
The Office of the National Cyber Security Agency (NCSA) is developing a framework for cyber fraud insurance to help organisations mitigate the risk of cyber-attacks and data breaches.
The service could strengthen the cybersecurity landscape and increase risk awareness related to the Cybersecurity Act and Personal Data Protection Act (PDPA), according to NCSA secretary-general AVM Amorn Chomchoey.
He said cyber fraud insurance is uncommon in Thailand and the nation does not have a framework, rules or guidelines for this form of insurance, even though personal data protection is an important issue in the digital economy.
Customer data leakage from business services happens from time to time and scammers use such data to contact customers, causing damage.
Cyber fraud insurance, also known as cyber-risk insurance, protects against losses caused by cybercrime. It helps businesses and individuals mitigate the risk of cyberthreats, such as phishing, social engineering fraud and data breaches.
The service is available in many markets, helping organisations cover the cost of theft of money, data or digital assets, as well as damage to IT systems and networks, said AVM Amorn.
The insurance also includes third-party coverage, meaning it covers losses suffered by other enterprises that have a business relationship with the organisation affected by the cybercrime.
For personal risk, the insurance covers losses due to identity theft, online shopping fraud, or if personal data is published online without the data owner's permission.
The service may cover incident management by providing assistance for the management of cyber-incidents before and after they occur, as well as covering the cost of notifying relevant parties about a security breach or data loss.
AVM Amorn said the NCSA is in discussions with the Office of the Insurance Commission (OIC) and related parties on developing a cyber fraud insurance scheme.
The OIC needs to establish various criteria to support the service, including guidelines promoting the system to force enterprises to use the insurance, he said.
A major mobile operator previously bought an insurance policy covering possible damage to their customers whose personal data was leaked, offering compensation of 10,000 baht per person.
However, the company determined the compensation amount independently, without a central framework.
According to a 2024 Thailand Computer Emergency Response Team report, there were 1,827 cyber-attack cases last year, of which 124 were in the private sector.
Among the top five forms of cyber-attack were fake websites or URLs, data theft, and disruption of services using a distributed denial-of-service attack.
The five most attacked sectors were commerce, finance and banks, foreign commerce, retail, and IT and telecom.
AVM Amorn said an IT distributor was recently ordered to pay a total administrative fine of 7 million baht by a Personal Data Protection Committee expert panel.
Of the total, 1 million baht was for the company's failure to appoint a personal data protection officer, even though it is a large business with personal data processing as its main activity.
Another 3 million baht was for its failure to have appropriate security measures, both in terms of access control and authorisation.
The final amount of 3 million baht was for its unwillingness to report a personal data breach as required, or for not reporting the incident within 72 hours as the PDPA requires.