2025-04-29

Circular CN/2025/11212: Technology-Related Operational Incident Reporting Requirements

The Maldives Monetary Authority mandates that all commercial banks report technology-related operational incidents affecting critical systems to preserve financial sector integrity. Banks must notify the regulator within one hour of incident identification, submit a summary report upon resolution, and provide a detailed full incident report within seven working days. Additionally, institutions are required to provide at least 24 hours' notice for scheduled downtimes and proactively communicate with customers to manage reputational risks during unexpected disruptions.

Maldives

Maldives Monetary Authority

In the name of Allah, the Most Gracious, the Most Merciful

MALDIVES MONETARY AUTHORITY

Circular no: CN/2025/11212

29th April 2025

To: All commercial banks

Dear Sir/Madam,

Technology-Related Operational Incident Reporting Requirements

To better manage reputational risks and uphold the integrity of the financial sector, particularly in relation to technology-related operational incidents causing disruptions to critical systems, all banks are required to adhere to the requirements set forth in this circular.

Critical System refers to any activity, function, process, system or service, whose disruption (for even a short period of time) would:

  • materially impact the continued operation of an entity,
  • adversely affect the market it serves and the broader financial system, and/or
  • compromise data integrity, damage the reputation of an entity or undermine confidence in the financial system.

The definition excludes cyber security events covered by circular no. CN-BSD/2019/18.

All banks are instructed to do the following when critical systems are affected:

  1. Notify MMA within 1 hour of the incident, including incidents where an incident response plan, disaster recovery plan, or business continuity plan is activated.

    A. Incident Notification. Banks should email bofid@mma.gov.mv with the following minimum details in the event of a critical system incident:

    • Time and date the incident was identified
    • List of affected critical system(s)
    • Brief description of the incident
    • Action taken
    • Expected timeframe for resolution

    B. Summary Report. A summary report should be submitted on the day that the incident is resolved.

Maldives Monetary Authority | Phone: +960 3314940 / +960 3339880 | SWIFT: MMAUMVMV | Email: mail@mma.gov.mv | mma.gov.mv


    C. Full Incident Report. Banks are required to submit to MMA a detailed report of the incident within 7 working days of the occurrence. The full incident report should include:

    • Impact Assessment (Business impact, Stakeholders impact, Financial and market impact, Reputational impact, Regulatory and Legal impact)
    • Detailed Chronological order of events
    • Detailed Root Cause Analysis
    • Final assessment and Remediation
    • Steps taken to prevent future occurrences

  2. Banks should notify MMA at least 24 hours in advance for any scheduled downtimes affecting systems, including justification for the downtime.

  3. Banks should inform customers regarding scheduled downtimes of systems that may impact the customers at least 12 hours in advance. Customers should be notified using the most appropriate and effective mass media channels such as social media, in-app messages and public announcements.

  4. In the event of unexpected downtime caused by a technology-related operational incident, banks should promptly notify customers, and once the normal services are restored, customers should be informed of the cause of the disruption, and they should be assured about the safety of their funds and integrity of data. Banks should ensure customers are informed through mass media channels, including official platforms of the bank's website and social media accounts. In addition, banks should address individual customer concerns and complaints in a timely manner.

Banks should be mindful of the public sentiment and perception, ensuring that in the aftermath of a technology-related operational incident, banks actively manage public concerns. Furthermore, banks should work to minimize ambiguity arising from lack of communication, which may lead to reputational risks for both the institution and the broader financial sector.

Yours sincerely,

Mohamed Muaz

Managing Director Financial Stability
