Financial Crime World

FINANCIAL INSTITUTIONS URGED TO TAKE CONTROL OF CYBER RISK MANAGEMENT

Central Bank of Bahrain Issues Guidelines for Strengthening Cyber Risk Management Practices

The Central Bank of Bahrain (CBB) has issued guidelines to help financial institutions in the country strengthen their cyber risk management practices. The guidelines aim to ensure that institutions are better equipped to identify, assess, and mitigate the growing threats posed by cyber attacks.

Key Recommendations

  • Financial institutions should be free to choose their own classification scheme for cyber incidents, provided they clearly identify critical assets.
  • Clear responsibilities for board and senior management in managing cyber risks should be established. These individuals should approve and implement the institution’s cybersecurity strategy while recognizing the business implications of cyber risks.
  • Outsourcing agreements should require service providers to accommodate audits from financial institutions and the CBB, as well as reporting requirements for relevant cyber incidents.

Incident Reporting Requirements

  • The guidelines recommend that incident reporting requirements specify a comprehensive classification scheme for cyber incidents and materiality thresholds. This move aims to make incident reporting information more actionable.
  • Regular assessments of the effectiveness of implemented controls, such as penetration testing, should be conducted to identify vulnerabilities in financial institutions’ systems.

Scenario-Based Cyber Resilience Planning and Exercising

  • The CBB has emphasized the need for scenario-based cyber resilience planning and exercising to improve financial institutions’ ability to respond to cyber incidents.
  • This approach could help institutions develop effective detection, response, and recovery capabilities.

Other Key Areas Covered by the Guidelines

  • Governance: Establish clear roles and responsibilities for managing cyber risks.
  • Strategy: Develop a comprehensive cybersecurity strategy that is aligned with business objectives.
  • Monitoring and Detection: Implement robust monitoring and detection capabilities to identify potential security breaches.
  • Response: Develop an effective response plan to deal with cyber incidents, including incident reporting and communication protocols.
  • Recovery: Establish procedures for recovering from cyber incidents and minimizing downtime.
  • Information Sharing: Promote operational threat intelligence sharing between financial institutions, national computer emergency response teams, and other stakeholders.

IT Supervision Framework

The CBB has also adopted a general supervisory framework and methodology for IT supervision, grounded in international best practices. The framework includes:

  • Onsite examination planning
  • Preliminary information gathering activities
  • Follow-up reporting

Conclusion

The guidelines aim to enhance the resilience of Bahrain’s financial sector against cyber threats and promote a culture of cybersecurity awareness among financial institutions. By implementing these recommendations, financial institutions can better protect themselves against the growing threat of cyber attacks and ensure the integrity of their operations.