Bank of Thailand cyber-risk supervision
The Bank of Thailand's cyber-risk supervision covers expectations for banks and other regulated financial institutions on technology risk, operational resilience, outsourcing, incident reporting and governance. It is a key driver of MSSP demand because financial institutions must maintain strong monitoring, controls and response capability. The slug points to a regulatory framework inside the Bank of Thailand rather than a separate company, but the relevant profile entity is the central bank as financial-sector supervisor.
Supervisory programs
Technology Risk
IT risk and outsourcing circular
The BoT Circular on Technology Risk Management requires banks and non-bank financial institutions to maintain documented technology-risk frameworks, cloud outsourcing registers, and annual independent assessments.
Incident reporting
Mandatory breach notification
Supervised entities must report significant cyber incidents to BoT within specified timelines. Severity thresholds and escalation paths are defined in the Cybersecurity framework, driving MSSP SOC service demand.
PDPA alignment
Personal data protection compliance
BoT guidance aligns with the PDPA (Personal Data Protection Act B.E. 2562) for customer data held by banks. MSSP providers must demonstrate PDPA-compliant data-handling in managed-security contracts.
CII oversight
Critical information infrastructure
Banks and payment networks are designated CII under the Cybersecurity Act 2019. BoT coordinates with NCSA on sector drills, threat intelligence sharing, and minimum-control standards.
Key BoT cyber-risk framework instruments
Regulations and circulars relevant to financial-sector MSSP procurement, 2019–2025
| Instrument | Year | Scope | MSSP demand driver |
|---|---|---|---|
| Technology Risk Management Circular | 2020 | All BoT-supervised FIs | SOC, vulnerability management mandates |
| Cloud Service Outsourcing Guideline | 2021 | Banks, NBFIs | Cloud security review, MSSP oversight requirements |
| Cybersecurity Act CII designation | 2019 | Banks, payment networks | Mandatory drills, NCSA coordination |
| PDPA financial-sector guidance | 2022 | All customer-data handlers | DLP, data-access monitoring services |
| Operational Resilience Framework | 2024 | Systemically important banks | Third-party risk management, resilience testing |
Watchpoints 2025–2026
Framework updates
Operational resilience evolution
BoT is aligning with Basel Committee operational-resilience principles. Tighter requirements on recovery time objectives and third-party risk will expand MSSP contract scope at major banks.
AI risk
Generative AI and model risk
BoT is developing guidance on AI model risk in financial services. MSSP providers with AI-assisted threat detection must demonstrate explainability and auditability to retain compliance status.
NCSA coordination
Cross-sector threat intelligence
Joint BoT-NCSA threat-intelligence sharing exercises are expanding. MSSPs embedded in financial institutions gain early access to threat feeds not available to non-designated sectors.
Source-pack context
Bank of Thailand cyber-risk supervision is linked to existing Insight report coverage through tracked source packs. The cited sources provide the current evidence trail for market context, regulatory exposure, operator positioning, or sector structure; exact numeric claims should still be checked against raw snapshots before being surfaced as headline metrics.
Deep operating read
Bank of Thailand cyber-risk supervision sits inside the report evidence trail for thailand-cybersecurity-mssp-managed-security-and-cii-act. The strongest available tracked source-pack references are Critical Information Infrastructure Act 2019, G-Able cybersecurity MSSP services, and AIS Cyber Hawk MSSP overview, so the profile can now explain its role through market structure and source context rather than remaining a stub. This remains source-pack grounded rather than fresh-web grounded; any exact metric should wait for raw snapshot confirmation.
Execution watchpoints
The useful buyer angle is not just who Bank of Thailand cyber-risk supervision is, but where the existing report pack places it in the chain: operator, regulator, platform, buyer, or demand proxy. Watch for source freshness, regulatory changes, market-share claims, and ownership/brand ambiguity before promoting this profile to Gold or adding headline metrics. Until those checks are done, the cited pack supports directional context but not new exact claims.
Related Market profiles
Peers, parents, partners, agencies, and other Thailand Cybersecurity MSSP, Managed Security and CII Act actors.
Competitor
Binance TH by Gulf Binance
Licensed Thai digital-asset exchange backed by Binance and Gulf
Competitor
Sea Value Group
Thai seafood processor focused on canned tuna and private-label exports
Competitor
Vejthani Hospital
Bangkok private hospital known for international patient services
Sector peer
Anti-Money Laundering Office (AMLO)
Thai AML authority shaping financial-account compliance standards
Reports featuring this profile
Thai Crypto: Bitkub, Binance Thailand, and the SEC Digital Asset Licensing Framework
BoT 2022 directive crypto-payment restriction.
Sits alongside 4 other Atlas profiles
Thai Cybersecurity MSSP and Critical Information Infrastructure Act
Bank of Thailand sector cyber-risk supervisory framework for banks.
Sits alongside 4 other Atlas profiles
Thai Stablecoin: Payment Corridor Use and THB-Pegged On-Chain
BoT cyber risk overlay for crypto rails
Sits alongside 4 other Atlas profiles