Defining 'cyber crisis': The new Thai guidelines on cyberthreat levels
Synopsis
Following our last article on the rights and obligations of Organizations of Critical Information Infrastructure (OCII), we turn to the guidelines that the Thai government issued at the end of 2021 to assist these organizations in classifying the cyber threats they face. In this piece, we examine what these guidelines mean for OCIIs, and how OCIIs may appropriately take them into account when conducting cybersecurity reviews or when responding to regulators.
Article
In our previous issue of SEAChange, we discussed the application of Thailand’s Cyber Security Act B.E. 2562 (2019) (CSA) to public and private organizations that may be considered “Organizations of Critical Information Infrastructure” (OCII). One of the key obligations of an OCII is to notify the CSA regulators when faced with a cyberthreat. Additionally, OCIIs are expected to comply with the regulators’ orders; the scope of those orders depends on the regulators’ powers, which expand as the threat level in question escalates.
Depending on the threat level, CSA regulators have the following powers:
- Non-critical level – requesting OCIIs to gather information, analyze the situation, and evaluate the effects of the threat.
- Critical level – all powers prescribed under the “non-critical level,” plus the power to subpoena documents, summon persons for inquiry with permission of a competent court, conduct dawn raids, seize property, and access computer data or computer systems.
- Crisis level – all powers prescribed under the “critical level,” exercisable to the extent necessary to prevent and remedy the damage without prior permission of a competent court; once the operation is completed, the competent court must be notified without delay. During a crisis, the National Security Council may also exercise its authority to cope with the threat under the laws governing the National Security Council.
Classifying cyberthreats into specific levels had long been difficult due to the absence of regulatory guidance. It was not until December 11, 2021, that the CSA regulator issued classification guidelines to assist in characterizing cyberthreats at the different levels (the Guidelines).
The Guidelines mainly consider four factors associated with a cyber incident, and prescribe corresponding characteristics for each level, as follows:
While the CSA regulators ultimately determine the threat level, the Guidelines give private organizations that are OCIIs additional clarity, enabling them to conduct a self-assessment of the threat level they face before the regulators make their determination.
We anticipate that an understanding of these threat levels will greatly assist private organizations in preparing for, and where necessary reacting to, orders from CSA regulators. Our team has experience in assisting clients with cybersecurity reviews, and can advise on how best to take these Guidelines into account when conducting a review.