2026-01-20

Circular No. 01/EFI/2026, of January 14 – Model for Reporting Technological and Cyber Incidents

The Bank of Mozambique issued Circular No. 01/EFI/2026 mandating credit institutions and financial companies to report technological and cyber incidents using standardized preliminary, intermediate, and final reporting models submitted via the BSA Portal or email. The directive establishes strict submission deadlines of 24 hours, 10 business days, and 30 business days respectively, while requiring detailed classification of incidents by nature and severity alongside comprehensive impact assessments across reputational, financial, and operational dimensions. Institutions must also submit aggregated statistical reports and explanatory notes to align with prior Notice No. 8/GBM/2025, with the circular taking effect on March 9, 2026.

Mozambique

Banco de Mocambique

Bank of Mozambique Administration

FINANCIAL STABILITY DEPARTMENT CIRCULAR NO. 01/EFI/2026

Maputo, January 14, 2026

SUBJECT: MODEL FOR REPORTING TECHNOLOGICAL AND CYBER INCIDENTS

The Bank of Mozambique established, through Notice No. 8/GBM/2025, of December 9, the guidelines for reporting technological and cyber incidents. Under this Notice, credit institutions and financial companies must report technological and cyber incidents by completing reporting models to be defined by Circular.

Therefore, pursuant to paragraph 1 of Article 5 and subparagraph b) of Article 8 of the aforementioned Notice, the Bank of Mozambique determines:

  1. Credit institutions and financial companies must submit to the Bank of Mozambique reports on technological and cyber incidents according to the reporting model contained in Annex I.
  2. The aggregated report of technological and cyber incidents must be submitted to the Bank of Mozambique, according to the reporting model contained in Annex II.
  3. The models referred to in items I and II must be submitted via the BSA Portal (Banking Supervision Application) and other means indicated by the Bank of Mozambique.
  4. In cases where credit institutions and financial companies temporarily lack operational capacity to ensure incident communication via the means indicated in the previous item, or if said means are unavailable, the report must be submitted, exceptionally, via email: dsp_riscocibernetico@bancomoc.mz
  5. This Circular enters into force on March 9, 2026.

Questions regarding the interpretation and application of this Circular must be submitted to the Prudential Supervision Department of the Bank of Mozambique.

Maria Esperança Majimeja (Administrator)

Annex I - Model for Reporting Technological and Cyber Incidents

Preliminary [ ] Within 24 hours, counted from the moment of occurrence
Intermediate [ ] Within 10 business days, counted from the moment of submission of the preliminary report
Final [ ] Within 30 business days, after the preliminary report
Incident Identification:
Institution Code
Fiscal Year
Date
Reporting Time to BM
A - Preliminary Report
Contact Details (1)
Contact 1
Name:
Position:
E-mail
Phone:
Contact 2 (if available)
Name:
Position:
E-mail
Phone:
Incident Details (2)
Occurrence Date
Time
Incident Type
Incident Description
B - Intermediate Report
(1) Information on the origin

(2) Is there a relation to another incident reported previously? [ ] Yes <br> [ ] No <br> Provide details: <br> Date: <br> Time:
(3) Affected components [ ] Workstations (laptops, PCs, mobile devices) <br> [ ] Operating Systems <br> [ ] Core systems (computer systems supporting business areas) <br> [ ] Peripheral systems (computer systems supporting control and support areas) <br> [ ] Digital channels (internet banking, mobile applications) <br> [ ] Data management and storage systems (file servers, databases, data warehouse) <br> [ ] Office applications <br> [ ] Email <br> [ ] Networks and telecommunications (switches, routers, firewalls, PBX, VoIP, call center) <br> [ ] Servers <br> [ ] Middleware components (processors, intermediate layer equipment) <br> [ ] Others. Specify: _________
(4) Affected Areas
(4.1) Affected business areas
(4.2) Affected control areas
(4.3) Affected support areas

(5) Classification of the incident according to nature
TECHNOLOGICAL INCIDENT
CYBER INCIDENT
Abusive content <br> [ ] SPAM <br> [ ] Hate crime <br> [ ] Pornography <br> [ ] Others. Specify: _________ <br><br> Malicious code <br> [ ] Worm <br> [ ] Trojan <br> [ ] Spyware <br> [ ] Dialler <br> [ ] Rootkit <br> [ ] Others. Specify: _________ <br><br> Information gathering <br> [ ] Scanning <br> [ ] Sniffing <br> [ ] Social engineering <br> [ ] Others. Specify: _________

Intrusion attempt <br> [ ] Exploitation of known vulnerabilities <br> [ ] Access attempt with credential breach <br> [ ] Unknown attack <br> [ ] Others. Specify: _________ <br><br> Intrusion <br> [ ] Compromise of privileged account <br> [ ] Compromise of an unprivileged account <br> [ ] Compromise of applications <br> [ ] Others. Specify: _________ <br><br> Availability <br> [ ] DoS (Denial-of-Service) <br> [ ] DDoS (Distributed Denial-of-Service) <br> [ ] Misconfiguration <br> [ ] Sabotage <br> [ ] Disruptions <br> [ ] Others. Specify: _________ <br><br> Information compromise <br> [ ] Unauthorized access to information <br> [ ] Unauthorized alteration of information <br> [ ] Data loss <br> [ ] Others. Specify: _________ <br><br> Fraud <br> [ ] Unauthorized use of resources <br> [ ] Copyright infringement <br> [ ] Identity theft <br> [ ] Phishing <br> [ ] Others. Specify: _________ <br><br> APT (Advanced Penetration Threat) <br> Others (to be specified)
(6) Classification of the incident according to severity [ ] Critical <br> [ ] High <br> [ ] Medium
(7) What actions or responses were taken by the institution
(8) Incident identified by: [ ] Cybersecurity or IS security <br> [ ] Information Technologies <br> [ ] Internal audit <br> [ ] External audit <br> [ ] Service provider <br> [ ] Client <br> [ ] Employee <br> [ ] Others. Specify: _________

(9) Incident impact
(9.1) Reputational impact
(9.2) Financial impact
(9.3) Operational impact
(10) Service providers originating the incident

(11) Was the incident resolved? [ ] Yes <br><br> [ ] No <br><br> Measures taken for incident resolution <br><br> Proposed remediation actions
Remediation Action

C - Final Report

Investigation and incident resolution

1. Sequential order of events
(1.1) Duration of disruption HH:MM
(1.2) Description of origin
(1.3) What was the incident's entry vector? [ ] Internal agent (institution employees) <br> [ ] External agent (service providers) <br> [ ] Natural disasters <br> [ ] Cut or interruption of electricity supply <br> [ ] Cut or interruption of telecommunications services <br> [ ] Technological infrastructure equipment <br> [ ] Internet network <br> [ ] Instant messaging <br> [ ] Telephone <br> [ ] Administrative credentials <br> [ ] Email <br> [ ] Unauthorized devices <br> [ ] Lost/stolen devices <br> [ ] Social networks <br> [ ] Security vulnerabilities <br> [ ] Phishing or pop-ups on Web forms <br> [ ] Social engineering <br> [ ] Malicious internal threats <br> [ ] Spoofing <br> [ ] Identity-based attacks <br> [ ] Code injection attacks <br> [ ] Other (please specify) _________
(1.4) Exposed vulnerabilities/weaknesses [ ] Obsolete equipment <br> [ ] Unupdated software (firmware and applications) <br> [ ] Inadequate patch management <br> [ ] Inadequate privileged account management <br> [ ] Inadequate email/web browser protection <br> [ ] Inadequate malware defenses <br> [ ] Inadequate access management <br> [ ] Inadequate hardware security configurations (terminal devices, laptops, workstations, servers) <br> [ ] Inadequate software security configurations <br> [ ] Inadequate security perimeter configuration <br> [ ] Inadequate control of network ports, protocols, and services <br> [ ] Inadequate backup of systems or files <br> [ ] Insecure network devices (firewalls, routers, switches) <br> [ ] Inadequate application software security controls (web-based applications and others) <br> [ ] Inadequate DDoS defense <br> [ ] Inadequate penetration and security testing <br> [ ] Inadequate network segmentation <br> [ ] Lack of team awareness and/or compliance <br> [ ] Inadequate log maintenance and monitoring <br> [ ] Staff shortage <br> [ ] Weak cryptography <br><br> Others. Specify: _________
(1.5) Was the incident internally escalated to top management, at group level, for actions outside usual procedures? [ ] No <br><br> [ ] Yes
(1.6) Stakeholders informed or involved [ ] No <br><br> [ ] Yes
(1.7) Escalation measures taken, including approvals requested on provisional measures to mitigate the event and reasons for taking such measures
(1.8) Did the occurrence require activation of crisis management procedures? [ ] No <br><br> [ ] Yes
(1.9) Who is leading the incident investigation? [ ] The institution <br> [ ] Service provider <br> [ ] Police authorities or other security agencies <br> [ ] If other, specify: ________________
(1.10) Who is leading the remediation actions [ ] The institution <br> [ ] Service provider <br> [ ] If other, specify: ________________
(1.11) Factors that caused the problem/ Reasons for occurrence, cause and effects of the incident
(1.12) Was the action plan defined for the resolution of the incident fully complied with? [ ] Yes <br> [ ] No <br> If no, state the reasons
(1.13) Corrective actions taken to prevent future occurrences of similar types of incidents [ ] No <br><br> [ ] Yes <br><br> Steps identified or to be taken to resolve the incident long-term
(2) Final assessment and remediation:
(2.1) Direct and indirect financial losses in Meticais
(2.2) Conclusion on cause
(2.3) Summary of similar incidents caused by the same root cause in the last 12 months
(2.4) Other complementary information
(2.5) Was there notification to the client/public announcement/report to other relevant regulatory bodies regarding the incident resolution? [ ] No <br><br> [ ] Yes <br><br> Description of the mechanism adopted to communicate the incident to the client/public announcement/report to other relevant regulatory bodies
(2.6) Was the incident resolved? [ ] Yes <br> Indicate the resolution date
[ ] No <br> Submit to the Bank an action plan with proposals for incident resolution and respective deadlines for monitoring
Remediation Action

Annex II - Model for Aggregated Reporting of Technological and Cyber Incidents

I. STATISTICAL INFORMATION (QUANTITATIVE)

(1) Total incidents reported by the institution
Institution Code
Fiscal Year
Date
Reporting Time to BM

| (2) Incident Classification: (2.1) According to nature | (2) Incident Classification: (2.2) According to severity | (3) Exposed Vulnerability | (4) Incident Frequency | (5) Reported Incident IDs | (6) Entry Vector | (7) Affected Components | (8) Affected Services (support, control, or business area) | (9) No. Compromised Transactions |
| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
| <Example of completion: Spam> | <high> | <weak cryptography> | <2> | <dim01> | <internet network> | OS | IT | <10> |
| | | | | <dim02> | <instant message> | core system | markets | <5> |

II. ANALYSIS OF THE IMPACT OF REPORTED INCIDENTS IN THE PERIOD

<Place the global description of the incident impact based on the following table>
(12) Reputational
(13) Financial
(14) Operational

III. ADDITIONAL INFORMATION

(15) Other information considered relevant:

We declare that the information contained in Annex II - Model for Aggregated Reporting of Cyber Incidents is in accordance with the record of cyber incidents that occurred at the institution during the reported period.


Signature of Board of Directors member


Signature of responsible person

<Place>, on <Date>

1. EXPLANATORY NOTES TO THE CYBER INCIDENT REPORTING MODEL

A. Preliminary Report

| Column | Description | Data type |
| :--- | :--- | :--- |
| (1) | Contact details of information responsible persons | Text |
| (2) | Incident details | Text |

B. Intermediate Report

| Column | Description | Data type |
| :--- | :--- | :--- |
| (1) | Indication of incident origin | Text |
| (2) | Indication of the reported incident's relation to other incidents | Text |
| (3) | Description of the incident regarding affected components | Text |
| (4) | Indication of affected areas (business, control, and support) | Text |
| (5) | Classification of the incident according to nature per Annex II of the incident reporting Notice | Text |
| (6) | Classification of the incident according to severity per Annex I of the incident reporting Notice | Text |
| (7) | Description of actions taken for incident resolution | Text |
| (8) | Indication of the mechanism used to identify the incident | Text |
| (9) | Description of the incident's impact at reputational, financial, and operational levels | Alphanumeric (Text/Number) |
| (10) | Indication of incident origin and affected service provider | Text |
| (11) | Indication of incident status considering resolution level and time | Text |

C. Final Report

| Column | Description | Data type |
| :--- | :--- | :--- |
| (1) | Detailed description of investigations conducted considering origin, vulnerabilities, and actions taken for resolution | |
| (1.1) | Indication of incident duration in hours | Integer |
| (1.2) | Detailed description of the intruder originating the incident | Text |
| (1.3) | Indication of mechanisms used in the intrusion | Text |
| (1.4) | Indication of weaknesses/vulnerabilities the system was exposed to | Text |
| (1.5) | Description of escalation level in incident management | Text |
| (1.6) | Indication of parties involved in incident resolution | Text |
| (1.7) | Indication of measures taken considering approval levels | Text |
| (1.8) | Description of crisis management procedures activated for incident mitigation | Text |
| (1.9) | Indication of the party responsible for incident investigation | Text |
| (1.10) | Indication of the party responsible for incident remediation | Text |
| (1.11) | Indication of the incident cause | Text |
| (1.12) | Indication of the action plan compliance level in incident resolution | Text |
| (1.13) | Description of corrective actions implemented to prevent incident recurrence | Text |
| (2) | Detailed description of incident nature, economic impacts, lessons learned | |
| (2.1) | Amount of direct and indirect financial losses resulting from incident occurrence | Numeric |
| (2.2) | Detailed description regarding incident origin | Text |
| (2.3) | Description of incidents with the same root cause occurring in the last 12 months | Text |
| (2.4) | Description of other relevant information not captured in previous items | Text |
| (2.5) | Description of the type of notification carried out after incident resolution | Text |
| (2.6) | Description of incident status | Text |

2. EXPLANATORY NOTES TO THE AGGREGATED CYBER INCIDENT REPORTING MODEL

I. STATISTICAL INFORMATION (QUANTITATIVE)

| Column | Description | Data type |
| :--- | :--- | :--- |
| (1) | Indication of the number of incidents reported in the reference period | Integer |
| (2.1) | Classify the incident according to nature per Annex II of the incident reporting Notice | Text |
| (2.2) | Classify the incident according to severity per Annex I of the incident reporting Notice | Text |
| (3) | Indication of weaknesses/vulnerabilities the system was exposed to | Text |
| (4) | Indication of the number of times the incident occurred | Integer |
| (5) | Indication of the reported incident's identification number | Integer |
| (6) | Indication of the mechanism used by the intruder | Text |
| (7) | Indication of affected components and systems | Text |
| (8) | Indication of affected services, business, support, and control areas | Text |
| (9) | Indication of the total number of transactions affected by the incident | Integer |
| (10) | Indication of the total number of users affected by the incident | Integer |
| (11) | Indication of incident status considering resolution level | Text |

II. ANALYSIS OF THE IMPACT OF REPORTED INCIDENTS IN THE PERIOD

| Column | Description | Data type |
| :--- | :--- | :--- |
| (12) | Description of the magnitude of the aggregated impact (whether national or international) and the level of media disclosure of incidents occurring in the period | Text |
| (13) | Total amount of direct and indirect financial losses resulting from incident occurrence | Number |
| (14) | Indication of the total number of hours of service unavailability | Number |

III. ADDITIONAL INFORMATION

| Column | Description | Data type |
| :--- | :--- | :--- |
| (15) | Description of other relevant information not captured in previous items | Text |
