Third Parties Pose Greatest Risk to Institutions, Experts Warn
Institutions are facing significant risks from third-party providers, with nearly 60% of cyber breaches caused by vulnerabilities in contracted services. To mitigate these risks, experts urge organizations to closely monitor their partners and develop robust exit strategies.
Monitoring Third-Party Providers
- A recent study found that nearly 60% of cyber breaches are caused by third-party vulnerabilities.
- Institutions must regularly assess the business and cybersecurity posture of their partners.
- Service Level Agreements (SLAs) should include provisions for security, service availability, and performance metrics or penalties.
Implementing Exit Management Strategies
- Experts recommend implementing exit management strategies and contingency plans to address potential risks.
- Institutions must be prepared to quickly terminate contracts with third-party providers if necessary.
Institutional Cybersecurity Awareness Training
A separate report highlights the importance of institutional cybersecurity awareness training. The goal is to educate employees on good IT security practices, common threat types, and institutional policies and procedures.
Reporting Requirements
The Central Bank of Kenya has issued new reporting requirements for institutions regarding cybersecurity incidents. Institutions must:
- Notify the Central Bank within 24 hours of any significant and adverse cyber incident.
- Submit a quarterly report detailing the occurrence and handling of cybersecurity incidents.
Cybersecurity Policy Guidelines
The Central Bank has outlined high-level contents for a cybersecurity policy, covering governance, identification, protection, and incident management; these are reproduced in Annex I below.
Annexes
Annex I: High-Level Contents of a Cybersecurity Policy
- Governance: Mechanisms for establishing, implementing, and reviewing institutional approaches to managing cyber risks.
- Identification: Critical business functions and supporting information assets must be identified to safeguard them against compromise.
- Protection: Effective security controls must be implemented to prevent unauthorized access or disclosure of sensitive data.
- Incident Management: A cybersecurity incident response plan should provide a roadmap for actions during and after a security incident.
Annex II: Cybersecurity Incident Record (Immediate)
Institutions are required to submit a cybersecurity incident report within 24 hours of an incident occurring. The report must include:
- Date and time of reporting
- Nature of the incident
- Impact assessment
- Action taken to mitigate future incidents
Annex III: Cybersecurity Incident Record (Quarterly)
A quarterly report is also required, which should detail the occurrence and handling of cybersecurity incidents. The report must include:
- Date and time of incident
- Nature of incident
- Action taken
- Time of resolution
- Actions taken to mitigate future incidents
By implementing these guidelines, institutions can significantly reduce their risk exposure and better protect against cyber threats.