
OIC Cybersecurity Requirements for Insurance Companies

Insurance companies and insurtech firms operating in Thailand must meet OIC IT security governance requirements to protect policyholder data and maintain operational resilience.


What is OIC Cybersecurity Regulation?

The Office of Insurance Commission (OIC / คปภ.) is the regulatory body overseeing the insurance industry in Thailand. The core of the OIC's cybersecurity mandate is the Notification of the Insurance Commission Re: Criteria for Life and Non-life Insurance Companies' Governance and Management of Information Technology Risk B.E. 2563 (2020).

This framework mirrors the Bank of Thailand's (BOT) IT risk guidelines but is specifically tailored to protect the sensitive personal and health data held by the insurance sector. It covers IT governance, information security policies, data protection, operational resilience, and secure system development life cycle (SDLC) controls.

Under the OIC's "Three Lines of Defense" principle, insurance companies must establish operational management controls, risk management and compliance functions, and independent assurance. The approach is entirely risk-based — the Board of Directors must actively review major risks found during security assessments and ensure the IT department has the budget and mandate to fix them.

Who Must Comply?

OIC cybersecurity requirements apply to all entities regulated by the Office of Insurance Commission.

  • Life insurance companies
  • Non-life (general) insurance companies
  • Health insurance providers
  • Insurance brokers and agents (with significant IT operations)
  • Insurtech companies under OIC oversight
  • Reinsurance companies operating in Thailand

Key OIC Cybersecurity Requirements

Core areas mandated under OIC IT security management guidelines for insurance companies.

IT Governance & Three Lines of Defense

Board-level oversight under the Three Lines of Defense principle. Directors must actively review IT security risks identified during assessments, approve remediation budgets, and ensure accountability across the organization.

Information Security Policy

Documented security policies, standards, and procedures covering all IT operations including the System Development Life Cycle (SDLC). Must integrate secure coding practices and be regularly reviewed.

Security Risk Assessment

Mandatory vulnerability assessments and penetration testing, especially for E-Insurance platforms. Requires systematic CVE identification, risk-based prioritization, and documented remediation with re-testing evidence.

Policyholder Data Protection

Safeguarding sensitive customer data including personal information, health records, and financial details through appropriate technical controls.

Incident Response & Business Continuity

Documented plans for detecting, responding to, and recovering from security incidents, with tested business continuity procedures. Cyber threats must be integrated into Enterprise Risk Management (ERM).

Third-Party Risk Management

Security assessment and ongoing monitoring of vendors and outsourced service providers. Insurers remain fully responsible for ensuring third-party developers conduct secure code reviews, even when development is outsourced.

Policyholder Data Protection

Insurance companies handle highly sensitive data that requires robust security controls.

Sensitive Data Types Handled by Insurers

  • Personal identification information
  • Health records and medical history
  • Financial information and payment data
  • Claims history and settlement details
  • Beneficiary details and family information

Cross-Compliance with PDPA Section 37

Insurance companies must also comply with PDPA Section 37, which mandates appropriate technical safeguards for all personal data processing. The combination of OIC and PDPA requirements means insurers face dual regulatory obligations for data protection.

Consequences of Non-Compliance

  • Regulatory sanctions from the Office of Insurance Commission
  • Increased supervisory oversight and more frequent examinations
  • Potential restrictions on business operations or new product approvals
  • Reputational damage from security incidents affecting policyholders
  • PDPA penalties also apply: administrative fines up to ฿5,000,000 per violation for data protection failures

How Security Testing Addresses OIC Requirements

Each assessment type maps to specific OIC compliance mandates under the B.E. 2563 (2020) notification.

Vulnerability Assessment (Mandatory)

Systematic vulnerability management across all IT infrastructure — identifying CVEs, ranking by risk severity, and patching within documented timeframes.

Penetration Testing (Mandatory)

Required annually and before launching major customer-facing applications. Especially stringent for E-Insurance platforms. Critical findings must be remediated and re-tested.

Secure Code Review (Required under SDLC)

Static analysis (SAST) and manual code inspection to address OWASP Top 10 vulnerabilities. Insurers remain responsible even when application development is outsourced to third parties.

Red Teaming (Expected for Large Operators)

Simulates advanced attacks targeting people, processes, and technology. Strongly encouraged by OIC and NCSA for top-tier insurers handling critical data, to prove operational resilience.

Smart Contract Audit (Required for DeFi/Blockchain)

Practically mandatory under "Adoption of Information Technology" risk clauses for insurers using blockchain or parametric insurance. Requires both automated verification and manual code review.

OIC Compliance Checklist

Key items to validate for OIC cybersecurity alignment under B.E. 2563 (2020).

  • IT governance framework with Three Lines of Defense and board-level oversight of IT risks
  • Security policies documented, approved, and reviewed — including SDLC security practices
  • Mandatory vulnerability assessments conducted with systematic CVE tracking and documented remediation
  • Annual penetration testing completed, with pre-launch testing for E-Insurance platforms
  • Secure code review integrated into development processes (including outsourced development)
  • Incident response plan documented, tested, and integrated with Enterprise Risk Management
  • Third-party vendors assessed for security compliance with ongoing monitoring
  • Policyholder data protection controls validated across all systems
