Financial Crime World

Cybersecurity Threats Loom Large Over Malawi’s Finance Industry: Reserve Bank Implements New Guidelines

The Reserve Bank of Malawi (RBM) has recently introduced new guidelines aimed at helping banks effectively manage data amidst growing concerns over cybersecurity risks. The ‘Information and Cyber Security Risk Management Guidelines’ were finalized in October 2019, replacing the existing IT risk management policies that had been in place since 2016.

Cybersecurity Risks: A Growing Concern

According to RBM Governor Dalitso Kabambe, cyber security risk, if not properly managed, has the potential to cause disruption to the financial industry. He warned that any breaches could result in:

  • Denial of service to customers
  • Exposure of private information
  • Deletion or tampering with customers’ and banks’ records
  • Inability to manage both the bank’s own as well as customers’ assets

New Guidelines: Minimum Requirements for Managing Information and Cyber Security Risk

The guidelines, issued pursuant to Section 96 of the Financial Services Act, 2010, are expected to apply in addition to all other Risk Management Guidelines issued by the central bank. The document outlines minimum requirements for managing information and cyber security risk, with banks expected to put in place more robust measures to meet these standards.

Objectives of the Guidelines

The guidelines feature five objectives, including:

  • Provision of minimum requirements on management of information and cyber security risk
  • Strengthening banks’ information system security
  • Protection of critical information infrastructure
  • Establishing an effective Information and Cyber Security Risk Management Framework
  • Implementing regular vulnerability assessments (VAs) to detect security vulnerabilities in the IT environment

Key Recommendations

The guidelines recommend:

  • Adopting effective encryption algorithms that are in line with international standards and best practices
  • Conducting regular vulnerability assessments (VAs) to detect security vulnerabilities in the IT environment
  • Evaluating security requirements associated with e-banking services
  • Establishing a Chief Information Security Officer to oversee the implementation of the guidelines

Outsourcing: A Comprehensive Policy Required

Where banks intend to outsource or engage third-party service providers for some of their IT-related functions, the guidelines advocate that this should only be done when there is a comprehensive policy to guide the assessment of whether and how those activities can be appropriately outsourced.

Conclusion

The RBM’s new guidelines aim to ensure that Malawi’s finance industry remains secure and resilient in the face of growing cybersecurity threats. By implementing these guidelines, banks can protect their customers’ data and prevent potential disruptions to the financial system.