Good Corporate Governance

​​

Third-Party Management Policy

1. Purpose

     In implementing strategies to achieve business goals in a competitive environment with rapidly changing technology, the Company may engage third-party service providers with proven capabilities and expertise or establish business partnerships to enhance operational efficiency in delivering services and meeting the needs of customers and prospects. Therefore, the Company has established this policy to provide a framework for managing associated risks, including information technology security risks, to ensure they remain within an acceptable level and are aligned with the announcements and guidelines issued by relevant regulatory agencies.

2. Scope

     This policy applies to the engagement of third-party service providers across the Company and its subsidiary. Personnel of the Company and its subsidiary must study, understand, and strictly adhere to this policy.

3. Effective Date

     This policy shall be effective from the date of approval by the Board of Directors.

4. Review Frequency and Revision

     This policy must be reviewed annually, or when a significant change arises.

5. Responsible Function

     The Administration Department and the IT Security and Risk Department are the responsible functions of this policy.

6. Definition

            “The Company” means Bangkok Life Assurance Public Company Limited.

            “Subsidiary” means companies in which the Company holds shares directly or indirectly over 50%.

            “Engagement of Third-Party Service Provider” ” means the use of a third-party service provider to perform, in whole or in part, functions typically performed in-house by the Company.

            “Third-Party Service Provider” means any natural or legal entity that enters into a contract to manage work for the Company as agreed upon, including vendors who supply goods or services, business partners who contribute to the Company's services, business partners who are distribution channels for the Company's products, insurance brokers, and other service providers.

            “Third-Party Risk Management (TPRM)” means the process of identifying, assessing, and managing potential risks arising from the use of services, such as disruption of third-party services and its impact on the Company's customers, the use of system connectivity services, or third-party service providers’ access to critical data of the organization, in order to ensure operational continuity and security.

            “Third Party-Management Life Cycle” means the process of managing third-party service providers, encompassing risk assessment, selection, contract or agreement drafting, ongoing performance monitoring, contract or agreement termination, and information technology security.

            “Service Level Agreement (SLA)” means a contract or agreement between a service provider and a service recipient, which is a document that specifies the details of the service provided and clearly defines the roles and responsibilities of both the service provider and the service recipient.

            “Business Continuity Management (BCM)” means an approach for establishing the Company's policies, standards, and operational procedures to ensure that in the event of a disruption to normal operations, critical systems can continue to operate or be resumed within an appropriate timeframe.

            “Disaster Recovery Plan (DRP)” means a documented plan established for system recovery in the event of a failure, facilitating the recovery of systems and their corresponding functions to a normal operational state.

            “Cyber Incident Response Plan (CIRP)” means a documented plan that specifies the operational procedures for responding to a cyber threat incident.

7. General Principle

     This policy is established to ensure that the Company's operations involving the engagement of third-party service providers maintain a consistent standard for governing and managing associated risks, taking into account business continuity management, customer protection, and the security of the Company's systems and data, in order to effectively achieve the Company's business objectives.

8. Policy

8.1 To establish a transparent and auditable process and criteria for the selection and approval of third-party service providers. This process must assess their readiness, suitability, operational resilience for continuous service delivery, and their compliance with applicable laws.
8.2 To establish a risk management structure with clearly defined roles and responsibilities for all parties involved in the oversight and management of risks arising from the engagement of third-party service providers, including guidelines and designated personnel for risk management.
8.3 To establish criteria for classifying the risk level and materiality of third-party engagements, such as risks associated with connectivity to the Company's information systems or the level of access to corporate data of third-party service providers.
8.4 To ensure a comprehensive risk assessment and management covering the entire third-party management life cycle, including prior to engagement, during the service period, and upon termination of engagement or service, whereby risks must be controlled to an acceptable level.
8.5 To ensure a written third-party service contract or service level agreement (SLA) that addresses material risks and the proper governance and management of personal data and customer complaints.
8.6 To require that third-party service providers whose services involve information technology systems maintain information technology security and personal data protection standards that are at least equivalent to those established by the Company, taking into account the three core principles of information security: confidentiality, integrity, and availability. This also applies to cloud computing service providers.
8.7 To establish a register of third-party service providers to control the completeness of the engagement of third-party service providers, covering the risk level of third-party service providers, information assets and/or data connected to third-party service providers. This will enable the Company to understand the overall picture of engagement of third-party service providers, which will help reduce risk and increase security of critical data management.
8.8 8.8 To ensure periodic reviews of risks arising from engagement of third-party service providers, covering all risk dimensions, including strategic risk, reputational risk, information technology and cybersecurity risk, operational risk, access risk, concentration risk, and compliance risk, etc.
8.9 To ensure business continuity management (BCM) plans to support operations in the event of irregular incidents, including a business continuity plan (BCP), a disaster recovery plan (DRP), and a cyber incident response plan (CIRP), all of which must be tested regularly.
8.10 To ensure that results of risk management and performance of third-party service providers are reported to designated management for consideration at least quarterly, or in the event of an incident with a significant impact on the Company, and to the Risk Management Committee at least annually.

9. Penalty

     Violation of this policy is considered violation of the Company’s Code of Conduct for All Personnel and may constitute an offense against applicable laws, regulations, rules, or requirements.