2019-12-31

Circular CN-BSD/2019/18: Cyber Security Framework in Banks

The Maldives Monetary Authority mandates all commercial banks to implement a Board-approved cyber security policy addressing risk mitigation, access control, and crisis management. Licensed banks must report specific cyber security events within one working day of detection and submit quarterly summaries within ten days of each quarter's end. Additionally, banks are required to discontinue processing payments via email instructions by the end of January 2020 to mitigate business email compromise risks.

MALDIVES MONETARY AUTHORITY MALDIVES

Circular no: CN-BSD/2019/18

31st December 2019

To: All Commercial banks

Dear Sirs,

Cyber Security Framework in Banks

With the growing threat of cyber risk, banks are required to take measures to enhance the security of their IT infrastructure and to reduce the probability of exposure and loss from cyber-attacks or data breaches. In view of strengthening the cyber security of banks, banks are required to implement a robust cyber-security policy approved by the Board. In addition to the above, banks are required to report cyber security events to MMA as set out under point 2 of this letter.

  1. The policy at a minimum should address the following:

    • Identify risks from cyber security threats facing the bank and measures to mitigate such risks.
    • Access right management and secure system configuration.
    • Cyber security awareness program for staff and customers.
    • Measures to prevent data loss.
    • System life cycle management.
    • Continuous security monitoring and mechanisms for continuous vulnerability assessment and penetration testing.
    • Maintain an up-to-date inventory of authorized software, hardware (workstations, servers, network devices etc.), other network devices, and internal and external network connections, and ensure all system components and software are kept updated.
    • Robust cyber crisis management plan.
  2. All licensed banks are required to submit reports on Cyber Security Events (CSE) as follows:

    a. CSE-I (refer annexure) within one working day from the detection of any CSE.
    b. CSE-II (refer annexure) within 10 calendar days from the end of each quarter.
    c. Assign a focal point who can be contacted to report potential threats identified by the MMA. The idea behind this is to create a cyber-incident response community within the banking industry who can share experiences and preventive measures.
    d. The above details should be e-mailed to bsd@mma.gov.mv or delivered in confidential cover to the Assistant Governor of Area 2 - Financial Stability.

In addition, with the increase in incidents of business email compromise, banks should take immediate measures to address the issue, and discontinue processing of payments through email instructions no later than end of January 2020.

Yours sincerely,

(Signature)

Mariyam Shifa
Assistant Governor, Financial Stability


CSE-I-Annexure

To: Assistant Governor - Financial Stability

Report on Cyber Security Events

Name of Bank:
Reporting time period:

Type of Incident (a) | Summary of Incident | Date of detection | Physical location/branch (if applicable) | Estimated/actual impact of the incident (Financial and Operational) (b) | Internal reporting authority (c) | Law enforcement authorities involved (if applicable)

..................................................................
Name and designation of authorized officer

(a) Type of incident: Intrusion/hacking, Malware/Malicious code, Virus, Phishing, Denial of service, Social engineering, Unauthorized system usage, Other (specify).
(b) Please provide the amount in case of financial impact and a description in case of operational impact.
(c) To whom the event has been internally escalated.

[Email to bsd@mma.gov.mv or delivered in confidential cover to the Assistant Governor of Area 2 - Financial Stability.]


CSE-II-Annexure

To: Assistant Governor of Area 2 - Financial Stability

Quarterly Report on Cyber Security Events

Name of Bank:
Reporting time period:

Type of Incident (a) | Summary of Incident | Time period of incident | Date of detection | Physical location/branch (if applicable) | Impact of the incident (Financial and Operational) (b) | Internal reporting and authority (c) | Law enforcement authorities involved (if applicable)

..................................................................
Name and designation of authorized officer

(a) Type of incident: Intrusion/hacking, Malware/Malicious code, Virus, Phishing, Denial of service, Social engineering, Unauthorized system usage, Other (specify).
(b) Please provide the amount in case of financial impact and a description in case of operational impact.
(c) To whom the event has been internally escalated.

[Uploaded to Extranet Portal.]