2020-04-02

Notice No. 08/2020 on Cybersecurity Policy and Cloud Computing Adoption

The Bank of Angola issued Notice No. 08/2020 to mandate comprehensive cybersecurity policies and cloud computing adoption frameworks for all supervised Financial Institutions. The regulation requires institutions to implement risk-aligned security controls, execute detailed incident response plans with mandatory 4-hour status updates, and submit pre-contractual notifications for cloud outsourcing at least sixty days in advance. Additionally, it enforces a five-tier information classification system and obligates institutions to verify provider capabilities, ensure data recovery protocols, and maintain continuous operational resilience against cyber threats.


Banco Nacional de Angola


PUBLISHED IN THE OFFICIAL GAZETTE, FIRST SERIES, NO. 41, OF APRIL 2

NOTICE NO. 08/2020

SUBJECT: FINANCIAL SYSTEM - Cybersecurity Policy and Cloud Computing Adoption

Considering the need to establish rules on the cybersecurity component, as well as the terms and conditions for contracting data processing and storage services and cloud computing, to be observed by Financial Institutions under the supervision of the Bank of Angola;

Considering also the need to define reporting mechanisms for any situation with a significant impact on the stability of the Angolan Financial System, namely events with a potential negative impact on the results or equity of Financial Institutions, including operational incidents, in a context of growing importance of the operational risk associated with information and communication technologies;

In these terms, under the combined provisions of item j) of Article 90 of Law No. 12/15, dated June 17 (Law on the Basic Framework of Financial Institutions), and item f) of paragraph 1 of Article 21 and Article 51, both of Law No. 16/10, dated July 15 (Bank of Angola Law);

IT IS DETERMINED:

CHAPTER I
General Provisions

Article 1. (Object) This Notice establishes the rules on cybersecurity policy and the terms and conditions for contracting data processing and storage services and cloud computing, to be observed by Financial Institutions authorized to operate by the Bank of Angola.

Article 2. (Scope) This Notice applies to Financial Institutions under the supervision of the Bank of Angola, hereinafter abbreviated as Institutions, in accordance with the terms and conditions set forth in the Law on the Basic Framework of Financial Institutions.

Article 3. (Definitions) For the purposes of this Notice: a) Cybersecurity: the set of policies, controls, means, and technologies aimed at protecting programs, computers, networks, and data from unlawful intrusion or from digital attacks that cause damage to them. b) Cloud Computing: a model that allows convenient, on-demand network access to a shared pool of configurable computing and data storage resources, which can be rapidly provisioned and released with minimal management effort or service provider interaction. c) Critical Technological Infrastructure: information systems and assets, whether physical or virtual, that are vital to the normal functioning of Financial Institutions and whose failure or destruction would have a high impact on institutional operations.

CHAPTER II
Cybersecurity Policy

Article 4. (Implementation of Cybersecurity Policy)

  1. Institutions must define, implement, and maintain a cybersecurity policy based on internationally accepted standards, principles, and guidelines, aiming to ensure the confidentiality, integrity, and availability of networks, data, and information systems used.
  2. The aforementioned cybersecurity policy must be proportionate to, and take into account at a minimum, the following: a) The size, risk profile, and business model of the Institution; b) The nature of its operations and the complexity of its products, services, activities, and processes; and c) The sensitivity of the data and information under the Institution's responsibility.
  3. The procedures and controls adopted to reduce institutional vulnerability to incidents and meet the other objectives of the cybersecurity policy, in accordance with ISO/IEC 27035 and ISO 27001 guidelines regarding information technology security incident management and information security management, respectively, must include: a) Authentication, authorization, encryption, intrusion prevention, and detection; b) Prevention of information leakage; c) Periodic testing and audits to detect vulnerabilities; d) Protection against malicious software; e) Access control and computer network segmentation; f) Maintenance of data and information backups; g) Specific controls to ensure the security of sensitive information, including traceability of information; h) Procedures for recording, root cause and impact analysis, as well as control of incident effects on institutional activities; i) Mechanisms for dissemination, staff training, and periodic evaluation to elevate cybersecurity culture within the Institution; j) Reporting to clients and users regarding precautions in the use of financial products and services; and k) Commitment by the governing body to continuous improvement of procedures related to the cybersecurity policy.
  4. Institutions must define necessary guidelines for: a) Developing incident scenarios considered in technology and business service continuity tests; b) Defining procedures and controls for prevention and handling of incidents to be adopted by third-party service providers that handle sensitive data or information or are relevant for conducting institutional operations; c) Defining parameters to be used in assessing the relevance of incidents; and d) Classifying data and information according to business criticality.

Article 5. (Duty to Disclose Security Policies) The cybersecurity policy must be disclosed to the public, to employees, and to service providers in clear, objective, and accessible language, in a form appropriate to the functions performed by each audience and to the sensitivity of the information contained in the policy.

Article 6. (Action and Incident Response Plan) For the implementation of the cybersecurity policy, Institutions must develop an action plan capable of responding to incidents, containing at a minimum the following requirements: a) Adequacy of organizational and operational structures; b) Routines, procedures, controls, and technologies to be used in incident prevention and response, in compliance with cybersecurity policy guidelines; c) Actions to be developed by Institutions to align organizational and operational structures with the principles and guidelines of the cybersecurity policy; d) Indication of the area responsible for recording, monitoring, and controlling relevant incidents; and e) Cybersecurity policy procedures manual, approved by the governing body or management, which must be reviewed annually or whenever relevant changes occur in the Institution.

Article 7. (Institutionalization of Security Structures) Institutions must establish a dedicated structure or team(s) responsible for the cybersecurity policy and the execution of the action and incident response plan.

Article 8. (Incident Notification Obligation)

  1. Institutions must report to the Bank of Angola breaches of information networks and systems or integrity losses with significant impact on the functioning of said networks and services.
  2. The aforementioned communication is mandatory and must be made upon detection of the incident, followed by subsequent communications with status updates at 4-hour intervals until normal service is restored.
  3. Without prejudice to the duty of professional secrecy and free competition, whenever necessary, Institutions must develop initiatives to share information on relevant incidents, aiming to mitigate impact and strengthen the resilience of the financial system against cyberattacks.

CHAPTER III
Contracting Cloud Computing Services

Article 9. (Adoption of Cloud Computing)

  1. The adoption of cloud services by Institutions implies the adaptation of policies, strategies, and structures for managing risks inherent to outsourcing said services.
  2. In assessing the relevance of the service to be provided in the cloud, the Institution must consider the criticality and sensitivity of data and information supported by said service, according to its classification, as well as the associated risk in case of unauthorized access.
  3. Institutions must ensure the capacity building of their human resources for the correct management of implemented services, aiming to ensure internal autonomy for accessing and using cloud technology.
  4. Whenever termination of the contract is not possible, Institutions must ensure continuity management of the contracted cloud services.

Article 10. (Communication of Cloud Computing Adoption)

  1. The intention to contract cloud computing-supported services must be communicated to the Bank of Angola at least 60 (sixty) days prior to said contracting for evaluation and approval, containing the following detailed information: a) The company to be contracted; b) The business continuity plan; c) The services to be provided; d) The location or country of "hosting" for infrastructure, systems, and processing; e) Type of information to be migrated to the cloud; f) Indication of the governing law for the intended contract; g) Demonstration of competencies and resources necessary to maintain and monitor the contracted service; and h) Availability of the cloud computing service provider to cooperate with national supervisory authorities overseeing the Institution.
  2. Whenever contractual changes occur, Institutions must likewise communicate them to the Bank of Angola at least 90 (ninety) days in advance; this period may be shortened in duly justified exceptional cases where the full functioning of the Institution is compromised.
  3. Institutions must also create conditions ensuring business continuity.
  4. For services already contracted, the communication to the Bank of Angola must be made within a maximum of 30 (thirty) days after the publication of this Notice.

Article 11. (Contracting Cloud Services)

  1. Prior to contracting cloud computing services, Institutions must verify and document the potential service provider's capacity to ensure compliance with the following aspects: a) Confidentiality, integrity, availability, and recovery of data and information processed or stored by the service provider; b) Institutional access to data and information to be processed or stored, as well as the provision of adequate management information and resources for monitoring services; and c) Availability of reports prepared by specialized, independent audit firms regarding procedures and controls used in service provision.
  2. In contracting cloud computing services, Institutions must observe, at a minimum, the following requirements: a) Corporate governance and management practices proportional to the relevance of the contracted service and the associated risks; b) Verification of the potential service provider's capacity; c) Licensing and certification of the cloud computing service provider, whose data center hosting location must comply with market best practices; d) Integrity, availability, professional experience, and financial capacity of the provider, in accordance with the prevailing legislation of the country; e) Assessment by the Institution of the relevance of the service and of the classification of the information involved, in accordance with the Annex to this Notice; f) Backup data centers ensuring recovery in case of disaster and access to backups during abnormal situations; g) 24/7 technical support (twenty-four hours a day, seven days a week); h) Security measures adopted for data transmission and storage, logical and physical segregation, and adequate access control to protect the information; i) Prior communication to the Institution of any subcontracting of the service and of any limitations that may affect service provision or compliance with prevailing legislation and regulation; j) Transfer of the data to the new service provider or to the Contracting Institution upon contract termination and, consequently, deletion of the data by the replaced provider after confirmation of the integrity and availability of the data received; k) Permission for the Institution to access management information and resources adequate for monitoring the services provided by the contracted company, in order to verify compliance with item f) of paragraph 2 of this article; and l) Access to documentation and information on the services provided to the Contracting Institution, namely stored and processed data, backups, and access codes.
  3. Contracting Institutions are responsible for ensuring the security of contracted services, as well as compliance with prevailing legislation.

Article 12. (Classification of Information to be Migrated to the Cloud)

  1. Institutions must classify information considered essential to the security of society, of their clients, and of the State, according to its confidentiality level: highly confidential, confidential, reserved, internal, and public.
  2. For information classification purposes, Financial Institutions must consider the requirements set forth in the Annex, which constitutes an integral part of this Notice.
  3. The aforementioned information classification must comply with provisions in Law No. 22/2011, dated June 17 – Personal Data Protection Law, combined with Law No. 7/17, dated February 16 – Information Systems Network and System Protection Law, as well as Articles 76 and 77 of Law No. 12/2015, dated June 17 – Law on the Basic Framework of Financial Institutions.
  4. Based on the classification assigned to each type of information, Institutions determine its eligibility for cloud migration, considering each available cloud deployment model, namely: a) Private cloud: services provided within a single organization, offering all the basic cloud computing functions (gains in productivity, flexibility, and scalability), with remote access restricted to that organization and no sharing of IT resources with other organizations or with users outside the organizational environment; b) Public cloud: a service provided by a provider to the general public or to organizations, with the service provider responsible for implementing protection mechanisms, hosting, maintenance, and data management, and charging only for the resources used, whether application infrastructure, physical infrastructure, or software; c) Community cloud: a service based on IT infrastructure shared by several organizations with common concerns (mission, security requirements, policies, etc.), which may be administered by the organizations themselves or by a third party, and which may exist within or outside the organizational environment; and d) Hybrid cloud: a service based on a computing environment combining public and private clouds, allowing data and applications to be shared between them.

CHAPTER IV
Final Provisions

Article 13. (Sanctions) Non-compliance with this Notice constitutes an offense provided for and punishable under Law No. 12/15, dated June 17 (Law on the Basic Framework of Financial Institutions).

Article 14. (Doubts and Omissions) Doubts and omissions resulting from the interpretation and application of this Notice are resolved by the Bank of Angola.

Article 15. (Repealing Clause) All provisions contrary to this Notice are hereby repealed.

Article 16. (Entry into Force) This Notice enters into force 30 (thirty) days after the date of its publication.

PUBLISHED. Luanda, March 16, 2020.

THE GOVERNOR
JOSÉ DE LIMA MASSANO

ANNEX

For the purposes of information classification by Financial Institutions, special handling measures are necessary, given the implications and responsibilities associated with each classification. Financial Institutions must classify information according to the following criteria:

  1. Highly Confidential Information 1.1 This is all information associated with the Institution's material interests. If disclosed, it may cause serious financial losses, a very large impact on the business, or damage to the image of the Institution or of the Government of Angola. This information requires exceptional control and protection measures against unauthorized access; 1.2 Highly confidential information is generally restricted to the Board of Directors, managers with relevant management functions, executives, and previously designated employees who, due to the nature of their function, are obliged to know it; 1.3 All highly confidential information must be subject to rigorous control over its disclosure, with historical records that unequivocally identify the users who accessed it; 1.4 Copies of highly confidential documents must be pre-approved by their owner (the originator) and carry a unique identification; 1.5 Highly confidential information must be stored in an access-controlled location and be subject to physical security measures during transport, with the owner's authorization required for transport outside the Institution; 1.6 For electronic transmission of highly confidential information, encryption is mandatory on any communication medium, whether internal or external to the Institution.

  2. Confidential Information 2.1 This is all information whose knowledge should be limited to a small number of authorized persons. If disclosed, it may cause a large impact on the business or damage to the Institution's image, administrative embarrassment with employees, or advantages to third parties. This information requires a high degree of control and protection against unauthorized access. 2.2 This classification includes: information that gives the Institution competitive advantages, information describing a significant part of the Institution's business, information containing long-term operational strategies, information important to the technical or financial success of a product, and information with a potentially serious impact on Human Resources policies and practices. 2.3 Confidential information is generally restricted to the Institution's managers and to previously designated employees who, due to the nature of their function, are obliged to know it. 2.4 Internal disclosure of confidential information to employees outside the recipient's function, as well as copying of confidential documents, must be pre-approved by the owner; 2.5 All confidential information must be stored in an access-controlled location and be subject to physical security measures during transport, with the owner's authorization required for transport outside the Institution; 2.6 For electronic transmission of confidential information, encryption is mandatory.

  3. Reserved Information 3.1 This is all information whose knowledge and use must be restricted to a specific group of employees or areas of the Institution. It must not be disclosed or published, nor made accessible to employees or non-employees outside that group; 3.2 Reserved information is generally limited to a unit or working group and to employees who, due to the nature of their function, are obliged to know it. 3.3 When classifying information as reserved, the group or purpose for which it is reserved must be made explicit. 3.4 Internal disclosure of reserved information, as well as copying of reserved documents for other employees who need them to perform their tasks, is permitted. 3.5 All reserved information must be stored in an access-controlled location, with the owner's authorization required for transport outside the Institution.

  4. Internal Information 4.1 This is all information whose knowledge and use is restricted exclusively to the internal scope and purposes of the Institution, available to all employees and to authorized non-employees present on its premises. It may only be revealed to the external public with authorization; 4.2 This classification includes: information related to the development of internal company programs, directories for locating employees within the company, etc.

  5. Public Information 5.1 This is all information that may or must be disclosed to the public outside the Institution; 5.2 This classification includes: informational material intended for publication and information that the Institution is obliged to disclose under prevailing legislation; 5.3 All public information must receive special treatment regarding its presentation and content, so as not to prejudice the Institution's image.