Financial Crime World

Financial Institutions Urged to Establish Cyber and Technology Risk Appetite and Tolerance Statements

In an effort to enhance cybersecurity and technology resilience, financial institutions have been advised to establish a clear Cyber and Technology Risk Appetite and Tolerance Statement. This statement outlines the nature and level of cyber and technology risks that an institution is willing to assume in order to achieve its business goals and technological strategy.

Regular Reporting on Cyber Incidents and Threat Landscape
Financial institutions are required to receive regular and timely reports on Material Cyber Incidents, as well as updates on the evolution of the threat landscape, including current and emerging risks. These reports should be provided by:

  • Internal auditors
  • External auditors
  • Testing exercises
  • Other relevant sources

Strong Culture of Cyber Resilience
The report emphasizes the importance of promoting a Strong Culture of Cyber Resilience within financial institutions. This can be achieved through:

  • Regular training and awareness programs for staff and board members
  • Ensuring all employees have an adequate level of skills, experience, and expertise in cybersecurity and technology risk management

Appointment of Chief Information Security Officer (CISO)
Financial institutions are advised to appoint a senior officer as the CISO, who will be responsible for developing and implementing the cyber and technology risk management framework. The CISO should have:

  • Direct access to the board and designated sub-committees
  • Regular reporting on the institution’s cyber and technology risk position

Cyber and Technology Risk Management Framework
The report highlights the importance of having a Robust Cyber and Technology Risk Management Framework in place, which includes:

  • Policies
  • Procedures
  • Processes for managing cyber and technology risks

This framework should be regularly reviewed and updated to ensure it remains effective and relevant to the institution’s changing needs.

Implementation and Oversight
Financial institutions are responsible for implementing the cyber and technology risk management framework and strategy, as well as ensuring that the level of cyber and technology risk assumed by the institution is within its defined risk appetite and tolerance. Senior management should:

  • Monitor the threat landscape
  • Make timely changes to the strategy and risk management framework as needed

Conclusion
The establishment of a clear cyber and technology risk appetite and tolerance statement, regular reporting on cyber incidents and the threat landscape, and a strong culture of cyber resilience are essential for financial institutions seeking to mitigate cyber and technology risks. The appointment of a CISO and implementation of a robust cyber and technology risk management framework are also crucial for ensuring the ongoing effectiveness of these measures.