three key principles, namely maintaining data confidentiality, integrity, and availability, for which the IT contingency plan was formulated. The policy is stipulated to apply to the Bank and to companies in the Financial Business Group (‘subsidiaries’) in which at least 50 percent of shares are held by the Bank; the subsidiaries are required to adopt this policy as a common guideline when formulating their own IT security policies. Moreover, the content is revised and updated at least once a year in line with the risk landscape and future trends that could impact the Bank’s IT security.
- Applied efficient security control measures covering employment, transfer of position, and resignation procedures, and informed the IT security system administrator whenever employees or computers were transferred
- Prepared a complete IT asset register and maintained IT assets on a regular basis to ensure availability in support of the Bank’s business
- Performed information classification, maintained and destroyed data according to its class, and managed cryptography and key management throughout the key usage period using methods that are reliable and meet international standards
- Stipulated access management and verified user identity according to access rights, level of necessity, and risk level, to prevent access and system modification by unauthorized persons
- Provided the cybersecurity center and allocated office space for key IT operations to prevent damage caused by cyberattacks and natural disasters
- Managed irregular events and issues arising from the use of technology in an appropriate and timely manner, with irregularities, problems, and rectification results recorded, analyzed, and reported to the Board of Directors for acknowledgement
- Formulated the IT contingency plan to enable the Bank to handle irregular incidents that cause system interruption and damage, ensuring business continuity and timely system recovery
- Established ‘Information Technology Security Measures’ to be adopted as measures for handling various situations in line with the Bank’s ‘Enterprise Information Security Policy’. The measures cover 14 sub-topics as follows:
  - IT security management measures
  - Communication network security measures
  - Organization-wide IT security structure measures
  - IT operation security measures
  - Personnel security measures
  - System procurement and development measures
  - IT asset management measures
  - IT issue and irregularity management measures
  - Data security measures
  - IT contingency plan management measures
  - Access control measures
  - Third-party management measures
  - Environmental and physical security measures
  - Regulatory compliance security measures
- Established ‘Guidelines for Cybersecurity Incident Response’ to increase the Bank’s capability to comprehensively maintain cybersecurity, prevent cyberthreats, and support IT advancement, including the phishing simulation exercise and the cyber tabletop exercise. A scenario in which the Bank was under cyberattack was simulated, and officers from relevant functions were required to participate so that they know and understand the threat response process, are familiar with it, and can handle cyberthreats efficiently.
- Adopted domestic and international industry standards and applied best practices for the management of cyber and IT security in the organization. These include: the advanced persistent threat tool and the cyberthreat intelligence tool from reliable sources, which enhance the capability to detect irregular events as part of the cyberthreat monitoring process performed by the Security Operations Center (SOC); the Society for Worldwide Interbank Financial Telecommunication (SWIFT); ISO 27001 certification of the Information Security Management System (ISMS) for two systems, namely the Bank of Thailand Automated High-value Transfer Network (BAHTNET) for major funds transfer transactions and the Imaged Cheque Clearing and Archive System (ICAS), in accordance with the BOT’s requirements; and other relevant actions to strengthen cybersecurity standards.
- Provided a channel for reporting the receipt of phishing mail, malware, computer viruses, and other irregularities caused by cyberattacks to the Cyber Security Department