Financial Crime World

Enhancing Cybersecurity Guidelines for Financial Institutions in Trinidad and Tobago

The Central Bank of Trinidad and Tobago (CBTT) is taking a proactive approach to strengthen cybersecurity guidelines for financial institutions in the country. In a recent meeting with international experts, the CBTT discussed the need for a comprehensive guideline to address the increasing threats posed by ICT/cyber risks.

Current Regulatory Framework

The CBTT currently supervises various entities including banks, non-banks, insurance companies, pension firms, bureaux de change, and payment systems. The Trinidad and Tobago Securities and Exchange Commission (TTSEC) oversees the securities market and intermediaries, while the Cooperative Development Division within the Ministry of Youth and National Development is responsible for the supervision of credit unions.

Challenges in Current Regulatory Framework

A review of the current regulatory framework has revealed that banks appear to be better informed about ICT/cyber risks than other entities such as insurance and pension firms. The CBTT’s Risk-Based Supervision (RBS) Manual, although outdated, provides some guidance on assessing IT risks as part of operational risk.

Proposed Guideline

The proposed guideline is intended to address both banks and insurance firms, with a focus on developing technology-neutral guidelines that are outcome-focused. The draft guideline will cover areas such as:

  • Scope and applicability
  • Proportionality issues
  • Need for elaborating instructions based on local needs

Feedback from Financial Institutions

In a meeting with two major banks, one locally owned and the other foreign-owned, discussions revealed that banks are taking various steps to mitigate ICT/cyber risks, including outsourcing IT services to parent companies. The banks were willing to report cyber incidents to the CBTT but had reservations about sharing information among peers.

Collaboration and Expertise

The working group provided key inputs in the preparation of the draft guideline, and the CBTT team is responsible for developing the guideline, with expertise available from other financial regulators.

Leveraging Available Resources

Despite the challenges, the CBTT has recognized the need to leverage the capacity available at the ‘Risk Management’ and ‘Audit’ functions of the bank for supervisory purposes. The current practice of drawing on the ICT/cyber expertise of staff attached to the risk management and audit functions is useful, given the acute shortage of resources within supervision.

IMF Recommendations

The International Monetary Fund (IMF) has recommended that the CBTT augment its resources in ICT/cyber risk supervision to keep pace with the rapidly evolving digital landscape of financial services. With consumer demand for digital services increasing, it is essential that financial institutions have robust cybersecurity measures in place to protect customers’ data and prevent potential losses.

Conclusion

The proposed guideline is expected to play a critical role in enhancing the overall cybersecurity posture of financial institutions in Trinidad and Tobago. The CBTT’s efforts to strengthen cybersecurity guidelines will help ensure the stability and integrity of the country’s financial system, protecting consumers and promoting confidence in the banking sector.