Financial Crime World

Central Bank of Trinidad and Tobago Unveils Cybersecurity Incident Reporting Guidelines

Introduction

The Central Bank of Trinidad and Tobago has introduced new guidelines for reporting cybersecurity incidents to ensure the financial sector’s resilience against cyber threats.

Requirements for Reporting Significant Cybersecurity Incidents

The guidelines outline the requirements for reporting significant cybersecurity incidents that may disrupt business operations, impact customers, or have a negative reputational effect. These incidents include:

  • Disrupting business systems and/or operations
  • Causing disaster recovery teams to be activated, or a disaster declaration to be made by a third-party vendor
  • Impacting a large number of external customers or resulting in a negative reputational impact
  • Being assessed as high or critical severity, or ranked Priority/Severity/Tier 1 or 2 based on the company’s internal assessment
  • Breaching internal risk appetite or thresholds as per the cybersecurity strategy or policy

Cyber Incident Reporting Template

The guidelines also provide a Cyber Incident Reporting Template that financial institutions must complete and submit to the Central Bank within 72 hours of an incident. The template requires detailed information about the incident, including:

  • Impact
  • Root cause analysis
  • Corrective actions taken

Consequences of Non-Compliance

Failure to report incidents as outlined in the guidelines may result in increased supervisory oversight, including enhanced reporting by the company, and/or compliance directions being issued.

Purpose and Benefits of the Guidelines

The Central Bank’s Director of Financial Stability said, “The new guidelines are designed to ensure that financial institutions prioritize cybersecurity incident reporting and response. This will help to protect customers’ information, maintain public trust, and safeguard the stability of the financial system.”

International Standards and Best Practices

The guidelines also reference various international standards and best practices, including those from:

  • Bank for International Settlements
  • Federal Financial Institutions Examination Council
  • Financial Stability Board
  • G-7
  • NIST
  • Others

Next Steps

Financial institutions are encouraged to review the guidelines and ensure that they have adequate incident reporting procedures in place.