Brunei Darussalam Central Bank Issues New Guidelines for Banks’ Critical Systems
Ensuring Continuous Operations and Security
The Brunei Darussalam Central Bank has issued new guidelines to ensure that banks’ critical systems remain operational for at least 240 minutes in a rolling 12-month period. This is aimed at preventing disruptions to financial services, protecting customer data, and maintaining public trust and confidence in the banking system.
Risk Assessments and Gap Analysis
To achieve this goal, banks must regularly perform risk assessments and gap analysis to identify vulnerabilities in their systems. They must also have effective measures in place to promptly address any gaps found. This includes having a plan for responding to IT incidents and ensuring that all critical systems are properly secured.
IT Incident Categorization
The guidelines define three categories of IT incidents: minor, moderate, and major. Minor incidents have minimal impact on daily operations, while moderate incidents cause partial disruption. Major incidents, however, result in complete system failure or significant financial loss.
Here is a breakdown of each category:
Schedule 1: IT Incident Categorisation
- Minor Incidents
  - Malware attacks on fewer than 5 users with no known data breach
  - Attempted spear-phishing attack directed at at least two employees where no successful fraud took place
- Moderate Incidents
  - Unplanned downtime in any critical system that causes partial disruption for more than 30 minutes
  - Malware outbreak that spreads through the bank’s network or directly on its critical systems
- Major Incidents
  - Unplanned downtime in any critical system that causes complete system failure for more than 30 minutes
  - Data breach, ransomware attack, or other cyber-attack that results in significant financial loss or reputational damage
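The following is an added illustration, not code from the Brunei Darussalam Central Bank or from the guidelines themselves: a small triage routine that applies the Schedule 1 examples above to structured incident records. The record layout (the `Incident` fields), the `categorise` and `needs_central_bank_report` names, and the choice to return "unclassified" for anything the schedule does not explicitly cover are all assumptions made here; the thresholds (fewer than 5 users, at least two employees, more than 30 minutes) are taken from the schedule.

```python
from dataclasses import dataclass

# Thresholds taken from Schedule 1 as reproduced on this page.
MALWARE_MINOR_MAX_USERS = 5       # "fewer than 5 users"
PHISHING_MINOR_MIN_TARGETS = 2    # "at least two employees"
DOWNTIME_THRESHOLD_MINUTES = 30   # "more than 30 minutes"

MINOR, MODERATE, MAJOR, UNCLASSIFIED = "minor", "moderate", "major", "unclassified"


@dataclass
class Incident:
    """One IT incident record. Field names are assumed for this example, not defined by the guidelines."""
    kind: str                        # "malware", "phishing", "downtime", "breach", "ransomware", "other_attack"
    affected_users: int = 0          # malware: number of users/endpoints affected
    data_breach: bool = False        # any known data breach
    spread_on_network: bool = False  # malware reached the bank network or a critical system
    targeted_employees: int = 0      # phishing: employees the attempt was directed at
    fraud_succeeded: bool = False    # phishing: fraud actually took place
    critical_system: bool = False    # downtime: a critical system was affected
    downtime_minutes: int = 0        # downtime: duration of the unplanned outage
    complete_failure: bool = False   # downtime: complete failure rather than partial disruption
    significant_loss: bool = False   # significant financial loss or reputational damage


def categorise(inc: Incident) -> str:
    """Map an incident to a Schedule 1 category; most severe matching rule wins."""
    # Major: any cyber-attack or outage with significant financial loss or reputational damage.
    if inc.significant_loss:
        return MAJOR
    # Downtime in a critical system beyond 30 minutes: major if complete failure, else moderate.
    if inc.kind == "downtime" and inc.critical_system and inc.downtime_minutes > DOWNTIME_THRESHOLD_MINUTES:
        return MAJOR if inc.complete_failure else MODERATE
    if inc.kind == "malware":
        # Outbreak across the network or on critical systems is moderate.
        if inc.spread_on_network:
            return MODERATE
        # Contained infection on fewer than 5 users with no known breach is minor.
        if inc.affected_users < MALWARE_MINOR_MAX_USERS and not inc.data_breach:
            return MINOR
    # Attempted spear phishing at two or more employees with no successful fraud is minor.
    if inc.kind == "phishing" and inc.targeted_employees >= PHISHING_MINOR_MIN_TARGETS and not inc.fraud_succeeded:
        return MINOR
    # Assumption: anything the schedule does not list is flagged for manual review, never silently downgraded.
    return UNCLASSIFIED


def needs_central_bank_report(inc: Incident) -> bool:
    """The page states that all major incidents must be reported to the central bank."""
    return categorise(inc) == MAJOR


if __name__ == "__main__":
    # Constructed sample incidents for demonstration only.
    samples = [
        Incident(kind="malware", affected_users=3),
        Incident(kind="malware", affected_users=3, spread_on_network=True),
        Incident(kind="downtime", critical_system=True, downtime_minutes=45),
        Incident(kind="downtime", critical_system=True, downtime_minutes=45, complete_failure=True),
        Incident(kind="downtime", critical_system=True, downtime_minutes=10),
        Incident(kind="ransomware", significant_loss=True),
        Incident(kind="phishing", targeted_employees=2),
    ]
    for inc in samples:
        print(f"{inc.kind:10s} -> {categorise(inc):12s} report={needs_central_bank_report(inc)}")
```

Because the schedule gives examples rather than an exhaustive taxonomy, the routine only assigns a category when an incident matches one of the listed patterns; a malware infection on seven users with no network spread, for instance, comes back as "unclassified" so that an analyst decides rather than the code guessing a lower tier.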
Reporting Requirements
Banks must report all major incidents to the Brunei Darussalam Central Bank within a specified timeframe. This is crucial in ensuring that any disruptions are addressed promptly and effectively.
By implementing these new guidelines, banks can ensure that their critical systems remain available and secure, allowing customers to access their accounts and conduct transactions without disruption.