Financial Crime World

Cybersecurity Guidelines for Financial Institutions: A Call for Clarity and Consistency

In an effort to strengthen the cybersecurity posture of financial institutions in Bahrain, the Central Bank of Bahrain (CBB) has issued guidelines outlining the responsibilities of boards and senior management, as well as the requirements for outsourcing arrangements, incident reporting, and cyber resilience planning.

Clear Responsibilities for Boards and Senior Management


The CBB emphasizes that boards and senior management should have clear responsibilities when it comes to cybersecurity. This includes:

  • Specifying their roles in approving and implementing the institution’s cybersecurity strategy
  • Creating visibility for cyber risk among board members and senior management, ensuring they understand the business implications of cyber risks

Material Outsourcing Arrangements


The CBB has outlined specific provisions for material outsourcing arrangements, including:

  • Notification requirements
  • Formal rights to audit the service provider
  • Incident reporting by the service provider
  • Maintaining a comprehensive register of outsourcing arrangements using a predefined template

This will enable supervisors to conduct more effective assessments of cyber risk.

Comprehensive Incident Reporting Scheme


The guidelines specify a comprehensive classification scheme for cyber incidents based on criteria such as:

  • The criticality of affected systems, the value and number of transactions involved, downtime, economic and reputational impact, and the incident category

The CBB is also considering related materiality thresholds for these criteria, which would determine whether an incident is reportable and within what timeframe.
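To make the classification scheme concrete, here is an added example (not code from the CBB or from the article) of how such a scheme could be expressed as a decision procedure. The criteria follow the article, but every threshold, category name, severity tier and reporting deadline below is an assumed placeholder: the article says the actual thresholds are still under consideration, so none of these numbers should be read as CBB requirements.

```python
"""Illustrative cyber-incident materiality classifier.

Added example, not part of the CBB guidelines. The criteria names follow the
article (criticality of affected systems, value, number of transactions,
downtime, economic/reputational impact, incident category); all thresholds,
category names and deadlines are hypothetical placeholders.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Criticality(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Incident:
    criticality: Criticality
    value_affected: float       # monetary value at risk (currency unit assumed)
    transactions_affected: int
    downtime_minutes: int
    reputational_impact: bool   # e.g. customer-facing outage or public disclosure
    category: str               # e.g. "malware", "ddos", "data_breach", "fraud"


# Hypothetical materiality thresholds; a published scheme would define these.
THRESHOLDS = {
    "value_affected": 100_000.0,
    "transactions_affected": 1_000,
    "downtime_minutes": 240,
}
# Hypothetical: categories treated as reportable regardless of other criteria.
ALWAYS_REPORTABLE_CATEGORIES = {"data_breach", "ransomware"}


def materiality_reasons(inc: Incident) -> List[str]:
    """Return every criterion that individually trips its threshold.

    Keeping the reasons (rather than a bare yes/no) matters in practice: the
    report to the supervisor has to say *why* the incident is material.
    """
    reasons = []
    if inc.criticality is Criticality.HIGH:
        reasons.append("critical system affected")
    if inc.value_affected >= THRESHOLDS["value_affected"]:
        reasons.append("value threshold exceeded")
    if inc.transactions_affected >= THRESHOLDS["transactions_affected"]:
        reasons.append("transaction-count threshold exceeded")
    if inc.downtime_minutes >= THRESHOLDS["downtime_minutes"]:
        reasons.append("downtime threshold exceeded")
    if inc.reputational_impact:
        reasons.append("economic/reputational impact")
    if inc.category in ALWAYS_REPORTABLE_CATEGORIES:
        reasons.append(f"category '{inc.category}' is always reportable")
    return reasons


def classify(inc: Incident) -> Tuple[str, Optional[int]]:
    """Return (severity, reporting deadline in hours).

    severity is "not_reportable", "reportable" or "major"; the deadline is
    None when nothing needs to be reported. The 72h/24h figures and the
    escalation rule are hypothetical.
    """
    reasons = materiality_reasons(inc)
    if not reasons:
        return "not_reportable", None
    # Hypothetical escalation rule: two or more tripped criteria combined with
    # either a critical system or reputational impact escalates to "major".
    if len(reasons) >= 2 and (
        inc.criticality is Criticality.HIGH or inc.reputational_impact
    ):
        return "major", 24
    return "reportable", 72


if __name__ == "__main__":
    # Constructed sample incidents, not real data.
    samples = [
        Incident(Criticality.LOW, 500.0, 10, 5, False, "phishing"),
        Incident(Criticality.HIGH, 5_000.0, 10, 30, False, "malware"),
        Incident(Criticality.HIGH, 250_000.0, 5_000, 600, True, "ransomware"),
    ]
    for s in samples:
        severity, deadline = classify(s)
        print(severity, deadline, materiality_reasons(s))
```

The point of separating `materiality_reasons` from `classify` is that the first produces the evidence a supervisor would expect in the report, while the second applies whatever thresholds and deadlines the regulator eventually publishes; changing the thresholds should not require touching the reasoning that explains a decision.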

Regular Control Implementation Effectiveness Assessments


Financial institutions are required to conduct regular control implementation effectiveness assessments, including:

  • Penetration testing, treated as an important risk management activity
  • Simulation of complex attack vectors to identify the areas where the institution is most vulnerable

Scenario-Based Cyber Resilience Planning and Exercising


Financial institutions are encouraged to proactively develop cyber incident management plans, recognizing the multiple facets of dealing with cyber incidents. This includes:

  • Scenario-based testing of incident response plans using recently observed attack vectors as a basis for testing

Additional Key Areas


The guidelines cover additional key areas, including:

  • Governance: establishing, implementing, and reviewing cyber risk management processes
  • Strategy: outlining the institution’s cybersecurity strategy and approach
  • Monitoring and detection: identifying potential security threats and vulnerabilities
  • Response: developing incident response plans and procedures
  • Recovery: recovering from a cyber incident
  • Information sharing: sharing operational threat intelligence between financial institutions and national computer emergency response teams

Effective Information Sharing


Effective sharing of operational threat intelligence requires:

  • Trust relationships between technical experts at financial institutions
  • A rulebook governing what is shared, with whom, and under what conditions
  • Exchange of indicators of compromise between information assurance professionals at financial institutions and national computer emergency response teams

Supervisory Practices


The CBB has adopted a general supervisory framework and methodology grounded on international best practices for IT supervision. This includes:

  • Onsite examination planning, including identifying the IT expertise needed and preliminary information gathering activities
  • Exception-based supervisory reporting, with an opportunity for institutions to comment on factual correctness before the report is issued

Overall, these guidelines aim to provide a clear and consistent approach to cybersecurity risk management in Bahrain’s financial institutions, ensuring a safer and more resilient digital environment for consumers and businesses alike.