Thailand Insurance Cybersecurity Rules: What the 2026 OIC Reforms Mean

Thailand insurance cybersecurity standards are about to become significantly stricter. In May 2026, the Office of Insurance Commission (OIC) opened a public consultation on sweeping amendments to its IT risk governance rules for life and non-life insurers, with the comment period closing on 9 June 2026. For foreign insurers, reinsurers, brokers, and InsurTech firms operating in Thailand, the proposed framework raises the compliance bar on board accountability, cyber resilience, and data governance. This guide breaks down what is changing and how to prepare.

Why Thailand Insurance Cybersecurity Rules Are Tightening in 2026

Thailand’s insurance sector has digitised quickly. Policies are sold through apps, claims are processed in the cloud, and customer data flows across multiple vendors. As a result, regulators now treat cyber risk as a core prudential concern rather than a back-office IT matter.

The current standard, the OIC Notification on Criteria for Information Technology Risk Governance and Management B.E. 2563 (2020), has governed insurers since 2021. However, the threat landscape has shifted dramatically since then. Ransomware, supply-chain attacks, and AI-driven fraud have all matured, and the OIC’s proposed amendments aim to align Thailand insurance cybersecurity expectations with current international standards.

Key Takeaway: The OIC’s draft amendments are not a minor update. They reframe cybersecurity and data governance as board-level responsibilities and introduce concrete technical controls that insurers must implement, document, and test on an ongoing basis.

What the OIC’s Proposed Amendments Cover

The consultation targets the existing IT risk governance notification for both life and non-life insurers. Importantly, the changes affect not only insurance companies themselves but also the external IT auditors who review them. Three themes stand out.

1. Board-Level Accountability for IT and Cyber Risk

Under the proposal, the board of directors must directly oversee data governance, cybersecurity, and the responsible use of artificial intelligence. Moreover, each board should include at least one director with genuine IT knowledge or experience. Companies must also appoint a designated head of security who is accountable for information security across the organisation.

This shift matters because it removes any ambiguity about who owns cyber risk. Therefore, directors can no longer delegate the issue entirely to a vendor or an internal IT team and assume the obligation is met.

2. Stronger Cybersecurity and Data Security Controls

The draft consolidates the previous chapters on IT project management, IT security, and cybersecurity to reduce duplication. In their place, it introduces a tighter set of mandatory controls, including:

  • Multi-factor authentication for all material systems
  • Data masking and data leakage prevention measures
  • Security hardening and web filtering requirements
  • Vulnerability assessment and penetration testing at least once a year
  • Dedicated controls for mobile application security and API security
  • Safeguards for emerging technologies such as cloud computing and post-quantum cryptography
  • Source code review for in-house and outsourced development

In addition, the revised cybersecurity framework follows a familiar lifecycle of identify, protect, detect, respond, and recover. This structure mirrors the internationally recognised NIST Cybersecurity Framework, which gives multinational insurers a useful reference point for aligning their global and Thai compliance programmes.

Key Takeaway: Annual penetration testing, mandatory multi-factor authentication, and data leakage prevention move from “good practice” to baseline requirements. Insurers that already follow group-level standards will adapt faster than those relying on minimal local controls.

3. AI Governance and Data Quality

Notably, the OIC extends board oversight to the responsible use of AI. Insurers increasingly use machine learning for underwriting, pricing, and fraud detection, and the regulator wants clear accountability for how these systems handle customer data. Consequently, companies will need documented policies, defined committees, and data quality controls that support both governance and explainability.

Thailand’s regulators are taking a consistent line on emerging technology across sectors. For broader context on how Thai institutions are approaching automated systems, see our analysis of artificial intelligence in Thai courts.

Who Is Affected by the New Thailand Insurance Cybersecurity Framework

The amendments apply broadly across the insurance value chain. Specifically, the directly affected parties include:

  • Life insurance companies licensed and operating in Thailand
  • Non-life insurance companies, including foreign-owned and branch operations
  • External IT auditors engaged to assess insurer compliance
  • InsurTech and technology vendors whose platforms support regulated insurers

For foreign investors, the practical message is clear. Cyber and data compliance is now a condition of doing insurance business in Thailand, and weak controls can translate into regulatory exposure, reputational damage, and disrupted operations.

Practical Steps to Prepare for the 2026 Rules

Although the framework is still in consultation, insurers should not wait for final publication in the Royal Gazette to begin. Instead, forward-looking firms can take concrete steps now:

  • Review board composition. Confirm that at least one director holds credible IT or cybersecurity experience, and document how the board supervises cyber risk.
  • Appoint or confirm a head of security. Define the role, reporting line, and authority clearly.
  • Run a controls gap analysis. Benchmark current practice against the draft requirements, especially multi-factor authentication, penetration testing, and data leakage prevention.
  • Map your data and AI use. Identify where customer data sits, who can access it, and which automated systems rely on it.
  • Tighten vendor contracts. Ensure cloud providers and InsurTech partners can meet the same standards your firm is now expected to uphold.

Key Takeaway: Early preparation is a commercial advantage, not just a compliance task. A documented governance trail, a tested incident response plan, and clean vendor contracts position an insurer to absorb the new rules with minimal disruption.

How These Rules Fit Thailand’s Wider Compliance Landscape

The OIC initiative does not stand alone. Rather, it reflects a broader regulatory push across Thailand to strengthen digital governance, data protection, and platform accountability. Sector regulators are increasingly coordinating on cyber and data standards, which raises the baseline for every regulated business.

Insurers should therefore read these amendments alongside parallel developments, such as Thailand’s tightening rules for digital operators discussed in our guide to the Thailand digital platform competition law. Viewed together, these reforms signal a clear direction of travel toward stricter accountability for any firm that holds significant volumes of customer data.

Official guidance and consultation materials are published by the Office of Insurance Commission, which remains the primary regulator for the sector.

Frequently Asked Questions

When do the new Thailand insurance cybersecurity rules take effect?

The amendments are currently in public consultation, which closes on 9 June 2026. They are not yet final. Once the OIC reviews feedback and publishes the notification in the Royal Gazette, an effective date and any transition period will be confirmed. Insurers should monitor the OIC’s announcements closely and begin gap assessments in advance.

Do these insurance cybersecurity rules apply to foreign-owned insurers?

Yes. The framework applies to life and non-life insurance companies licensed in Thailand, regardless of ownership. Foreign-owned subsidiaries and branch operations are covered in the same way as domestic insurers. Multinational groups can often leverage existing global controls, but they must still demonstrate compliance at the Thai entity level.

What new technical controls does the OIC require?

Key measures include multi-factor authentication for material systems, data masking, data leakage prevention, security hardening, web filtering, and mandatory vulnerability assessment and penetration testing at least annually. The draft also introduces requirements for mobile application security, API security, and safeguards for cloud computing and post-quantum cryptography.

How does AI governance fit into the insurance cybersecurity reforms?

The proposal places responsible AI use under direct board oversight. Because insurers use AI for underwriting, pricing, and fraud detection, the OIC wants documented policies, accountable committees, and data quality controls. In practice, firms should be able to explain how their AI systems use customer data and how they manage the associated risks.

What happens if an insurer fails to comply?

Non-compliance with OIC notifications can expose insurers to regulatory scrutiny, remediation orders, and reputational harm, in addition to the operational impact of a cyber incident itself. Because external IT auditors are also covered, weaknesses are more likely to surface during review. Professional legal and compliance support helps insurers close gaps before they become enforcement issues.

Need Help With Thailand Insurance Cybersecurity Compliance?

Lex Bangkok advises insurers, InsurTech firms, and foreign investors on regulatory compliance, data governance, and cyber-risk frameworks in Thailand. Our team translates evolving OIC requirements into clear, board-ready action plans.