Regulatory Alerts2025-11-24
Circular No. 03/EFI/2025, of November 19 – Cyber Risk Self-Assessment
The Bank of Mozambique mandates credit institutions and financial companies to conduct an annual cyber risk self-assessment and submit a completed report alongside a remediation plan detailing corrective measures, deadlines, and responsible parties by March 31. The directive establishes a standardized reporting model via the Banking Supervision Application portal, with fallback email procedures for operational disruptions, and requires institutions to evaluate intrinsic risk across organizational, technological, channel, product, and threat categories. Compliance is measured against a nine-domain framework covering governance, identification, protection, detection, response, awareness, testing, outsourcing, and learning, with responses categorized from fully compliant to non-compliant.
Bank of Mozambique Administration
FINANCIAL STABILITY DEPARTMENT CIRCULAR NO. 03/EFI/2025
Maputo, November 19, 2025
SUBJECT: CYBER RISK SELF-ASSESSMENT
Given the need to define the reporting model for completing the cyber risk self-assessment questionnaire, the Bank of Mozambique, in accordance with Article 5(1) of Notice No. 02/GBM/2024, of March 15, which approves the Guidelines for Cyber Risk Management and Cyber Resilience, determines:
- Credit institutions and financial companies must conduct an analysis of their cyber risk management and resilience processes, based on the self-assessment model set out in the Annex to this Circular.
- Following the provisions of the preceding paragraph, credit institutions and financial companies must submit to the Bank of Mozambique: a) The completed Cyber Risk Self-Assessment Report; and b) The Remediation Plan, indicating corrective measures, deadlines, implementation responsible parties, and supporting documents.
- The documents referred to in the preceding paragraph must be submitted via the BSA Portal (Banking Supervision Application) or through other means that may be indicated by the Bank of Mozambique.
- In cases where credit institutions and financial companies temporarily lack the operational capacity to ensure submission via the indicated means, or when these means are unavailable, reporting must be carried out, exceptionally, via email: dsp_riscocibernetico@bancomoc.mz
- This Circular enters into force immediately.
Questions regarding the interpretation and application of this Circular must be submitted to the Prudential Supervision Department of the Bank of Mozambique.
BANK OF MOZAMBIQUE Financial Stability Department
Benedita Guimino Administrator
Bank of Mozambique Administration
BANK OF MOZAMBIQUE CYBER RISK MANAGEMENT AND RESILIENCE SELF-ASSESSMENT
Institution Name: Submission Date: Person Responsible for Completion: Title/Role: e-mail:
Instructions:
- The cyber risk management and resilience self-assessment questionnaire is a tool based on Notice No. 02/GBM/2024, of March 15, on Cyber Risk and Resilience Management, intended to measure intrinsic cyber risk and assess the maturity of cybersecurity processes implemented at the institutional level.
- It must be completed annually and submitted by March 31 by the senior executive responsible for implementation, cyber risk management and resilience, and subsequently submitted to the Bank of Mozambique via the indicated channels.
- The questionnaire has 2 components: intrinsic risk and processes distributed across 9 domains, respectively: *D1 - Governance *D2 - Identification *D3 - Protection *D4 - Detection *D5 - Response and Recovery *D6 - Situational Awareness *D7 - Testing *D8 - Outsourcing *D9 - Learning and Evolution
- For intrinsic risk, this must be completed considering the following categories and risk levels: 4.1. Risk Categories: 4.1.1. Organizational Characteristics: mergers and acquisitions, number of direct employees and cybersecurity contractors, changes in security personnel, number of users with privileged access, changes in the IT environment, business presence locations, and location of operations and data centers. 4.1.2. Technologies and Connection Types: certain connection and technology types may expose the institution to high intrinsic risk depending on the complexity and maturity of connections and the specific nature of technological products and services. 4.1.3. Channels: the diversity of product and service delivery channels may expose the institution to high intrinsic risk depending on the specific nature of products or services offered, which may include digital channels and agents. 4.1.4. Products and Services: different technological products and services offered by credit institutions and financial companies may expose the institution to high intrinsic risk depending on the specific nature of the products or services offered. 4.1.5. External Threats: The volume and type of attacks (attempted or successful) affect exposure to intrinsic risk. This category considers the volume and sophistication of cyberattacks against the institution.
Bank of Mozambique Administration
4.2. Intrinsic Risk Levels
Low: limited use of technology with few terminals, applications, systems, and no connections. The product and service portfolio is limited. The institution has few employees and a small geographic footprint.
Medium: has reduced complexity in terms of technology used. Offers a limited range of lower-risk products and services. Critical business systems are outsourced. Main technologies used are already established. It has few types of connections with reduced complexity with clients and external entities.
Critical: generally uses technology with a moderate degree of complexity in terms of volume and sophistication. The institution may have outsourced some critical services or support them internally. It offers various products and services through multiple channels.
High: uses complex technology in terms of scope and sophistication. The institution offers high-risk products and services that may incorporate emerging technologies. The institution may host a significant number of applications internally. The institution allows the use of a high number of personal devices or a diversity of device types. The institution maintains a considerable number of connections with clients and external entities. A diversity of payment services are directly offered instead of relying on external entities and may reflect a high volume of transactions.
4.3. Read the declarative risk statement and determine the appropriate risk level based on the criterion described to the right of the declarative statement. Select from the list in column C the most appropriate criterion for the institution's environment.
| Category | Select Risk Level for Risk Criterion | Low | Medium 2 | High 3 |
|---|---|---|---|---|
| Organizational Characteristics | Low 1 | Medium 2 | High 3 | |
| Mergers and acquisitions (including divestitures and joint ventures) | Medium | None planned | In discussions with at least one entity | A sale or acquisition was publicly announced in the previous year, in negotiations with 1 or more entities |
| Direct employees (including IT and cybersecurity contractors) | Low | Total number of employees is <50 | Total number of employees between 50 - 2,000 | Total number of employees between 2,001 - 10,000 |
| Changes in IT and information security personnel roles | Medium | Key positions filled; low or non-existent personnel turnover | Some turnover in key or management positions | Frequent turnover of key personnel or management positions |
-
To complete domains D1 to D9, for each requirement, the user must choose between the following response options: Where: Fully Compliant: Appropriate, implemented Largely Compliant: Appropriate and implemented, but with minor gaps Partially Compliant: Appropriate but largely not implemented Non-Compliant: Inappropriate, not implemented
-
In case of "Fully Compliant" and "Largely Compliant" responses, whenever applicable, all supporting documents must be provided electronically, indicating the title(s) and reference.
-
Questions regarding the interpretation and application of this Questionnaire must be submitted to the Prudential Supervision Department of the Bank of Mozambique.
Bank of Mozambique Administration
| Category | Select Risk Level for Risk Criterion | Low 1 | Medium 2 | High 3 | Critical 4 | Comments |
|---|---|---|---|---|---|---|
| Organizational Characteristics | Low 1 | Medium 2 | High 3 | Critical 4 | ||
| Mergers and acquisitions (including divestitures and joint ventures) | Medium | None planned | In discussions with at least one entity | A sale or acquisition was publicly announced in the previous year, in negotiations with 1 or more entities | Critical | Multiple integrations from acquisitions are underway |
| Direct employees (including IT and cybersecurity contractors) | Low | Total number of employees is <50 | Total number of employees between 50 - 2,000 | Total number of employees between 2,001 - 10,000 | >10,000 | Total number of employees is >10,000 |
| Changes in IT and information security personnel roles | Medium | Key positions filled; low or non-existent personnel turnover | Some turnover in key or management positions | Frequent turnover of key personnel or management positions | High turnover of administrators; most are external; high IT/security staff turnover | Vacancies in management/key positions for long periods; high IT/security staff turnover |
| Privileged access (Network, database, application system administrators, etc.) | Medium | Limited number of admins; external admins non-existent or limited | Admin turnover affects operations; may use some external admins | High dependence on external admins; insufficient number for support volume/change demand | Significant volume of changes; substantial changes in external IT service providers. | |
| Changes in IT environment (network, infrastructure, critical applications, technologies supporting new products or services) | Medium | Stable IT environment | 2-3 provinces | 4-6 provinces | 7-11 provinces | 7-11 provinces |
| Branch locations/presence | Medium | 1 province | 2-3 provinces | 4-6 provinces | 7-11 provinces | 7-11 provinces |
| Operations/data center locations | Medium | 1 province | 2-3 provinces | 4-6 provinces | 7-11 provinces | 7-11 provinces |
Bank of Mozambique Administration
| Category | Select Risk Level for Risk Criterion | Low 1 | Medium 2 | High 3 | Critical 4 | Comments |
|---|---|---|---|---|---|---|
| Technologies and Connection Types | Low 1 | Medium 2 | High 3 | Critical 4 | ||
| Total number of ISP connections, including connections to | Low | No connections | Moderate complexity (2-6 connections) | Significant complexity (21 - 100 connections) | Substantial complexity (> 101 connections) | |
| Wireless network access | Low | No wireless network access | Separate access points and wireless networks for visitors and corporate; 1-25 / 26-100 users; access | Corporate wireless network access, significant number of users and access points (251-1,000 users; 26-100 access points) | Corporate wireless network access; all employees have access; substantial number of access points (> 1,000 users; > 100 access points) | |
| Personal devices with permission to connect to corporate network. | Low | Only one device type, allowed to <5% of employees (staff, managers) and only email access | Multiple devices used, allowed to <10% of employees (staff, managers) and only email access | Multiple devices used; allowed to >25% of employees (staff, managers), managers and admins, and some applications | Any device types used, allowed to >25% of employees (staff, managers) and admins to all applications | |
| External connections, including a number of instantiated (e.g., transfer protocol) | Low | Few connection instances (1-5) | Several connection instances (6-10) | Significant connection instances (11-25) | Substantial connection instances (>25) | |
| External entities, including a number of institutions and service provider/contractor employees with access to internal systems | Low | Limited number of entities (0-3) and limited service providers/contractors (<5) with access to system access mode | Number of external entities (4-6) and service provider/contractor employees (6-15) with access; some high complexity in system access mode | Number of external entities (7-10) and significant number of service provider/contractor employees (16-25) with access; high complexity level in system access mode | Number of external entities (>10) and service provider/contractor employees (>25) with access; high complexity level in system access mode | |
| Applications developed by service providers, internally hosted that support | Low | Non-existent | 1-5 internally developed systems | Applications (4-7) | 6-10 developed systems | Number of applications (> 11) |
| Internally developed systems that support critical activities | Low | No internally developed systems | 1-5 internally developed systems | 6-10 internally developed systems | >11 developed systems | >11 developed systems |
| End-of-life (EOL) hardware | Low | No EOL hardware or hardware past EOL | EOL hardware past EOL or with minimal impact in case of failure and replacement alternatives available. | EOL hardware or with impact on hardware operation but with replacement alternatives or mitigation methods in medium/long term. | EOL hardware or with significant impact on hardware operation in case of failure but with medium/long-term mitigation | EOL hardware or with significant impact on hardware operation in case of failure but with medium/long-term mitigation |
Bank of Mozambique Administration
| Category | Select Risk Level for Risk Criterion | Low 1 | Medium 2 | High 3 | Critical 4 | Comments |
|---|---|---|---|---|---|---|
| End-of-Life (EOL) Software | Low 1 | Medium 2 | High 3 | Critical 4 | ||
| End-of-life (EOL) software | Low | No EOL software or software past EOL | EOL software past EOL with minimal impact in case of failures and update alternatives available. | EOL software past EOL with impact on system operation but with update alternatives available for devices (501-1,000) | EOL software past EOL with significant impact on system operation and no possibility of provider assistance. Number of devices (> 1,001) | |
| Network devices (includes physical and virtual) | Medium | Limited network devices (<250) | Multiple devices (250-500) | Number of devices (501-1,000) | > 7 external entities supporting critical activities; 1 or more are based abroad | |
| External service providers that store and/or process information supporting critical activities and do not have access to internal systems, but the institution depends on their | Medium | No external entity supporting critical activities | 1-3 external entities supporting critical activities | 4-6 external entities supporting critical activities; 1 or more are based abroad | > 7 external entities supporting critical activities; 1 or more are based abroad | |
| Cloud computing services hosted that support institution operations. | Medium | No cloud computing provider | Multiple cloud computing providers; only cloud computing (1-3) | Multiple cloud computing providers (4-7) | Number of cloud computing providers (8-10); cloud provider locations are international, use of |
Bank of Mozambique Administration
| Category | Select Risk Level for Risk Criterion | Low 1 | Medium 2 | High 3 | Critical 4 | Comments |
|---|---|---|---|---|---|---|
| Channels | Low 1 | Medium 2 | High 3 | Critical 4 | ||
| Online services (Interbanking, social networks) | Medium | No Internet-based application or social media presence | Website and/or social media page | Website and/or social media page | Website and/or social media page. Number of subscribers: > 800,000 | |
| Mobile telephony services (mobile app, USSD- Unstructured Supplementary Service Data) | Medium | None | Mobile apps and USSD for clients offering services. Number of subscribers: <5,000 | Mobile apps and USSD for clients offering services. Number of subscribers: 5,000 - 800,000 | Mobile apps and USSD for clients offering services. Number of subscribers > 100,000 | |
| ATMs | Medium | No ATMs | Number of ATMs <25 | Number of ATMs: 25 - 100 | Number of ATMs > 100 | |
| Point of Sale (POS) | Medium | No POS | Number of POS < 1,000 | Number of POS: 1,000 - 8,000 | Number of POS > 8,000 | |
| Agents (banking, non-banking) | Medium | Does not have agents. | Has agents, < 100 agents | Has agents, between 100 - 200 agents. | Has agents; > 200 agents. | |
| Products and Services | Low 1 | Medium 2 | High 3 | Critical 4 | ||
| Cards (debit, credit, prepaid) | Low | Does not have cards or has <10,000 cards | Has cards: 10,000 - 499,000 | Has cards: 500,000 - 1,000,000 | Has cards >1,000,000 | |
| Mobile wallets (e-money wallet and other digital currency) | Low | Does not have mobile wallet service. | Number of subscribers < 5,000,000 | Number of subscribers: 5,000,000 - 8,000,000 | Number of subscribers > 8,000,000 | |
| Electronic transfers | Medium | Does not perform electronic transfers. | Monthly transfer volume < 250,000 | Monthly transfer volume: 250,000 - 750,000 | Monthly transfer volume > 750,000 | |
| External Threats | Low 1 | Medium 2 | High 3 | Critical 4 | ||
| Cyberattack Threats | Medium | No cyberattack or reconnaissance threats | Few monthly attempts (<100). | Several monthly attempts (100 - 500), may have suffered Distributed Denial of Service (DDoS) attack attempts in the last year, | Monthly attempts > 500; may have suffered multiple DDoS attack attempts in the last year, |
Bank of Mozambique Administration
CYBER RISK SELF-ASSESSMENT TOOL
| D1 - Governance | Institution Response | Institution Comments | Supporting Document (Title_Ref) | Action Plan |
|---|---|---|---|---|
| Board of Directors | ||||
| Responsibilities for all cyber risk management and oversight functions are defined, including defense lines and respective necessary committees. | Fully Compliant | |||
| The board of directors or a committee delegated by it ensures oversight of the implementation of the requirements established in Notice No. 02/GBM/2024, of March 15. | Largely Compliant | |||
| An adequate resource structure exists for the security function, with appropriate authority and direct access to the board of directors. | Largely Compliant | |||
| The effectiveness and efficiency of the internal audit function in assessing cyber risk management processes and monitoring recommendations, external audits, and independent certifications is ensured. | Non-Compliant | |||
| Top Management | ||||
| A senior executive responsible for implementing the cyber risk management strategy and structure has been designated. | Fully Compliant | |||
| A report is presented at least annually to the board of directors on the overall state of cyber risk and resilience. | Largely Compliant | |||
| The senior executive has adequate competencies, knowledge, and experience in the specialty. | Largely Compliant | |||
| The senior executive acts independently and has direct access to the board of directors. | Non-Compliant | |||
| Cybersecurity Strategy | ||||
| The cybersecurity strategy was approved by the board of directors and is aligned with the business strategy. | Fully Compliant | |||
| The cybersecurity strategy incorporates: (i) importance of cyber resilience; (ii) high-level stakeholder requirements; (iii) vision and mission regarding cyber resilience; (iv) cyber resilience objectives; (v) cyber risk appetite; (vi) cyber resilience targets and respective implementation plan; (vii) high-level scope of technology and assets used to manage cyber resilience; (viii) cyber resilience initiatives; (ix) integration of cyber resilience into people, processes, technology; (x) data management; and (xi) cybersecurity awareness. *If it has: 1 to 3 requirements--> Partially; 4 to 9 --> Largely Compliant. | Largely Compliant | |||
| The strategy is reviewed at least annually to incorporate possible changes in the cyber threat landscape, allocate resources, identify and correct gaps, and incorporate lessons learned. | Non-Compliant | |||
| Cybersecurity Framework | ||||
| The cybersecurity framework incorporates: (i) identification, including asset classification and risk; (ii) protection, including logical and physical controls; (iii) human resource security; (iv) change and patch management; (v) third-party management; (vi) detection; (vii) cyber security incident management mechanisms; (viii) response and recovery; (ix) testing; and (x) situational awareness. *If it has: 1 to 3 requirements--> Partially; 4 to 8 --> Largely Compliant. | Fully Compliant | |||
| The cybersecurity framework is consistent with the organizational risk management framework. | Largely Compliant | |||
| The framework is reviewed at least annually to verify the adequacy and effectiveness of controls. | Largely Compliant | |||
| The framework determines the necessary controls to keep risk within the established appetite. | Non-Compliant | |||
| Cybersecurity Policies and Procedures | ||||
| Business tolerance is defined and quantified at a minimum annual frequency regarding cyber risk and its consistency with organizational strategy and risk appetite is ensured. | Not Applicable (N/A) | |||
| Metrics have been established to collect information enabling the preparation of reports, both at the technical and executive levels. | Fully Compliant | |||
| Cyber Risk Management | ||||
| Cyber risk management has been established as an integral part of the organizational risk management program, in which |