The Notification of the Capital Market Supervisory Board No. TorThor. 60/2561 re: Rules, Conditions and Procedures for Outsourcing Functions related to Business Operations with Third Parties requires that at least the following issues be addressed in the written contract with the cloud service provider:
- The cloud service provider's duties and responsibilities, including details about liability, arrangements for business continuity, confidentiality and compliance with the relevant laws and regulations
- The cloud service provider's consent for the Office of Securities and Exchange Commission of Thailand ("SEC") to inspect its operations and retrieve documentation for viewing or examination
- Reasons, conditions and procedures for terminating the contract or suspending operation under the contract
- Remuneration and charged expenses
In addition, the Notification of the Office of the Securities and Exchange Commission No. Nor Por. 7/2565 re: Guidelines for Establishment of Information Technology Systems specifies that there must be a written contract on the use of services, connection or data access from a third party. This is to ensure that the third party is responsible for maintaining the appropriate security level for the IT system, with the details commensurate with the risk and importance of the third party, as follows:
- Scope of service, connection and access to data from the third party
- Roles, duties and responsibilities of the third party and the financial institution
- Minimum standards for the third party's operations, such as IT system security, confidentiality of data and use of data only for purposes specified in the service contract
- Service level agreement for the use of services provided by the third party
- Monitoring and reporting of the third party's performance, covering notification of any significant changes or problems and reporting of irregular events in a timely manner
- The list of contact persons and channels in the case of IT system security-related problems and incidents
- Disposal of data upon termination or cancellation of service, connection and access to data from the third party
- Conditions or rights of the financial institution to change, terminate or cancel a contract with the third party, such as in the case that the third party breaches the contract
- Provision of an IT contingency plan that conforms with the financial institution's IT contingency plan
- Responsibility for damage caused by the third party (e.g., the service provision is not as specified in the SLA)
The financial institution should assess the risk and consider adequate and appropriate measures for risk control.
The financial institution should specify the rights of the financial institution, the SEC and external auditors appointed by the financial institution or the SEC as part of the contract, to audit IT operation and internal control of the significant third party providing IT services. Otherwise, the financial institution should choose a third party whose IT operation has been audited by independent auditors that meet international standards.