The National Cyber Security Agency (NCSA) is exploring the development of a cyber fraud insurance framework to help organizations manage the risks posed by cyber-attacks and data breaches. The initiative aims to strengthen the country’s cybersecurity infrastructure and raise awareness about the implications of the Cybersecurity Act and the Personal Data Protection Act (PDPA), according to NCSA Secretary-General AVM Amorn Chomchoey.
Cyber fraud insurance, a relatively novel concept in Thailand, is currently not backed by a formal regulatory framework. Despite the increasing importance of personal data protection in the digital economy, there are no established guidelines or rules for this type of insurance in the country. This is particularly concerning given the frequent leakage of customer data by businesses, which can be exploited by scammers to cause financial harm.
Cyber fraud insurance, also known as cyber-risk insurance, is designed to protect against losses stemming from cybercrime. It covers a wide range of cyber threats, including phishing attacks, social engineering fraud, and data breaches. The service is already available in several international markets, where it helps organizations manage the financial consequences of cybercrime, such as the theft of money, data, or digital assets, as well as damage to IT systems and networks.
Additionally, the insurance offers third-party coverage, which protects businesses that suffer losses due to a cyber attack on an enterprise with which they have a business relationship. For individuals, the insurance can cover losses resulting from identity theft, online shopping fraud, or the unauthorized publication of personal data.
In cases of a cyber incident, the service may also assist with incident management, helping organizations address security breaches or data loss before and after the event. This includes covering the costs of notifying affected parties in the event of a breach.
AVM Amorn explained that the NCSA is in talks with the Office of the Insurance Commission (OIC) and other stakeholders to develop a cyber fraud insurance scheme. The OIC will be responsible for establishing criteria and promoting the system, potentially mandating enterprises to adopt the insurance.
In a previous instance, a major Thai mobile operator purchased an insurance policy to cover the potential damages suffered by customers whose personal data was leaked. The policy offered compensation of up to 10,000 baht per affected individual, although the company determined the compensation amount independently, without a unified framework.
A report from the Thailand Computer Emergency Response Team (CERT) revealed that there were 1,827 cyber-attack cases in 2024, of which 124 occurred in the private sector. The most common types of attacks included fraudulent websites, data theft, and distributed denial-of-service (DDoS) attacks. The sectors most affected were commerce, finance, retail, foreign trade, and IT and telecommunications.
In one notable case, AVM Amorn mentioned that an IT distributor was fined 7 million baht by a Personal Data Protection Committee panel for failing to comply with the PDPA. The penalties included 1 million baht for not appointing a personal data protection officer, 3 million baht for inadequate security measures, and another 3 million baht for not reporting a data breach within the required 72-hour window.
As the threat of cybercrime continues to rise, the push for cyber fraud insurance in Thailand reflects growing recognition of the need for stronger safeguards in the digital economy.
Related topics
