Cybersecurity and AI Governance
Digital technologies and innovation play an ever greater role in daily life. Consumer expectations and behaviors have changed accordingly: customers increasingly rely on technology to access products and services quickly and efficiently. Leading corporations across industries, financial service providers among them, are adopting innovations such as artificial intelligence (AI), machine learning (ML), distributed ledger technology (DLT) or blockchain, and robotic process automation (RPA) to improve operational efficiency and customer experience. At the same time, innovation and technology are also being developed to cope with advanced cyberthreats, which cause substantial damage at national and international levels.
As a responsible financial service provider, the Bank places importance on preventing theft of financial data, on managing the risks arising from cyberattacks, and on AI governance, so that threats related to data leakage and to the misuse or unauthorized use of personal data can be mitigated. If AI systems lack measures to prevent unauthorized access, they may be vulnerable to attacks, data manipulation, and other cyber risks. Krungsri takes a serious approach to cybersecurity and AI governance in order to protect the data of employees, customers, and relevant parties and to ensure business continuity, including the continuity of service provision. The inclusion of AI governance demonstrates the Bank’s accountability and commitment to the comprehensive management and governance of AI technology.
Management Approaches
- Establish the “Policy for Enterprise Information Security” as the guideline for managing and protecting the Bank’s IT data, and communicate it to the Bank’s employees and to other stakeholders who need to use the Bank’s data, such as counterparties, temporary employees, vendors, and other third parties, so that they acknowledge the policy and abide by the legal and regulatory requirements related to it. Actions regarding systems and data are taken under three key principles:
- Confidentiality
- Integrity
- Availability
This includes the stipulation of the IT Disaster Recovery Plan. The Policy for Enterprise Information Security applies to the Bank and its subsidiaries; subsidiaries are required to use it as the common baseline for their own equivalent policies. The policy is reviewed and updated at least once a year in line with the risk landscape and with future trends that could affect the Bank’s IT security.
- Control enterprise-wide IT security starting from the employment, transfer, and resignation procedures, and inform the IT security system administrator whenever employees or computer resources are transferred
- Classify information, and retain and erase data according to its classification; manage cryptography and keys throughout the key lifecycle using reliable methods that meet international standards
- Manage access rights and user authentication according to each user’s access rights, level of necessity, and risk level, to prevent unauthorized persons from accessing or altering systems or data
- Maintain the physical security of the data center and of the areas used for key IT operations, to prevent damage caused by intruders or natural disasters
- Establish “Information Technology Security Measures” to cope with various situations, in line with ISO/IEC 27001 Information Security Management and the Bank’s Policy for Enterprise Information Security. These cover 14 areas:
- Information Security Policy Management
- Organization of Information Security
- Human Resources Security
- IT Asset Management
- Information Security
- Access Control
- Physical and Environmental Security
- Communications Security
- IT Operations Security
- System Acquisition and Development
- IT Incident and Problem Management
- IT Disaster Recovery Plan
- Third Party Management
- Compliance
- Establish “Guidelines for Cybersecurity Incident Response” to strengthen the Bank’s capability to respond to cybersecurity incidents, prevent cyberthreats, and keep pace with IT advancements.
- Adopt domestic and international industry standards and apply best practices for cyber and IT security management in the organization’s processes, e.g.:
- Use of an advanced persistent threat (APT) detection tool and cyberthreat intelligence from reliable sources to improve incident detection, as part of the cyberthreat monitoring performed by the Security Operations Center (SOC)
- Compliance with the Customer Security Controls Framework of the Society for Worldwide Interbank Financial Telecommunication (SWIFT)
- Strengthened compliance with international standards through ISO/IEC 27001 certification of the Information Security Management System (ISMS), scoped to the management and provision of services in the Bank’s primary data center and to two critical applications: the Bank of Thailand Automated High-value Transfer Network (BAHTNET), used for large-value funds transfers, and the Imaged Cheque Clearing System (ICS)
- Other relevant actions to strengthen cybersecurity
- Provide a channel for employees to report problems such as phishing emails, emails carrying malware or viruses, and other irregularities caused by cyberattacks to the Cyber Security Department at the email address CSIRT@krungsri.com
- Develop an Artificial Intelligence (AI) Strategy Framework to manage AI demand in alignment with organizational strategy, while supporting workforce development, defining process and technology platform standards, managing risks, promoting responsible AI usage, and building strategic partnerships to develop AI-related skills within the organization.
- Develop AI governance policies and procedures as the framework for the appropriate development, procurement, and use of AI. This framework fosters innovation and sustainable growth while upholding good governance, transparency, accountability, and security, in compliance with ethical standards, laws, and regulations, in order to build trust among customers, partners, and all stakeholders.