2017-06-19
Thank you for providing this comprehensive guide on the Cybersecurity Framework for Financial Institutions in Kenya. It is clear that the Central Bank of Kenya (CBK) has put significant thought into developing a robust framework to help financial institutions protect their systems and data against cyber threats. To summarize, here are the key points you should focus on:

1. Board Commitment and Oversight: The board must demonstrate its commitment to cybersecurity by ensuring that there is an appropriate governance structure in place, with clear responsibility for overseeing cybersecurity risks and controls.

2. Risk Assessment and Management: Regular risk assessments should be conducted to identify potential cyber threats and vulnerabilities. This involves understanding the threat landscape, identifying critical assets, assessing existing controls, and prioritizing actions based on risk appetite and risk tolerance.

3. Incident Response Plan: An incident response plan must be in place that outlines the steps to be taken during and after a security incident. This should include roles and responsibilities of staff, incident detection and assessment, reporting, escalation, and strategies deployed.

4. Chief Information Security Officer (CISO): The introduction of the role of the CISO is crucial for proactive cybersecurity management. They are responsible for overseeing and implementing the institution's cybersecurity program, enforcing the cybersecurity policy, maintaining comprehensive cyber risk registers, and reporting to the board on a regular basis.

5. Regular Independent Assessment and Test: Both internal auditors (within the Internal Audit team) and external auditors should conduct regular independent threat and vulnerability assessment tests. This includes understanding the institution's IT infrastructure, use of IT, and the impact of IT on financial statements.

6. Training/Awareness: Institutions must implement IT security awareness training programs for all employees. They should also provide ongoing technical training to cybersecurity specialists within the institution and offer information about good IT security practices, common threat types, and the institution's policies and procedures to customers and clients as well.

7. Reporting: Financial institutions are required to submit their Cyber Security Policy, strategies, and frameworks to the Central Bank of Kenya by 31st August 2017. They must also notify CBK immediately if they become aware of a cybersecurity incident that could have a significant and adverse impact on the institution's ability to provide adequate services to its customers, its reputation, or its financial condition.

Remember, the key to effective cybersecurity is not just about implementing security measures but also about understanding the risks involved and continuously monitoring and updating those measures accordingly. So, keep this comprehensive framework handy as you work towards strengthening your institution's cybersecurity posture.