Financial Crime World

CBB to Give Financial Institutions More Flexibility in Cybersecurity Classification

The Central Bank of Bahrain (CBB) is introducing new guidelines that will allow financial institutions to choose their own classification scheme for critical assets, a change aimed at bolstering the cybersecurity posture of these institutions.

Simplifying Cybersecurity Classification

The CBB’s decision is a move to address an increasingly complex cyber threat landscape, as attacks become more sophisticated and frequent. The new guidelines are expected to generate incentives for institutions to significantly improve their cybersecurity posture by clarifying the responsibilities of the board and senior management in managing cyber risks.

“Specific cybersecurity guidelines create visibility for cyber risk to the members of the board and senior management,” said a CBB spokesperson. “This will help them better appreciate the business implications of cyber risks and make informed decisions.”

Enhanced Guidelines for Outsourcing Arrangements

The new guidelines require financial institutions to maintain a comprehensive register of their outsourcing arrangements, including:

  • Notifications
  • Formal rights to audit
  • Incident reporting requirements

Outsourcing agreements will need to explicitly accommodate audits from institutions and the CBB, as well as reporting requirements for relevant cyber incidents.

Regular Assessments and Exercises

The guidelines also stress the importance of regularly assessing how effectively controls are implemented, for example through penetration testing, to identify weaknesses in financial institutions’ information systems and networks. Additionally, scenario-based cyber resilience planning and exercising are crucial for proactively developing incident management plans and conducting regular tests of these plans.

Enhanced Supervisory Practices

Under the new guidelines, the CBB’s supervisory practices will be enhanced, including:

  • Onsite examinations that identify the IT expertise needed and preliminary information-gathering activities
  • Conducting interviews and walkthroughs to identify issues
  • Follow-up reports detailing open findings, recommendations, and deadlines

Industry experts welcome the move, saying it is a step in the right direction towards improving cybersecurity in Bahrain’s financial sector.

“The CBB’s guidelines are an important step forward in enhancing the cybersecurity posture of financial institutions,” said a senior industry executive. “We expect these guidelines to provide greater clarity and consistency in cybersecurity practices across the sector.”

Effective Date

The new guidelines are expected to come into effect later this year, following a public consultation period.