2015-06-15

Instruction No. 009-06-2015 of June 15, 2015 on the IT Security Devices of Credit Information Bureaus

The Governor of the Central Bank of West African States (BCEAO) issued Instruction No. 009-06-2015 to mandate Credit Information Bureaus, including their subsidiaries and branches, to establish comprehensive IT security frameworks. The directive requires these entities to develop, approve, and regularly update an IT security policy aligned with international standards and UMOA data protection laws, while implementing continuous risk assessment, robust physical and logical access controls, malware protection, and secure off-site data backup. Furthermore, it obligates Credit Information Bureaus to conduct annual external audits, report security incidents and compliance status to the BCEAO annually, and face sanctions for non-compliance with these IT security obligations.


Senegal

Banque Centrale des Etats de l'Afrique de l'Ouest


The Governor of the Central Bank of West African States (BCEAO),

Having regard to the Treaty of the West African Monetary Union (UMOA) dated January 20, 2007, particularly Article 34;

Having regard to the Statutes of the Central Bank of West African States (BCEAO), annexed to the UMOA Treaty dated January 20, 2007, particularly Articles 30 and 59;

Having regard to the Uniform Act regulating Credit Information Bureaus in UMOA Member States, particularly Articles 27, 28, 29, 31, 35, 37, 41, 56, 64 and 76,

DECIDES

Article 1: Purpose

This Instruction aims to specify the rules regarding IT security devices for Credit Information Bureaus, their subsidiaries, branches, and representative offices.

Article 2: IT Security Policy

Credit Information Bureaus are required to develop their IT security policy. It must comply with:

– the strictest security requirements recognized in the credit information services industry, particularly international IT security standards;

– the legal and regulatory provisions in force in UMOA Member States regarding personal data protection.

Avenue Abdoulaye FADIGA, BP 3108 – Dakar – Sénégal – Tel. (221) 33 839 05 00 / Fax (221) 33 823 93 35 – www.bceao.int

The IT security policy of Credit Information Bureaus is approved by their management and communicated to all employees. It is regularly updated, at least every three years, to account for changes in the internal and external environment.

Article 3: IT Risk Management Strategy

In the context of managing risks inherent to IT systems, Credit Information Bureaus must implement a mechanism enabling continuous identification and assessment of risks, with the aim of reducing or managing them. They develop their risk management strategy, which is approved by their management.

Article 4: Protection against Malware and Cyberattacks

Credit Information Bureaus implement prevention, detection, and remediation measures to protect their IT systems against malware and cyberattacks.

Article 5: Securing Networks, Terminals, and Information

Credit Information Bureaus take appropriate security measures to protect information transmitted through their networks, as well as via their connections with users, data providers, and the BCEAO. Credit Information Bureaus ensure that terminals accessing their systems have the necessary authorizations. Furthermore, they implement adequate configuration to manage the risks inherent to external users connecting to their IT systems.

Article 6: Management of Identities and Logical Access to IT Systems

Credit Information Bureaus ensure that each user, data provider, or staff member is identified and authenticated before any access to IT systems, and holds adequate access rights. Each action must be traceable to its author.

Article 7: Physical and Environmental Security Devices

Credit Information Bureaus implement physical access management devices governing access by their staff and third parties to their secure premises. Premises housing the data centers of Credit Information Bureaus must be equipped with appropriate environmental protection devices, including smoke and water detectors, fire suppression systems, as well as temperature and humidity sensors.

Article 8: Data Backup

Credit Information Bureaus ensure that their IT security policy guarantees the integrity of data backups on appropriate media, the conduct of regular restoration tests, and the off-site relocation of backup media to a site located in another UMOA Member State.

Article 9: IT Security Incident Management

Credit Information Bureaus implement an IT security incident management framework to address incidents and contain their impact.

Article 10: IT System Control

Credit Information Bureaus define, implement, and maintain an appropriate internal control mechanism for IT-related operations. Credit Information Bureaus commission an annual external audit of their IT system to ensure the effectiveness of internal control.

Article 11: Central Bank Reporting

Credit Information Bureaus include, in the compliance report submitted to the BCEAO at the end of each year, a statement of the security devices and procedures implemented, test results, and recorded incidents.

Article 12: Compliance with Obligations and Sanctions

Failures to meet obligations related to IT security are sanctioned in accordance with the provisions of the Uniform Act regulating Credit Information Bureaus in UMOA Member States, without prejudice to the legislative and regulatory provisions in force in the Union's member state of establishment.

Article 13: Entry into Force

This Instruction enters into force on the date of its signature. It shall be published wherever necessary.

Done in Dakar, on June 15, 2015

Tiémoko Meyliet KONE