
OIC Cybersecurity Compliance for Thailand's Insurance Sector

Every insurer and insurtech firm in Thailand must meet OIC IT governance requirements. Protect policyholder data, pass regulatory reviews, and build operational resilience.


What Is the OIC Cybersecurity Regulation?

The Office of Insurance Commission (OIC / คปภ.) regulates Thailand's insurance industry. Its cybersecurity mandate centers on the Notification Re: Criteria for Life and Non-life Insurance Companies' Governance and Management of Information Technology Risk B.E. 2563 (2020).

Modeled after the Bank of Thailand's IT risk guidelines, this framework is tailored to the insurance sector's unique exposure: sensitive personal data, health records, and financial information. It covers IT governance, security policies, data protection, operational resilience, and secure SDLC controls.

The OIC enforces a "Three Lines of Defense" model: operational management that owns and runs the controls (first line), risk management and compliance functions that set standards and monitor them (second line), and independent assurance such as internal audit (third line). The approach is risk-based: controls are expected to be proportionate to the criticality of the systems and data involved, and the Board of Directors must review critical findings from security assessments and ensure the IT function has the budget and authority to remediate them.

Who Must Comply?

OIC cybersecurity requirements apply to all entities regulated by the Office of Insurance Commission.

Life insurance companies
Non-life (general) insurance companies
Health insurance providers
Insurance brokers and agents (with significant IT operations)
Insurtech companies under OIC oversight
Reinsurance companies operating in Thailand

Key OIC Cybersecurity Requirements

The six pillars every insurer must address under the OIC IT security management guidelines.

IT Governance & Three Lines of Defense

Board-level oversight under the Three Lines of Defense principle. Directors must actively review IT security risks identified during assessments, approve remediation budgets, and ensure accountability across the organization.

Information Security Policy

Documented security policies, standards, and procedures covering all IT operations including the System Development Life Cycle (SDLC). Must integrate secure coding practices and be regularly reviewed.

Security Risk Assessment

Mandatory vulnerability assessments and penetration testing, especially for E-Insurance platforms. Requires systematic identification of vulnerabilities (known CVEs in third-party components as well as findings in custom code, which carry no CVE), risk-based prioritization, and documented remediation with re-testing evidence.

Policyholder Data Protection

Safeguarding sensitive customer data including personal information, health records, and financial details through appropriate technical controls.

Incident Response & Business Continuity

Documented plans for detecting, responding to, and recovering from security incidents, with tested business continuity procedures. Cyber threats must be integrated into Enterprise Risk Management (ERM).

Third-Party Risk Management

Security assessment and ongoing monitoring of vendors and outsourced service providers. Insurers remain fully responsible for ensuring third-party developers conduct secure code reviews, even when development is outsourced.

Policyholder Data Protection

Insurers hold some of the most sensitive data of any industry — demanding robust technical controls.

Sensitive Data Types Handled by Insurers

  • Personal identification information
  • Health records and medical history
  • Financial information and payment data
  • Claims history and settlement details
  • Beneficiary details and family information

Cross-Compliance with PDPA Section 37

Insurance companies must also comply with PDPA Section 37, which mandates appropriate technical safeguards for all personal data processing. The combination of OIC and PDPA requirements means insurers face dual regulatory obligations for data protection.

Consequences of Non-Compliance

  • Regulatory sanctions from the Office of Insurance Commission
  • Increased supervisory oversight and more frequent examinations
  • Potential restrictions on business operations or new product approvals
  • Reputational damage from security incidents affecting policyholders
  • PDPA penalties also apply: administrative fines up to ฿5,000,000 per violation for sensitive data (฿3,000,000 for standard personal data) under Sections 83–84

How Security Testing Addresses OIC Requirements

Every assessment type below maps to a specific OIC mandate under the B.E. 2563 (2020) notification.

Vulnerability Assessment (Mandatory)

Systematic vulnerability management across all IT infrastructure: identifying known CVEs in operating systems, middleware and third-party components, ranking findings by risk severity and asset criticality, and patching within documented timeframes. Findings that are not patchable within the timeframe need a documented compensating control or risk acceptance.

Penetration Testing (Mandatory)

Required periodically or upon material system change (Clause 21), and before launching major customer-facing applications. Especially stringent for E-Insurance platforms. Annual testing is widely accepted as meeting the periodic requirement, provided material changes in between also trigger a test. Critical findings must be remediated and re-tested, and the re-test report retained as evidence.

Secure Code Review (Required under SDLC)

Static analysis (SAST) and manual code inspection to address OWASP Top 10 vulnerabilities. Insurers remain responsible even when application development is outsourced to third parties, so outsourcing contracts should require the review and give the insurer access to its results.

Red Teaming (Expected for Large Operators)

Simulates advanced attacks targeting people, processes, and technology. Strongly encouraged by OIC and NCSA for top-tier insurers handling critical data, to prove operational resilience rather than only the absence of individual vulnerabilities.

Smart Contract Audit (Where Blockchain Is Used)

The practical expectation under the "Adoption of Information Technology" risk clauses for insurers deploying blockchain-based products, such as parametric insurance that pays out on on-chain triggers. Requires both automated verification and manual code review, since the contract logic directly controls policyholder payouts.

OIC Compliance Checklist

Key items to validate for OIC cybersecurity alignment under B.E. 2563 (2020).

  • IT governance framework with Three Lines of Defense and board-level oversight of IT risks
  • Security policies documented, approved, and reviewed — including SDLC security practices
  • Mandatory vulnerability assessments conducted with systematic tracking of findings (CVEs and custom-code issues alike) and documented remediation
  • Periodic penetration testing completed (annually at minimum), with pre-launch testing for E-Insurance platforms
  • Secure code review integrated into development processes (including outsourced development)
  • Incident response plan documented, tested, and integrated with Enterprise Risk Management
  • Third-party vendors assessed for security compliance with ongoing monitoring
  • Policyholder data protection controls validated across all systems

Reconix is a leading cybersecurity company in Thailand, providing world-class services to businesses of all sizes.