Thailand’s SEC Sets Security Measure Requirements for Digital Asset Custody
14/02/2023
On January 16, 2023, Thailand’s Securities and Exchange Commission (SEC) prescribed a set of security measures that digital asset business operators must implement if they provide custody of digital assets for their customers. The new security measures are prescribed in two notifications from the SEC and its office on digital asset wallet management systems and cryptographic key management systems, with the aim of safeguarding digital assets in custody against loss, fraud, and cybertheft. The notifications took immediate effect.
The new security measures and the management systems are summarized below.
Policy and guidelines for managing systems related to digital asset custody
Digital asset business operators must have a written risk management policy for all systems relating to digital asset custody, approved by their board of directors and made accessible to all employees. The policy must be reviewed or revised at least once annually, or promptly if any potential risks are identified. Specific procedures must be implemented, such as establishment of a compliance team and internal controls.
Management of systems for digital asset wallets and cryptographic keys
Digital asset business operators must have policies and procedures for managing all systems relating to digital asset custody. This includes properly designing, developing, and managing digital asset wallets in a safe and secure manner. The same requirement on policies and procedures applies to cryptographic key management as well.
Management of incidents that may affect systems related to digital asset custody
Digital asset business operators must have measures in place to manage incidents that may impact systems related to digital asset custody. The measures include designating a person responsible for incident management, testing and reviewing the incident management policy annually, reporting any incidents affecting digital asset custody to the designated responsible person and the SEC immediately, and conducting a digital forensic investigation with an independent specialist, if necessary.
If an incident affects the security of systems related to digital asset custody and has a significant impact on customers’ assets, the digital asset business operator must conduct a digital forensic investigation and report the investigation results to the SEC. The operator must also develop a plan to resolve the issues, along with measures to prevent reoccurrence. Documentary evidence of the incident management must be maintained for at least two years.
Implementation
Digital asset business operators that provided digital asset custody services to customers prior to January 16, 2023, are required to implement the new security measures specified in the notifications at the earliest opportunity, and no later than July 16, 2023 (i.e., six months from the effective date of the notification).
By Tilleke & Gibbins, Thailand, a Transatlantic Law International affiliated firm.
For further information or for any assistance please contact thailand@transatlanticlaw.com
Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.