2026-01-01
The Central Bank of Barbados issued this March 2026 guideline to establish comprehensive technology and cyber risk management standards for regulated entities. The document mandates robust oversight by the Board and Senior Management, requiring the implementation of formal risk frameworks, IT policies, and security awareness programs. It further prescribes specific operational controls for system security, incident response, data protection, and the management of third-party and cloud outsourcing risks.
Confidential
TECHNOLOGY AND CYBER RISK MANAGEMENT GUIDELINE
CENTRAL BANK OF BARBADOS
March 2026

TECHNOLOGY AND CYBER RISK MANAGEMENT GUIDELINE, MARCH 2026, BANK SUPERVISION DEPARTMENT, CENTRAL BANK OF BARBADOS

Table of Contents

Cyber Lexicon    4
Technology and Cyber Risk Management Guideline    14
6.8 Problem Management    48
7. Operational Infrastructure Security Management    48
7.1 Data Loss Prevention    49
7.2 Technology Refresh Management    50
7.3 Networks and Security Configuration Management    51
7.4 Vulnerability Assessment and Penetration Testing (VAPT)    52
7.5 Patch Management    53
7.6 Security Monitoring and Detection    54
8. Online Financial Services    56
8.2 Online Systems Security    56
8.3 Mobile Online Services and Payments Security    58
8.4 Payment Card Security (ATMs, Credit and Debit Cards)    58
8.5 Payment Card Fraud    59
8.6 ATMs and Payment Kiosks Security    60
9. Systems Reliability, Availability and Recoverability    61
9.1 Systems Availability    61
9.2 Data Backup Management    62
9.3 Data Backup Management Specific for Payment Service Providers    62
9.4 Disaster Recovery Plan    62
9.5 Disaster Recovery Testing    64
9.6 Data Centre Protection    64
9.7 Data Centre Resiliency    65
9.8 Cyber-Attack Exercises    66
9.9 Crisis Communication and Responsible Disclosure    67
10. Management of IT Outsourcing Risks    68
10.1 Sub-Outsourcing of Critical or Important Functions    69
10.2 Cloud Computing    71
11. Internet of Things    71
12. Artificial Intelligence (AI) and Machine Learning (ML)    72
13. Forensic Analysis    75
14. Information and Intelligence Sharing    76
Cyber Lexicon [1]

Notes:
• Terms defined in the lexicon are italicized when used in definitions within the lexicon.
• When used in the lexicon, “entity” includes a natural person where the context requires.

[1] The Cyber Lexicon was developed by the Financial Stability Board (FSB) in an effort to foster a common understanding of relevant cyber security and cyber resilience terminology across the financial sector and other industry sectors. The terms and definitions in the lexicon were developed only for use with respect to the financial services sector and the financial institutions therein. The lexicon is not intended for use in the legal interpretation of any international arrangement or agreement or any private contract.

Access Control: Means to ensure that access to assets is authorised and restricted based on business and security requirements. Source: ISO/IEC 27000:2018

Accountability: Property that ensures that the actions of an entity may be traced uniquely to that entity. Source: ISO/IEC 2382:201

Advanced Persistent Threat (APT): A threat actor that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple threat vectors. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to execute its objectives. Source: Adapted from NIST

Artificial Intelligence: The theory and development of computer systems able to perform tasks that traditionally have required human intelligence. Source: FSB (2017)

Asset: Something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation. Source: ISACA Fundamentals

Authenticity: Property that an entity is what it claims to be. Source: ISO/IEC 27000:2018

Availability: Property of being accessible and usable on demand by an authorised entity. Source: ISO/IEC 27000:2018

Campaign: A grouping of coordinated adversarial behaviours that describes a set of malicious activities that occur over a period of time against one or more specific targets. Source: Adapted from STIX

Compromise: Violation of the security of an information system. Source: Adapted from ISO 21188:2018

Confidentiality: Property that information is neither made available nor disclosed to unauthorised individuals, entities, processes or systems. Source: Adapted from ISO/IEC 27000:2018

Course of Action (CoA): An action or actions taken to either prevent or respond to a cyber incident. It may describe technical, automatable responses but can also describe other actions such as employee training or policy changes. Source: Adapted from STIX

Critical (Shared) Service: An activity performed within the institution or outsourced to third parties where failure would lead to the inability to perform critical functions and, therefore, to the disruption of functions vital for the functioning of the real economy or for financial stability. Source: Adapted from the FSB Recovery and Resolution Planning for Systemically Important Financial Institutions; Guidance on Identification of Critical Functions and Critical Shared Services.

Cyber: Relating to, within, or through the medium of the interconnected information infrastructure of interactions among persons, processes, data, and information systems. Source: Adapted from CPMI-IOSCO (citing NICCS)

Cyber Advisory: Notification of new trends or developments regarding a cyber-threat to, or vulnerability of, information systems. This notification may include analytical insights into trends, intentions, technologies or tactics used to target information systems. Source: Adapted from NIST

Cyber Alert: Notification that a specific cyber incident has occurred, or a cyber-threat has been directed at an organisation’s information systems. Source: Adapted from NIST

Cyber Event: Any observable occurrence in an information system. Cyber events sometimes provide indication that a cyber incident is occurring. Source: Adapted from NIST (definition of “Event”)

Cyber Incident: A cyber event that: i. jeopardizes the cyber security of an information system or the information the system processes, stores or transmits; or ii. violates the security policies, security procedures or acceptable use policies, whether resulting from malicious activity or not. Source: Adapted from NIST (definition of “Incident”)

Cyber Incident Response Plan: The documentation of a predetermined set of instructions or procedures to respond to and limit consequences of a cyber incident. Source: Adapted from NIST (definition of “Incident Response Plan”) and NICCS

Cyber Risk: The combination of the probability of cyber incidents occurring and their impact. Source: Adapted from CPMI-IOSCO, ISACA Fundamentals (definition of “Risk”) and ISACA Full Glossary (definition of “Risk”)

Cyber Security: Preservation of confidentiality, integrity and availability of information and/or information systems through the cyber medium. In addition, other properties, such as authenticity, accountability, non-repudiation and reliability can also be involved. Source: Adapted from ISO/IEC 27032:2012

Cyber Threat: A circumstance with the potential to exploit one or more vulnerabilities that adversely affects cyber security. Source: Adapted from CPMI-IOSCO

Data Breach: Compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to data transmitted, stored or otherwise processed. Source: Adapted from ISO/IEC 27040:2024

Defence-in-Depth: Security strategy integrating people, processes and technology to establish a variety of barriers across multiple layers and dimensions of the organisation. Source: Adapted from NIST and FFIEC

Denial of Service (DoS): Prevention of authorised access to information or information systems; or the delaying of information system operations and functions, with resultant loss of availability to authorised users. Source: Adapted from ISO/IEC 27033-1:2015

Detect (function): Develop and implement the appropriate activities to identify the occurrence of a cyber event. Source: Adapted from NIST Framework

Distributed Denial of Service (DDoS): A denial of service that is carried out using numerous sources simultaneously. Source: Adapted from NICCS

Exploit: Defined way to breach the security of information systems through vulnerability. Source: ISO/IEC 27039:2015

Identify (function): Develop the organisational understanding to manage cyber risk to assets and capabilities. Source: Adapted from NIST Framework

Indicators of Compromise (IoCs): Identifying signs that a cyber incident may have occurred or may be currently occurring. Source: Adapted from NIST (definition of “Indicator”)

Identity and Access Management (IAM): Encapsulates people, processes and technology to identify and manage the data used in an information system to authenticate users and grant or deny access rights to data and system resources. Source: Adapted from ISACA Full Glossary

Incident Response Team (IRT) [also known as CERT or CSIRT]: i. Team of appropriately skilled and trusted members of the organisation that handles incidents during their life cycle. Source: ISO/IEC 27035-1:2016. ii. A group of individuals usually consisting of security analysts organised to develop, recommend, and coordinate immediate mitigation actions for containment, eradication, and recovery resulting from computer security incidents. Also referred to as CERT (Computer Emergency Response Team) or CIRT (Computer Incident Response Team). Source: NIST SP 800-137

Incident: i. An unplanned interruption to a service, a reduction in the quality of a service or an event that has not yet impacted the service to the customer or user. Source: ISO/IEC 20000-1. ii. A violation or imminent threat of violation of computer security policies, acceptable use policies, guidelines or standard security practices. Source: ISACA

Information Sharing: An exchange of data, information and/or knowledge that can be used to manage risks or respond to events. Source: Adapted from NICCS

Information System: Set of applications, services, information technology assets or other information-handling components, which includes the operating environment. Source: Adapted from ISO/IEC 27000:2018

Integrity: Property of accuracy and completeness. Source: ISO/IEC 27000:2018

IT incident: i. A single event or set of events that are not part of the ordinary delivery of IT services that causes, or may cause, an interruption to, or a reduction in, the quality and operation of that IT service. Examples include virus outbreaks, malware infiltration, system hacking, account impersonation or compromise, phishing attacks, internal sabotage or denial of service attacks. Source: Adapted from ISACA. ii.

Malware: Software designed with malicious intent containing features or capabilities that can potentially cause harm directly or indirectly to entities or their information systems. Source: Adapted from ISO/IEC 27032:2012

Licensee: An entity which has been issued with a license under the Financial Institution Act, CAP324A (FIA).

Machine Learning: A subset of AI, defined as a “method of designing a sequence of actions to solve a problem, known as algorithms, which optimise automatically through experience and with limited or no human intervention.” Source: FSB (2017)

Multi-Factor Authentication: The use of two or more of the following factors to verify a user’s identity:

Recover (function): Develop and implement the appropriate activities to maintain plans for cyber resilience and to restore any capabilities or services that were impaired due to a cyber incident. Source: Adapted from NIST Framework

Regulated Entity: It refers to a licensee and a payment service provider, as defined under the Financial Institutions Act, Cap. 324A and the National Payment System Act, 2021, respectively, to which this Guideline applies, unless otherwise stated.

Reliability: Property of consistent intended behaviour and results. Source: ISO/IEC 27000:2018

Respond (function): Develop and implement the appropriate activities to take action regarding a detected cyber event. Source: Adapted from NIST Framework

Scenario-based testing: A test that assesses a financial institution’s response, resumption and recovery plans in order to strengthen operational resilience. Scenario-based tests address an appropriately broad scope of scenarios including simulation of extreme but plausible cyber-attacks, and are designed to challenge the assumptions of response, resumption and recovery practices, including governance arrangements and communication plans. Scenario-based tests may use cyber threat intelligence and cyber threat modelling to the extent possible to imitate the unique characteristics of cyber threats. Examples of security incidents include virus outbreaks, malware infiltrations, systems hacking, account impersonation or compromise, phishing attacks, internal sabotage or denial of service attacks. Source: CPMI-IOSCO Guidance on cyber resilience for FMIs

Security Incident: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores or transmits, or that constitutes a violation of security policies, security procedures or acceptable use policies. Source: NIST SP 800-128

Situational Awareness: The ability to identify, process and comprehend the critical elements of information through a cyber-threat intelligence process that provides a level of understanding that is relevant to act upon to mitigate the impact of a potentially harmful event. Source: CPMI-IOSCO

Social Engineering: A general term for trying to deceive people into revealing information or performing certain actions. Source: Adapted from FFIEC

Tactics, Techniques and Procedures (TTPs): The behaviour of a threat actor. A tactic is the highest-level description of this behaviour, while techniques give a more detailed description of behaviour in the context of a tactic, and procedures an even lower-level, highly detailed description in the context of a technique. Source: Adapted from NIST 800-150

Threat Actor: An individual, a group or an organisation believed to be operating with malicious intent. Source: Adapted from STIX

Threat Assessment: Process of formally evaluating the degree of threat to an organisation and describing the nature of the threat. Source: Adapted from NIST

Threat Intelligence: Threat information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making processes. Source: NIST 800-150

Threat-Led Penetration Testing (TLPT) [also known as Red Team Testing]: A controlled attempt to compromise the cyber resilience of an entity by simulating the tactics, techniques and procedures of real-life threat actors. It is based on targeted threat intelligence and focuses on an entity’s people, processes and technology, with minimal foreknowledge and impact on operations. Source: G-7 Fundamental Elements

Threat Vector: A path or route used by the threat actor to gain access to the target. Source: Adapted from ISACA Fundamentals

Traffic Light Protocol (TLP): A set of designations used to ensure that information is shared only with the appropriate audience. It employs a pre-established color-code to indicate expected sharing boundaries to be applied by the recipient. Source: Adapted from FIRST

Verification: Confirmation, through the provision of objective evidence, that specified requirements have been fulfilled. Source: ISO/IEC 27042:2015

Vulnerability: A weakness, susceptibility or flaw of an asset or control that can be exploited by one or more threats. Source: Adapted from CPMI-IOSCO and ISO/IEC 27000:2018

Vulnerability Assessment: Systematic examination of an information system, and its controls and processes, to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures and confirm the adequacy of such measures after implementation. Source: Adapted from NIST
Technology and Cyber Risk Management Guideline

The Technology and Cyber Risk Management Guideline (“The Guideline”) is general in nature and is not intended to replace or override any legislative provisions. It should be read in conjunction with the provisions of applicable legislation as well as related guidelines issued by the Central Bank of Barbados (“the Bank”).
1.6 The Guideline also addresses key cyber risks that payment systems face, including:

a) Disruption of critical services: Typically, one of the most relevant considerations for payment service providers is the availability of payment-related services. Often, retail payment services need to be available on a continuous basis. Ensuring cyber resilience and the continuous availability of such services, especially when consumers expect 24/7 operations and the immediate availability of funds, is often a top priority. Cyber-attacks such as distributed denial of service (DDoS) or ransomware may render critical systems and services unavailable. Similarly, the disruption of services at a key service provider or in other sectors of the economy may affect the payment service provider’s ability to provide its services as expected. For example, a DDoS attack on an internet service provider (ISP) of a payment service provider, which disrupts Internet-based processes, may cause payment services to become unavailable to consumers. An important aspect to consider here is that even when a payment service provider has more than one internet service provider, payments may still be affected if multiple internet service providers are affected by a cyber incident simultaneously, or within a short period of time.

b) Unauthorised disclosure: As with other financial institutions, ensuring the confidentiality of sensitive information is critical for payment service providers. The unauthorised disclosure of sensitive information about the organisation (e.g., the Board’s internal discussions) may lead to serious reputational damage. Similarly, the unauthorised disclosure of privileged IT and business users’ credentials on a hacker forum may be used to craft further attacks on the organisation or to conduct fraudulent activities.

c) Compromise of data integrity: Another critical aspect to consider is the authenticity and correctness of payments. Users of payment services expect that their transactions have not been modified or altered. Protection against data interception, wiretapping and the alteration of transaction-related messages must be implemented to ensure the integrity of transactions.

d) Third-party compromise: Payment service providers commonly rely on a complex supply chain ecosystem that encompasses third parties providing a variety of services such as cloud infrastructure hosting and data processing, telecommunication channels, software development, etc. Third-party risk must be viewed within the context of outsourcing risk. The compromise of a trusted third party may allow an attacker to gain unauthorised access to the organisation’s network and systems. The end result of unauthorised access stemming from third-party compromise may vary widely, ranging from payment-related fraud to the sabotage of payment-related services and the destruction of critical data or information.

e) Compromise of data privacy: A data breach arising from the unauthorised disclosure of sensitive customer information may lead to serious reputational damage and monetary loss due to non-compliance penalties, and may increase the risk of fraudulent transactions.

f) Loss of information: Payment service providers may lose critical operational information due to ransomware or the inability to restore information after a cyber incident. This may affect the organisation’s business continuity.

g) Access channel compromise: A breach of the security of access channels used in the payment ecosystem, such as QR codes or mobile banking applications, could lead to fraud, identity theft or compromise of data confidentiality. Scammers may replace a legitimate QR code with a fraudulent one to route payments to a different destination, lead the customer to a malicious website that installs malware on the end-user’s device, or request the customer to enter bank account information such as login credentials. Security vulnerabilities in mobile banking applications may lead to similar risks if exploited by an attacker. This may negatively affect consumers’ confidence in the payment system arrangement.

h) Proxy service compromise: Inappropriate protection of the proxy identifier or alias database may lead to the registration of fraudulent aliases or unauthorised changes to the aliases, allowing cybercriminals to conduct fraudulent transactions.

1.7 This Guideline is based on the international standards and industry best practices established by a number of standard-setting bodies, including, inter alia, the National Institute of Standards and Technology (NIST), CPMI-IOSCO, ISACA, and ISO/IEC 27000.

1.8 The structure of this document is presented in Figure 1.

Figure 1: Structure of Guideline. Sections 1-4: Technology & Cyber Risk Management; 5-7: Operational IT Guidelines; 8: Online Financial Services; 9: BCM/DRP; 10: Outsourcing; 11: IoT; 12: AI and ML; 13: Forensic Analysis; 14: Information & Intelligence Sharing.

2. Application and Scope

2.1 This Guideline is intended to establish a standardised approach for the management of technology and cyber risk and is applicable to:

a) all entities that are licensed under the Financial Institutions Act, Cap. 324A (FIA) (“licensees”);

b) payment service providers as defined under section 2 of the National Payment System Act, 2021 (Act 2021-1).

For the purposes of this Guideline, unless otherwise stated, licensees and payment service providers are hereinafter collectively referred to as “Regulated Entities”. Sections specifically applicable to payment service providers only are identified separately.

2.2 Regulated entities (including parent companies or financial holding companies for banking groups) must ensure that, at a minimum, this Guideline is also implemented in their branches and majority-owned subsidiaries abroad and, where permitted in the host country, ensure that those operations apply the higher of local and host standards. Regulated entities must inform the Bank if the host laws and regulations prohibit the implementation of this Guideline and take appropriate additional measures to effectively address technology and cyber risks.

2.3 The Bank recognises that there may be differences in the approaches adopted by institutions. Regulated entities are therefore expected to design and implement a technology and cyber risk management framework commensurate with the:

a) nature and scale of the business;

b) level of complexity of financial services offered and supporting technologies;

c) degree of risk associated with each area of operation.

2.4 Notwithstanding section 2.1, where material deviations from this Guideline are contemplated, regulated entities must demonstrate to the Bank that the alternative measures have at least an equivalent effect of ensuring strong and effective cyber resilience.
Moreover, the acceptable and proven alternative should ensure the security of the institution’s and customers’ assets, relative to an agreed and established maturity level. 2.5 The Guideline contains both advisory and obligatory requirements. Advisory matters are expressed by way of the phrase “the regulated entity or regulated entities may” or “the payment service provider or payment service providers may” and regulated entities are permitted to implement alternative but effective measures in these circumstances. Mandatory requirements are
TECHNOLOGY AND CYBER RISK MANAGEMENT GUIDELINE MARCH 2026 BANK SUPERVISION DEPARTMENT CENTRAL BANK OF BARBADOS 19 TECHNOLOGYAND CYBER RISKMANAGEMENTGUIDELINE expressed using the phrase the “regulated entity or regulated entities must” or “the payment service provider or payment service providers must”. 3. Oversight of Technology and Cyber Risks by the Board and Senior Management 3.0.1 IT is a core function that facilitates the delivery of an institution's products and services. If critical systems fail and users cannot access financial services, the impact on customers would be far reaching. This would result in significant consequences to the regulated entity, including financial and reputational damage as well as significantly disrupting financial stability. In view of the importance of the IT function in supporting a regulated entity’s operations, their respective Board of Directors (“the Board”) and Senior Management must have full oversight of technology and cyber risks and ensure that the regulated entity’s IT function is capable of supporting its business objectives and regulatory obligations. 3.1 The Role of the Board and Senior Management 3.1.1 Regulated entities must utilize their existing governance structure to establish, document and oversee the implementation of an effective cyber resilience approach that enables them to respond and adapt to, as well as recover and learn from, disruptive events in order to minimize their impact on delivering critical operations through disruption. 3.1.2 The Board must demonstrate its commitment to the oversight of technology and cyber risk management and seek to: a) Ensure that the Board approved IT and cyber security strategy is in alignment with the institution’s overall business strategy. 
b) Ensure that the regulated entity’s IT and cyber security strategy encompasses the management of technology and cyber risk and documents its cyber resilience approach, taking into account the institution’s tolerance for disruption to its critical services and functions.
c) Ensure that the regulated entity’s policies effectively address instances where the entity’s capabilities are insufficient to meet its stated tolerance for disruption.
d) Take an active role in establishing a broad understanding of the regulated entity’s cyber resilience approach, ensuring that its objectives are clearly communicated to all relevant parties, including personnel, third
parties and intragroup entities.
e) Ensure that the number and skills of the regulated entity’s ICT staff are adequate to support its operational needs and risk management processes on an ongoing basis, and to implement its IT and cyber resilience strategy.
f) Ensure that Senior Management sets clear roles and responsibilities and establishes organizational committees to provide adequate oversight, risk ownership and accountability, for example through the three lines of defence model.
g) Ensure that the Board includes member(s) with adequate IT and cyber risk management expertise.

3.1.3 Senior Management is responsible for the implementation of the Board-approved IT and cyber security strategy and must ensure that a sound and robust technology risk management framework is established and maintained.

3.1.4 Senior Management must assign responsibility for managing technology and cyber risks to senior officers. It must also ensure that an appropriate organisational structure and adequate resourcing are in place for managing technology and cyber risks across the regulated entity.

3.1.5 Senior Management must be involved in key IT decisions and:
a) Assume full responsibility for ensuring that effective internal control and risk management practices are implemented to achieve security, reliability, resiliency and recoverability.
b) Ensure that adequate technology and cyber risk awareness and management is applied throughout the regulated entity.
c) Inform the Board promptly of technology and cyber risk developments and incidents that may have a significant impact on the regulated entity.
d) Monitor and evaluate existing and future trends in technology that may impact the business strategy, including overall industry trends.
3.1.6 The Board must see to it that Section 3.1.3 is complied with, and that the corresponding risk tolerance for the regulated entity is understood and approved.
3.1.7 Depending on the nature, scale and complexity of its business, a regulated entity must establish the role of Chief Information Security Officer (CISO) or an appropriately designated senior-level officer. Key responsibilities of this role must include, inter alia:
a) Implementing and overseeing the cyber security program
b) Aligning cybersecurity and business objectives
c) Reporting on cybersecurity
d) Monitoring incident response activities
e) Managing incident response activities
f) Managing business continuity and disaster recovery
g) Promoting a culture of strong information security and risk awareness
h) Managing information security vendor relationships
i) Utilising cybersecurity budgets effectively
j) Overseeing cybersecurity personnel within the organization
k) Ensuring cybersecurity awareness and training.

3.1.8 In addition to the above, regulated entities’ IT and cyber policies must document additional roles and responsibilities for Senior Management as appropriate, to further facilitate cyber resilience. These roles may include the Chief Risk Officer (CRO), the Incident Coordinator, the Business Continuity Manager, etc.

3.1.9 Regulated entities must also ensure that structures and programmes are in place so that Senior Management are continually equipped to fulfil their roles and responsibilities and remain highly skilled in regard to cyber security.

3.2 IT Policies, Standards and Procedures

3.2.1 Regulated entities must establish IT policies, standards and procedures to manage technology and cyber risks and safeguard information system assets[2] in the organization in line with current industry standards.
The regulated entity’s Board (or a delegated committee) must remain responsible for IT policy approvals, while Senior Management or an equivalent committee is responsible for the approval of IT procedures. This facilitates the protection of regulated entities’ information systems and of the information processed by such systems.

3.2.2 Regulated entities must identify and document all critical functions, key roles, processes and information assets that support those functions, and update this information on a regular basis.

[2] Information system assets refer to data, systems, network devices and other IT equipment.
3.2.3 IT policies and procedures reflect Board and Senior Management guidance and direction in developing controls over information systems and related resources. They must also be in alignment with business objectives and relevant laws and regulations.

3.2.4 Regulated entities must identify and document all processes that are dependent on third-party service providers, identify their interconnections, and update this information on a regular basis.

3.2.5 Given the rapid changes in the IT operating and security environment, policies, standards and procedures must be reviewed, updated and approved at least annually, or more often as needed.

3.2.6 Compliance processes must be implemented to verify that IT security standards and procedures are enforced. Follow-up processes must be implemented so that compliance deviations are remediated on a timely basis.

3.2.7 All regulated entities must establish an information security policy based on the regulated entity’s risk assessment and must mitigate the identified cyber threats commensurate with its risk tolerance.

3.2.8 Regulated entities must maintain an up-to-date inventory of all critical functions, key roles, processes, information assets, third-party service providers and interconnections. Regulated entities must integrate identification efforts with other relevant processes, such as acquisition and change management, in order to facilitate a regular review of the inventory.

3.2.9 The information security policy must be a high-level document that outlines the principles and rules to protect the confidentiality, integrity and availability of customer data and information.
In defining the institution’s approach to managing information security, the policy document must contain:
a) Information security and its overall objectives and scope, as well as its alignment to business strategy and objectives.
b) A description of the main roles and responsibilities of information security management, as well as of staff and service providers. This must also include reporting security incidents to regulators.
c) A framework for establishing and implementing security measures to
mitigate IT and cyber risk, and must address:
• Organisation and governance – an enterprise risk management framework to identify risks and to conduct risk assessments on a regular basis of all the critical functions, key roles, processes, information assets, third-party service providers and interconnections, in order to determine, classify and document their level of criticality.
• Logical security – procedures for logical access controls must be monitored and periodically reviewed and must include the following control elements, inter alia:
- Need to know and least privilege
- Regular review of privileged access rights
- Logging of user activities
- Access management
- Authentication methods
- Maintenance of a comprehensive inventory of individual and system accounts
- Regular review of the account inventory
• Cryptographic controls – controls to prevent unauthorized access to cryptographic keys. A corresponding policy and procedures must be developed for the management of, and access to, cryptographic materials.
• Physical security – procedures for physical access must be documented and implemented to protect against unauthorised entry and environmental hazards.
• IT operations security programme – procedures to prevent the occurrence of security issues in IT systems and services and to minimize the impact on service delivery. The measures implemented must include, inter alia:
- Identification of potential vulnerabilities
- Implementation of secure configuration baselines for all network components
- Implementation of network segmentation, data loss prevention and encryption of network traffic (in accordance with the data classification)
- Protection of end points, including servers, workstations and mobile devices
- Mechanisms to verify the integrity of software and data
- Encryption of data at rest and in transit (in accordance with the data classification)
- Risk assessments before implementing new or updated technologies, products, services or connections, with reassessment when new cyber-risk information arises (e.g. new vulnerabilities, test results or configuration changes). The results of the risk assessments must be incorporated into the cyber resilience strategy and framework.
- Creation and maintenance of a simplified network map of network resources, with an associated IP address plan that locates the routing and security devices and the servers supporting the regulated entity’s critical functions, and that identifies links with the outside world.
• Security monitoring – this must allow the regulated entity to:
- Detect anomalous activities that may impact its information security and generate appropriate alerts
- Actively monitor technological developments to identify new vulnerabilities in hardware and software
- Identify relevant trends in support of new or ongoing investigations
- Ensure information security reviews and assessments
- Ensure information security testing
- Ensure information security training and awareness

3.3 IT Policies, Standards and Procedures specific for Payment Service Providers

3.3.1 Payment service providers must establish processes to manage the creation, modification or deletion of user access rights. These actions must be submitted to and approved by appropriate staff and must be recorded for review if necessary.

3.3.2 Payment service providers must have a dedicated policy that covers all the characteristics of its authentication mechanisms (e.g. passwords, smart cards, biometrics, etc.)
and is in line with relevant standards (such as NIST SP 800-63B Rev.4). Default authentication settings (e.g. passwords and unnecessary default accounts) must be deactivated, changed or removed before systems, software and/or services go live.
3.4 People Selection Process

3.4.1 Careful selection of staff, vendors and contractors is crucial to minimize technology risks arising from system failure, internal sabotage or fraud.

3.4.2 Regulated entities must implement a screening process that is comprehensive and effective, as people play an important role in managing systems and processes in an IT environment.

3.4.3 Staff, vendors and contractors who are authorized to access a regulated entity’s systems must also be required to adhere to the regulated entity’s information system security policy.

3.5 IT Security Awareness

3.5.1 A comprehensive information security awareness training program must be established to enhance the overall IT security awareness levels within the regulated entity’s organizational structure.

3.5.2 The training program must include information on information security policies and standards as well as each employee’s individual responsibility to protect information system assets.

3.5.3 Designated employees of the regulated entity, based on their roles, must be made aware of the applicable laws, regulations and guidelines pertaining to the usage, deployment and access to information security resources.

3.5.4 The information security awareness training program must be conducted and updated at least annually, so that the contents of the program remain current and relevant. The review must also take into consideration the evolving nature of technology as well as emerging risks.

3.5.5 Regulated entities must also take the necessary steps to measure and monitor the effectiveness of the security awareness training program implemented.
3.6 People and Security Awareness 3.6.1 Regulated entities must embed cybersecurity at each stage of the employment life cycle, specifying security-related actions required during the induction of each employee and their ongoing management, and upon
the termination of their employment. This includes:
a) Prior to employment, regulated entities must carry out background security checks on all candidates (employees and/or contractors) commensurate with their future role and with the criticality of the assets and information they might have access to in order to fulfil their duties. Responsibilities for cybersecurity must be clearly stated in the contractual agreement or equivalent binding document of the regulated entity (e.g. Code of Conduct).
b) During employment, regulated entities must ensure that employees and contractors comply with established policies, procedures and controls. When an employee changes responsibilities, the regulated entity must ensure that all access rights related to the previous position that are not necessary for the new responsibilities are revoked in a timely manner. Employees moving into sensitive positions (for example, roles requiring privileged access to critical systems, or roles that make them high-risk staff) must be screened before taking up the role.
c) Regulated entities must establish procedures to revoke all departing employees’ access rights to information assets in a timely manner. On termination of employment, staff must be required to return all assets that belong to the regulated entity, including important documentation (e.g. related to business processes, technical procedures and contact details), equipment, software and authentication hardware, etc.

3.6.2 At least once per year, regulated entities must provide their entire staff (employees and/or contractors) with training to support cybersecurity policy compliance and the incident reporting process.
This training must include elements aimed at maintaining appropriate awareness of cyber-related risks and good practices for dealing with potential cyber incidents, including how to report unusual activity. Cybersecurity awareness training must be part of the onboarding program for new staff.

3.6.3 Regulated entities must ensure that high-risk staff receive dedicated security awareness training that is relevant to their responsibilities.

3.6.4 A training programme should also be conducted annually for Board members and should include incident response and current cyber threats such as phishing, spear phishing, social engineering and mobile security, as well as emerging issues.

3.6.5 Prior to going into service operations, staff operating new payment systems must receive appropriate user training and be familiar with the operating procedures.
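The logical-security control elements in 3.2.9 (need to know and least privilege, regular review of privileged access rights, a comprehensive inventory of individual and system accounts and its regular review), the access-rights and default-account requirements for payment service providers in 3.3, and the mover and leaver requirements in 3.6.1 b) and c) together describe what a periodic access review has to establish. The Python below is an added worked example of such a review; it is not part of the Guideline and not the tooling of any regulated entity. The account inventory, HR roster, role matrix and list of vendor default account names are constructed sample data, and every field name is an assumption; in practice the same fields would be read from the directory, the HR system and the documented role matrix.

```python
"""Periodic access review: evidence for the controls in 3.2.9, 3.3 and 3.6.1.

Added worked example, not part of the Guideline. All data below is constructed
sample data and the field names (id, owner, enabled, privileged, entitlements,
last_review, status, role) are assumptions about how an inventory is recorded.
"""
from datetime import date, timedelta

# Constructed account inventory (3.2.9: inventory of individual and system
# accounts). owner=None marks a system/service account with no human owner.
ACCOUNTS = [
    {"id": "jdoe", "owner": "E001", "enabled": True, "privileged": False,
     "entitlements": {"core_banking_ro", "email"}, "last_review": date(2026, 1, 10)},
    {"id": "asmith-adm", "owner": "E002", "enabled": True, "privileged": True,
     "entitlements": {"core_banking_rw", "db_admin", "email"}, "last_review": date(2025, 6, 1)},
    {"id": "svc_payments", "owner": None, "enabled": True, "privileged": True,
     "entitlements": {"payments_api"}, "last_review": date(2026, 2, 15)},
    {"id": "bwhite", "owner": "E003", "enabled": True, "privileged": False,
     "entitlements": {"email"}, "last_review": date(2026, 1, 10)},
    {"id": "admin", "owner": None, "enabled": True, "privileged": True,
     "entitlements": {"db_admin"}, "last_review": None},  # vendor default, never reviewed
]

# Constructed HR roster: staff id -> employment status and current role.
ROSTER = {
    "E001": {"status": "active", "role": "teller"},
    "E002": {"status": "active", "role": "dba"},
    "E003": {"status": "left", "role": "teller"},  # departed, account still enabled
}

# Constructed role matrix: the minimum entitlements each role needs
# (need to know / least privilege).
ROLE_MATRIX = {
    "teller": {"core_banking_ro", "email"},
    "dba": {"db_admin", "email"},
    "payments_ops": {"payments_api", "email"},
}

# Assumed list of vendor/default account names that 3.3.2 requires to be
# deactivated, changed or removed before go-live.
DEFAULT_ACCOUNT_NAMES = {"admin", "administrator", "root", "guest", "sa", "test"}

# Review date used by the stand-alone run below (constructed).
REVIEW_DATE = date(2026, 3, 1)


def default_accounts(accounts):
    """Enabled accounts whose name is a known vendor default (3.3.2)."""
    return sorted(a["id"] for a in accounts
                  if a["enabled"] and a["id"].lower() in DEFAULT_ACCOUNT_NAMES)


def orphaned_accounts(accounts, roster):
    """Enabled individual accounts whose owner is not an active staff member (3.6.1 c).
    An owner missing from the roster is treated as not active, not as unknown."""
    return sorted(a["id"] for a in accounts
                  if a["enabled"] and a["owner"] is not None
                  and roster.get(a["owner"], {}).get("status") != "active")


def stale_privileged_reviews(accounts, today, max_age_days=90):
    """Privileged accounts not reviewed within max_age_days (3.2.9).
    An account with no recorded review is always stale."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(a["id"] for a in accounts
                  if a["privileged"]
                  and (a["last_review"] is None or a["last_review"] < cutoff))


def entitlements_to_revoke(current, new_role, role_matrix):
    """Mover case (3.6.1 b): everything held that the new role does not need.
    Refuses to guess when the role is not in the matrix."""
    if new_role not in role_matrix:
        raise KeyError(f"unknown role {new_role!r}; role matrix must be updated first")
    return set(current) - role_matrix[new_role]


def excess_entitlements(accounts, roster, role_matrix):
    """Active individual accounts holding entitlements beyond their current role."""
    findings = {}
    for a in accounts:
        staff = roster.get(a["owner"]) if a["owner"] else None
        if not a["enabled"] or staff is None or staff["status"] != "active":
            continue  # system accounts and leavers are covered by the other checks
        extra = entitlements_to_revoke(a["entitlements"], staff["role"], role_matrix)
        if extra:
            findings[a["id"]] = sorted(extra)
    return findings


def review(accounts, roster, role_matrix, today):
    """One pass over the inventory, returning the findings a review should record."""
    return {
        "default_accounts": default_accounts(accounts),
        "orphaned_accounts": orphaned_accounts(accounts, roster),
        "stale_privileged_reviews": stale_privileged_reviews(accounts, today),
        "excess_entitlements": excess_entitlements(accounts, roster, role_matrix),
    }


if __name__ == "__main__":
    for finding, items in review(ACCOUNTS, ROSTER, ROLE_MATRIX, REVIEW_DATE).items():
        print(f"{finding}: {items}")
```

Each check returns its findings rather than only printing them, so the output can be attached to the review record: default accounts still enabled (3.3.2), accounts whose owner is no longer active (3.6.1 c), privileged accounts not reviewed within the review interval (3.2.9), and entitlements a mover holds beyond what the role matrix grants the new role (3.6.1 b). Two deliberate choices: an account with no recorded review is reported as stale rather than passed silently, and an unknown role raises an error instead of guessing which access is required.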
4. Technology and Cyber Risk Management Framework

4.0.1 A technology risk management framework must be established to manage technology and cyber risks in a systematic and consistent manner and must encompass the following attributes:
a) Roles and responsibilities for the management of technology risks
b) Periodic updating of the identification of information system assets and their criticality
c) Definitions of risk appetite and risk tolerance
d) Periodic updating of the identification and assessment of the impact and likelihood of current and emerging threats, risks and vulnerabilities
e) Implementation of appropriate practices and controls to mitigate risks
f) Periodic updating of the risk assessments to include changes in systems, environmental or operating conditions that could affect the risk analysis.

4.0.2 Effective risk management practices and internal controls must be instituted to achieve data confidentiality[3], integrity, availability, information security, reliability, resiliency and recoverability in the organization.

4.0.3 Regulated entities must regularly review and update their technology and cyber risk management framework to make continuous improvements based on implementation, monitoring and other lessons learned (such as past incidents).

4.0.4 Regulated entities must consider the following elements of risk management when establishing the cyber risk management framework:
a) Accountability for technology and cyber risk management, including for relevant oversight functions.
b) Technology and cyber risk appetite and measurement, such as limits, thresholds and tolerance levels.
c) A technology and cyber risk taxonomy.
d) Control domains for technology and cyber security.
e) Policies, standards and processes governing technology and cyber risk, which are approved, regularly reviewed and consistently implemented enterprise-wide.
f) Processes for identifying, assessing, managing, monitoring and reporting on technology and cyber risks, including processes for managing exceptions.
g) Management of unique risks posed by emerging threats and technologies.
h) Reporting to Senior Management on technology and cyber risk appetite measures, exposures and trends to inform the regulated entity’s current and emerging risk profile.

[3] Data confidentiality refers to the protection of sensitive or confidential information, such as customer data, from unauthorized access, disclosure, etc.

4.1 Information System Assets

4.1.1 Information system assets must be adequately identified, inventoried, and protected from unauthorized access, misuse or fraudulent modification, insertion, deletion, substitution, suppression or disclosure.

4.1.2 Regulated entities must establish clear policies on information system asset protection. The criticality of information system assets must be identified and ascertained in order to develop appropriate plans to protect them. Security and risk-based classification processes must be in place to prescribe a criticality assessment, mitigating controls, business continuity requirements, ownership and treatment.

4.2 Risk Identification

4.2.1 Risk identification entails the determination of the threats and vulnerabilities to a regulated entity’s IT environment, which comprises the internal and external networks, hardware, software, applications, (third-party) services, system interfaces, operations and human elements throughout the supply chain.

4.2.2 A threat may take the form of any condition, circumstance, incident or person with the potential to cause harm by exploiting a vulnerability in a system. The source of the threat can be natural, human or environmental. Humans are significant sources of threats through deliberate acts or omissions which could inflict extensive harm on a regulated entity and its information systems.
4.2.3 Cybersecurity threats, such as those manifested in denial of service attacks, ransomware, internal sabotage, malware infestation or other attacks, could cause severe harm and disruption to the operations of a regulated entity, with consequential losses for all parties affected. Regulated entities must be vigilant in identifying and monitoring such risks, as this is a crucial step in containing risk.
4.3 Risk Assessment

4.3.1 Following risk identification, regulated entities must perform an analysis and quantification of the potential impact and consequences of these risks on their overall business and operations.

4.3.2 Regulated entities must analyse the impact and likelihood of the threats and vulnerabilities that could cause harm to the organization, including severe but plausible scenarios.

4.3.3 Regulated entities must develop a means to prioritize IT risk mitigation based on likelihood and impact assessments. In addition, regulated entities must assess their risk tolerance for damages and losses in the event that a given risk-related event materializes.

4.3.4 Regulated entities must maintain an IT operations security program designed to protect the confidentiality, integrity and availability of the regulated entity’s information systems. The cybersecurity program must be based on the regulated entity’s assessment of cyber risk and must be designed to perform the following core cybersecurity functions:
a) Identify and assess internal and external cyber risks that may threaten the security and integrity of private information stored on the regulated entity’s information systems.
b) Use defensive infrastructure and the implementation of policies and procedures to protect the regulated entity’s information systems, and the non-public information stored on those information systems, from unauthorized access, use or other malicious acts.
c) Detect cybersecurity events.
d) Respond to identified or detected cybersecurity events to mitigate any negative effects.
e) Recover from cybersecurity events and restore normal operations and services.
f) Fulfil applicable regulatory reporting obligations.
4.4 Risk Treatment

4.4.1 For each type of risk identified, regulated entities must develop and implement risk mitigation and control strategies that are consistent with the criticality and value of the information system assets and the level of risk tolerance.

4.4.2 Risk mitigation entails a methodical approach for evaluating, prioritizing and implementing appropriate risk-reduction controls. A combination of
technical, procedural, operational and functional controls provides a rigorous means of reducing risks and remediating identified vulnerabilities. In addition, taking out insurance cover for various insurable risks, including recovery and restitution costs, must be considered.

4.4.3 As it may not be practical to address all known risks simultaneously or in the same timeframe, regulated entities must give priority to threat and vulnerability pairings that could cause significant harm or impact to the regulated entity’s operations.

4.4.4 It is imperative that regulated entities are able to manage and control risks in a manner that maintains their financial and operational viability and stability. When deciding on the adoption of risk controls and security measures, regulated entities must balance the impact on all stakeholders against the benefits to be derived.

4.4.5 Regulated entities must refrain from implementing and running a system where the threats to the safety and soundness of their core and critical IT services are insurmountable and the risks cannot be adequately controlled.

4.5 Risk Monitoring and Reporting

4.5.1 Regulated entities must maintain a risk register which facilitates the monitoring and reporting of risks. Risks of the highest severity must be accorded top priority and monitored closely, with regular reporting on the actions that have been taken to mitigate them. Regulated entities must update the risk register periodically and institute a monitoring and review process for continuous assessment and treatment of risks.

4.5.2 To facilitate risk reporting to management, regulated entities must develop IT risk metrics to highlight systems, processes or infrastructure that have the highest risk exposure.
In determining the IT risk metrics, regulated entities must consider risk events, regulatory requirements and audit observations. 4.5.3 An overall cyber risk profile of the organization must also be provided to the Board and Senior Management which highlights the effective implementation of the cyber resilience strategy and framework on a regular basis and its evolution over time. The report must include relevant information and indicators. For example, inter alia: a) The percentage of incidents reported within a defined timeframe per applicable incident category. b) The percentage of vulnerabilities mitigated within a defined time period after discovery.
c) The percentage of staff that have received cyber security training.

4.5.4 Risk parameters may shift as the IT environment and delivery channels change. Regulated entities must therefore review and update their risk processes accordingly, and conduct, at a minimum, an annual evaluation of risk-control methods that includes an assessment of the adequacy and effectiveness of IT controls and risk management processes. The frequency of the evaluations must be determined by changes to the regulated entity’s environment, business circumstances, legal conditions or IT environment.

4.5.5 Management of the IT function must review and update its IT risk control and mitigation approach, considering the changing cyber landscape and variations in the regulated entity’s risk profile.

5. Operational IT Risk Guidelines

5.0.1 Many systems fail due to poor system design and implementation, as well as inadequate testing. Regulated entities must identify system deficiencies and defects at the system design, development and testing phases. Regulated entities must also establish a foundation for IT maturity and IT project management that focuses specifically on security requirements, system testing and end-user risks, so as to strengthen the IT landscape.

5.0.2 Ongoing attention must be given to the sufficiency of the IT security measures in place and to risk management throughout the project life cycle.
5.1 IT Project Management

5.1.1 The management of all projects initiated within a regulated entity must be in alignment with the Board-approved IT strategy and conducted using the standard project management approach, which would include phases such as initiation, planning, control and execution, closure and post-implementation review.

5.1.2 In establishing a project management framework, regulated entities must ensure, inter alia, that:
a) Roles and responsibilities are defined which facilitate governance and management review, decision making and delivery management activities.
b) The nature and scope of the project are defined to confirm and develop a common understanding of project scope among stakeholders.
c) Tasks and processes for developing or acquiring new systems include project risk assessment and classification, and critical success factors are defined for each project phase.
d) The approach to project quality and implementation is well defined, and a record is maintained of any risks faced by project management.
e) Project performance is measured against project performance criteria.
f) Project resources are managed effectively.

5.1.3 Regulated entities must also establish a steering committee for large or complex projects, consisting of business owners, the development team and other stakeholders, to provide oversight and monitoring of the progress of the project, including the deliverables to be realized at each phase of the project and the milestones to be reached according to the project timetable. The steering committee must have a clear communication line with Senior Management.

5.1.4 Regulated entities must clearly document project plans for all IT projects.
In the project plans, regulated entities must clearly set out the deliverables to be realized at each phase of the project as well as the milestones to be reached.

5.1.5 Regulated entities must ensure that functional, performance and security requirements, business cases, cost-benefit analyses, system designs, technical specifications and test plans are approved by the relevant business and IT management.

5.1.6 Regulated entities must establish management oversight of the project to ensure that milestones are reached and deliverables are realized in a timely manner. Regulated entities must escalate issues or problems which cannot be resolved at the project committee level to Senior Management for
attention and intervention.

5.2 System Security Requirements and Testing

5.2.1 Regulated entities must define and implement all necessary security and cyber-resilience requirements at the earliest stage of system design, development or acquisition, and maintain them throughout the system development life cycle. This includes specifying controls for access, authentication, transaction authorization, data integrity, logging, security event tracking and exception handling, and ensuring that vulnerabilities are minimized and security controls are embedded from inception.

5.2.2 Regulated entities must adopt a bespoke system development life cycle (SDLC) methodology that embeds the resilience-by-design approach when designing, building, acquiring or modifying systems, processes and products. At each stage of the SDLC, regulated entities must manage cyber risk accordingly and integrate resilience based on the results of risk analysis.

5.2.3 Regulated entities must develop security controls that address cybersecurity, physical security and people-related security risk. These controls must be designed in alignment with the threat landscape and the entity’s business objectives. For payment service providers, security controls must also be prioritized and implemented based on the specific risks to payment services (risk-based security approach).

5.2.4 A methodology for system testing[4] must be established. The scope of tests must cover business logic, security controls and system performance under various stress-load scenarios and recovery conditions.

5.2.5 Regulated entities must ensure that appropriate testing is performed based on the risk of the system changes being deployed. This includes full regression testing for major systems.
Users whose systems and operations are affected by the system changes must review and sign off on the outcome of the tests.

5.2.6 Regulated entities must conduct penetration testing prior to the commissioning of a new system which offers internet accessibility and open network interfaces. Where a regulated entity deviates from this requirement, it must document the exception properly and have it available to the Bank upon request. Where no prior penetration testing is possible, penetration testing must be performed within the first six (6) months after implementation, and the reasons must be explained and documented. Regulated entities unable to commit to this timeframe must write to the Bank to advise of the challenges experienced, accompanied by an action plan. Regulated entities must also perform continuous vulnerability scanning of the external and internal network components that support the changed and current system landscape.

[4] System testing is broadly defined to include unit, modular, integration, system and user acceptance testing.

5.2.7 Regulated entities must establish and maintain a comprehensive testing program that covers, among other things, both business continuity and incident response, as an integral part of its cyber risk management framework. The testing program must incorporate a wide range of methodologies, practices and tools for monitoring, assessing and evaluating the effectiveness of the core components of the cyber risk management framework.

5.2.8 Regulated entities must adopt a risk-based approach in developing the comprehensive testing program. This must be reviewed and updated on a regular basis, taking due account of the evolving threat landscape and the criticality of information assets.

5.2.9 Regulated entities must develop appropriate capabilities and involve, where necessary, all relevant internal stakeholders (including business lines and operational units) when implementing the testing program.

5.2.10 Regulated entities must ensure that the tests are undertaken by independent parties, whether internal or external.

5.2.11 For continuous improvement of their cyber resilience posture, regulated entities must establish policies and procedures to prioritize and remedy issues identified from the various tests, and perform subsequent validation to assess whether gaps have been fully addressed.

5.2.12 Regulated entities must ensure that Senior Management incorporates lessons learned from the test results and reports the resultant framework changes to the Board.
5.2.13 Regulated entities must test critical systems, applications and data recovery plans at least annually. 5.2.14 In addition, regulated entities must test response, resumption and recovery plans, including governance and coordination, and crisis communication arrangements and practices, at least annually. 5.2.15 Regulated entities must test the information backups periodically to verify they are accessible and readable. 5.2.16 Regulated entities must develop a documented and regularly updated
TECHNOLOGY AND CYBER RISK MANAGEMENT GUIDELINE MARCH 2026 BANK SUPERVISION DEPARTMENT CENTRAL BANK OF BARBADOS 35 TECHNOLOGYAND CYBER RISKMANAGEMENTGUIDELINE vulnerability management process in order to classify, prioritize and remedy potential weaknesses identified in vulnerability assessments and perform subsequent validation to assess whether gaps have been fully addressed. 5.2.17 The regulated entity’s vulnerability management process must help identify technical, processual, organizational and emerging weaknesses in critical functions. 5.2.18 Regulated entities must conduct vulnerability scanning for external-facing services and internal systems and networks on a regular basis. 5.2.19 Regulated entities must perform vulnerability assessments before any deployment or redeployment of new or existing services supporting critical functions, applications and infrastructure components for fixing bugs and weaknesses, consistently with change and release management processes in place. 5.2.20 Regulated entities must perform different scenario-based tests, including extreme but plausible scenarios, to evaluate and improve its incident detection capability, as well as response, resumption and recovery plans. Scenario-based tests can take the form of desktop exercises or crisis simulation exercises (CSEs). 5.2.21 The regulated entity’s Board and Senior Management must be engaged in the scenario-based test, when appropriate. 5.2.22 The regulated entity must test the extent to which internal skills, processes and procedures can adequately respond to extreme but plausible scenarios, with a view to achieving stronger operational resilience. 5.2.23 Regulated entities must perform penetration tests, engaging all critical internal and external stakeholders in the penetration testing exercises: system owners, business continuity, and incident and crisis response teams. 
5.3 System Security Requirements and Testing Specific for Payment Service Providers 5.3.1 Payment service providers must conduct penetration tests on their externalfacing services and the internal systems and networks to identify vulnerabilities in the adopted technology, organization and operations regularly, or at least on an annual basis. Penetration tests must be conducted using a risk-based approach and, at the very least, in cases of major changes and new system deployment.
5.3.2 The payment service provider's vulnerability management process must explicitly address weaknesses in payment-critical functions and supporting processes.

5.3.3 Payment service providers must regularly review the effectiveness and adequacy of their information security management system, via audits, certification or other relevant forms of assurance.

5.3.4 Payment service providers must develop processes and procedures and explore potential technologies to constantly adjust and refine the implemented security countermeasures (controls). This will help to ensure that payment service providers are protected against known and emerging threats, based on knowledge and best practices obtained from other payment service providers across the ecosystem and through the use of threat intelligence.

5.3.5 Payment service providers' information systems must implement transaction recovery mechanisms for transaction-based systems, which might include transaction rollback and logging.

5.4 End User Development

5.4.1 There are common business application tools and software which allow business users to develop simple applications to automate their operations, perform data analysis and generate reports for the regulated entity and customers. Regulated entities must perform an assessment to ascertain the importance of these applications to the business.

5.4.2 Recovery measures, user access and data protection controls, at a minimum, must be implemented for such applications.

5.4.3 Regulated entities must review and test end user developed program codes, scripts and macros based on the risk assessment conducted. This must be done before these applications are used, to verify their integrity and reliability.

5.5 IT Audit

5.5.1 As technology risks evolve with the growing complexity of the IT environment, there is an increasing need for regulated entities to develop effective internal control systems to manage technology risks.

5.5.2 IT audit provides the Board and Senior Management with an independent and objective assessment of the effectiveness of controls that are applied within the IT environment to manage technology and cyber risks.

5.5.3 Regulated entities must establish an organizational structure and reporting lines for IT audit in a way that preserves the independence and objectivity of the IT audit function.

5.6 Audit Planning and Remediation Tracking

5.6.1 Regulated entities must ensure that the scope of IT audit is comprehensive and includes all critical IT operations. An IT audit plan, comprising auditable IT areas for the coming year, must be developed. The IT audit plan must be approved annually by Senior Management and the Board.

5.6.2 Regulated entities must establish an audit cycle that determines the frequency of IT audits. The audit frequency must be commensurate with the criticality and risk of the IT system or process.

5.6.3 The audit must be performed independently by an internal audit function or an external auditor, employing a risk-based approach, with the capacity to review and provide objective assurance of compliance with the regulated entity's information security policies and procedures as well as regulatory guidance.

5.6.4 The auditors must be sufficiently knowledgeable and possess the requisite skills and expertise in IT and cyber risk controls in order to conduct the audit efficiently and effectively.

5.6.5 A formal follow-up process, including provisions for the timely verification and remediation of critical IT and cybersecurity audit findings, must be established.

6. IT Service Management

6.0.1 A robust IT service management framework is essential for supporting IT systems, services and operations, managing changes, incidents and problems, as well as ensuring the stability of the production IT environment.

6.0.2 The framework must comprise the governance structure, processes and procedures for change management, software release management, incident and problem management as well as capacity management, program migration and the management of (privileged) user access onto the IT landscape.
6.1 Change Management

6.1.1 Regulated entities must establish a change management process to ensure that changes to production systems are logged, assessed, prioritized, approved, scheduled, implemented and reviewed in a controlled manner. The framework must be based on well-established and industry-recognized standards and best practices (e.g. the Information Technology Infrastructure Library).

6.1.2 Regulated entities must have policies, procedures and controls in place for change management, which must include criteria for prioritizing and classifying the changes (for example normal vs. emergency change). Prior to any change, regulated entities must ensure that the change request is:
a) reviewed to ensure that it meets the regulated entity's business needs;
b) categorized and assessed to identify potential risks and to ensure that it will not negatively impact confidentiality, integrity and availability, or the regulated entity's systems and data;
c) approved by the appropriate level of management before it is implemented;
d) documented, including all associated procedures, such as the specific configurations required.

6.1.3 A tracking and reporting system must be maintained to document rejected changes and communicate the status of approved, in-process and completed changes.

6.1.4 All change requests must be evaluated to determine the impact on business processes and IT services, and assessed to determine any adverse effect on the operational environment and any introduction of unacceptable risk.

6.1.5 The change management process must include automated system and security configurations, patches for hardware devices and software updates.

6.1.6 Prior to deploying changes to the production environment, regulated entities must perform a risk and impact analysis of the change request in relation to existing infrastructure, network, upstream and downstream systems.

6.1.7 Regulated entities must also determine if the introduced change would create security implications or software compatibility problems for affected systems or applications. Regulated entities must adequately test the impending change and ensure that it is accepted by users prior to the migration of the changed modules to the production system.

6.1.8 Regulated entities must develop and document appropriate test plans for the impending change. Regulated entities must also obtain test results with user sign-offs prior to the migration. Tests may include integration tests, non-regression tests, user acceptance tests, systems acceptance testing or other instruments.

6.1.9 Regulated entities must ensure that processes are in place to schedule change implementation and communicate to those impacted prior to implementation, including consulting them when necessary.

6.1.10 All changes to the production environment must be approved by personnel delegated with the authority to approve change requests. Changes to information systems include, but are not limited to, modifying hardware, software or firmware components and system and security configuration settings.

6.1.11 Regulated entities must have processes to identify, assess and approve credible and genuine emergency changes. Post-implementation reviews should be conducted to validate that emergency procedures were appropriately followed and to determine the impact of the emergency change.

6.1.12 Regulated entities must ensure that the cybersecurity team is involved throughout the life cycle of the change management process, as appropriate.

6.1.13 To minimize risks associated with changes, regulated entities must perform backups of affected systems or applications prior to the change. Regulated entities must consider building a segregated or separate environment that mirrors the production environment, allowing rapid testing of changes and patches before they are implemented.

6.1.14 Regulated entities must also establish a rollback plan to revert to a former version of the system or application if a problem is encountered during or after the deployment. Regulated entities must establish alternative recovery options to address situations where a change does not allow a regulated entity to revert to a prior status.

6.1.15 Audit and security logs facilitate investigations and troubleshooting. Regulated entities must ensure that the logging facility is enabled to record activities that are performed during the migration process.
6.2 Program Migration

Program migration involves the movement of software codes and scripts from the development environment to test and production environments. Unauthorized and malicious codes which are injected during the migration process could compromise data, systems and processes in the production environment.

6.2.1 Regulated entities must separate physical or logical environments for systems development, testing (e.g. user and system acceptance testing), staging and production.

6.2.2 Regulated entities must closely monitor vendors' and developers' access to all their environments.

6.2.3 Where controls in the non-production environment are different from or less stringent than those in the production environment, regulated entities must perform a risk assessment and ensure that sufficient preventive and detective controls have been implemented before connecting a non-production environment to the internet.

6.2.4 Segregation of duties must be enforced where feasible so that no single individual has the ability to develop, compile and move object codes from one environment to another. In cases where segregation of duties is not completely possible, regulated entities must document and explain this process as well as present a suitable alternative.

6.2.5 After a change has been successfully implemented in the production environment, the change must also be replicated and migrated to disaster recovery systems or applications for consistency.

6.3 User Access Management

6.3.1 Regulated entities must establish and administer user accounts in accordance with a Role-Based Access Control (RBAC) scheme that organizes allowed information system access rights and privileges into roles. Role assignments must be reviewed regularly by appropriate staff (for example management and system owners, or others as needed) in order to take appropriate action when privileged role assignments are no longer appropriate.

6.3.2 Regulated entities must only grant user access to IT systems and networks on a need-to-use basis and within the period when the access is required. Regulated entities must ensure that the resource owner duly authorizes and approves all requests to access IT resources.
6.3.3 Regulated entities must implement specific procedures to allocate privileged access on a need-to-use or an event-by-event basis. Administrators must have two types of accounts: one for general purposes and one for administrative tasks. The use of privileged accounts must be closely monitored and controlled. The use of generic accounts for administration purposes must be strictly limited and traceable. Whenever possible, user and administrator accounts must be nominative and clearly identifiable (e.g. using a dedicated taxonomy for usernames which ensures that positions and roles are not apparent).

6.3.4 Employees of vendors or service providers who are given authorized access to regulated entities' critical systems and other computer resources pose similar risks as internal staff. Regulated entities must subject these external employees to close supervision, monitoring and access restrictions similar to those expected of their own staff.

6.3.5 For accountability and identification of unauthorized access, regulated entities must ensure that records of user access are uniquely identified and logged for audit and review purposes.

6.3.6 Regulated entities must perform regular reviews of user access privileges to verify that privileges are granted appropriately and according to the 'least privilege' principle. The process may facilitate the identification of dormant and redundant accounts as well as the detection of wrongly provisioned access.

6.3.7 Passwords represent the first line of defence, and if not implemented appropriately, they can be the weakest link in the organization. Thus, regulated entities must enforce strong password controls over users' access to applications and systems. Password controls must include a change of password upon first logon, minimum password length and history, password complexity as well as maximum validity period.

6.3.8 Regulated entities must ensure that no one has concurrent access to both production systems and backup systems, particularly data files and computer facilities. Regulated entities must also ensure that any person who needs to access backup files or system recovery resources is duly authorized for a specific reason and a specified time only.

6.3.9 Regulated entities must also implement controls to prevent unauthorized privilege escalation via the use of technical and other control mechanisms that trigger automated notification to appropriate staff in the case of changes to user access profiles.
6.4 Privileged Access Management

6.4.1 Information security ultimately relies on trusting a small group of skilled staff, who must be subject to proper checks and balances. Their duties and access to system resources must be placed under close scrutiny. Regulated entities must apply stringent selection criteria and thorough screening when appointing staff to critical operations and security functions, considering insider threat.

6.4.2 Regulated entities must adopt the following controls and security practices:
a) Implement strong authentication mechanisms, such as two-factor authentication, where possible for privileged users.
b) Institute strong controls over remote access by privileged users.
c) Restrict the number of privileged users.
d) Grant privileged access on a "need-to-have" basis.
e) Maintain audit logging of system activities performed by privileged users.
f) Disallow privileged users from accessing system logs in which their activities are being captured.
g) Review privileged users' activities on a timely basis.
h) Prohibit sharing of privileged accounts.
i) Disallow vendors and contractors from gaining privileged access to systems without close supervision and monitoring.
j) Protect backup data from unauthorized access.

6.5 Remote Access Management

6.5.1 Remote access allows users to connect to the regulated entity's internal network via an external network to access the regulated entity's data and systems, such as email and business applications. Remote connections must be encrypted to prevent data leakage through network sniffing and eavesdropping. Strong authentication, such as multi-factor authentication, must be implemented for users that have remote access. This must safeguard against unauthorized access to the regulated entity's IT environment.

6.5.2 Regulated entities must only allow remote access to their information assets from devices that have been secured, hardened and are fully patched according to their endpoint security standards.

6.5.3 Remote access infrastructure must be thoroughly tested for vulnerabilities.
If cloud infrastructure is used, a review of existing controls, a security assessment and security testing must also be conducted to make sure the controls work effectively.

6.5.4 User IT security awareness training remains crucial for users that are new to the technology, to minimize exposure to phishing and social engineering.

6.5.5 Functions dealing with critical system processes and data are normally not allowed through remote access. If the situation so requires, existing controls will need to be re-evaluated or activated when required.

6.6 Incident Management

6.6.1 The occurrence of an IT incident may result in the disruption, malfunction or error of a regulated entity's server, network or endpoint, which can impact its operations and service delivery. It can also lead to other external systems becoming affected. Regulated entities must appropriately manage such incidents to understand the root cause and identify appropriate preventative measures to reduce prolonged disruption of IT services or further aggravation.

6.6.2 Regulated entities must establish an incident management plan with the objective of restoring normal IT service as quickly as possible following the incident, and with minimal impact to the regulated entity's business operations. The plan must define and document the roles and responsibilities of all relevant internal and external parties involved in incident detection, analysis, response, recovery, communication and escalation.

6.6.3 It is important that incidents are accorded the appropriate severity level. As part of incident analysis, regulated entities may delegate the function of determining and assigning incident severity levels to a centralized technical helpdesk function. Regulated entities must train helpdesk staff to discern incidents of high severity level.

6.6.4 Severity assessment must be supported by early-warning indicators or system-disruption triggers, informed by ongoing threat assessments and risk surveillance activities. Regulated entities must maintain early-detection mechanisms, including documented early-warning indicators, to support timely escalation and resolution in accordance with defined timeframes.

6.6.5 Regulated entities must establish corresponding escalation and resolution procedures proportionate to incident severity. Incident response procedures must include internal and external communication actions with clearly defined escalation and notification triggers that support mitigation, containment and timely restoration of services. The predetermined escalation and response plan for IT security incidents must be tested on a regular basis.

6.6.6 A regulated entity's internal communication plans must also address security-related customer complaints to ensure that:
a. Incidents with a potentially high unfavourable impact on critical IT systems and services are reported to the relevant senior officer.
b. In the event of a major incident, Senior Management is informed periodically in order to effectively implement additional controls as required.

6.6.7 Regulated entities must form a computer emergency response team (CERT), comprising staff with the necessary technical and operational skills to handle major incidents.

6.6.8 In some situations, major incidents (in terms of cost, image, number of clients affected) may develop into a crisis. Senior Management must be kept apprised of the development of these incidents in real time so that the decision to activate the disaster recovery plan can be made on a timely basis. An incident must be classified within the first twenty-four (24) hours of its detection. An incident is classified as major if it satisfies the requisite criteria in the Classification Matrix found in the Appendix to the M-CIRT instructions. Regulated entities must complete the stage 1 section of the template, referred to as the Initial report, and submit it to the Bank within four (4) hours after an incident is classified as major.

6.6.9 Notwithstanding the above, the Bank must be contacted promptly pending the submission of the report template, as applicable:
a) Where a matter is classified as major within twenty-four (24) hours.
b) Where a matter reaches the media or social platforms.

6.6.10 The maintenance of customer confidence throughout a crisis or an emergency situation is of great importance to the reputation, operation and soundness of regulated entities. Therefore, regulated entities must include in their incident response procedures a predetermined action plan to keep customers informed of any major incidents where their data has potentially been compromised and/or funds withdrawn without their permission. They must also assess the effectiveness of the mode of communication to the general public, customers, staff and other relevant stakeholders.

6.6.11 Within the incident response plan, regulated entities must establish an external communication action plan for critical business functions and processes to facilitate:
a) Effective collaboration with relevant stakeholders (supervisory authorities, law enforcement and other industry participants) in order to respond to and recover from an incident.
b) Information sharing with external parties (i.e. other financial sector participants, supervisory authorities and law enforcement authorities) as appropriate, enabling continuous learning as a collective and resulting in actionable and strategic intelligence.

6.6.12 Regulated entities must also periodically test incident-management processes with third-party service providers and external stakeholders to ensure a coordinated and effective joint response.

6.6.13 As incidents may stem from numerous factors, regulated entities must perform a root cause and impact analysis for major incidents which result in disruption of critical IT services. Regulated entities must take remediation actions to prevent the recurrence of similar incidents and security breaches.

6.6.14 Regulated entities must include in their internal operational incident report an executive summary of the major incident, an analysis of the root cause which triggered the event, its impact, as well as measures taken to address the root cause and consequences of the event.

6.6.15 Regulated entities must adequately address all incidents within the corresponding resolution timeframes and monitor all incidents to their resolution.

6.6.16 Cybersecurity events that have a reasonable likelihood of materially harming any part of the normal operation(s) of the regulated entity [5] must also be reported to the Bank via the Major Cyber Incident Reporting Template (M-CIRT) [6]. A major incident is one classified as either high or critical. Annually, each regulated entity must revise its cybersecurity program where it has identified areas, systems or processes that require material improvement, updating or redesign. Regulated entities must document the identification and the remedial efforts planned and underway to address such areas, systems or processes. Such documentation must be available for inspection by the Bank.

[5] Refer to the classification matrix in the M-CIRT Instructions.
[6] Refer to the Cyber Incident Reporting Template and accompanying Instructions.
6.6.17 Regulated entities must define standards and implement processes for incident and problem management that include the means to effectively prioritize incidents. Such prioritization may use an Impact vs. Urgency matrix, enabling timely identification and escalation of incidents, as well as the restoration and/or recovery of an affected payment system or associated system. These standards must further support the investigation and resolution of incident root causes, ensuring that incidents with higher business impact or urgency receive accelerated attention and response.

6.6.18 Impact is the effect an incident has on the business, and Urgency defines how long the business (or customer) is prepared to wait for resolution.

6.6.19 According to the Information Technology Infrastructure Library (ITIL), Priority must be a product of the Impact/Urgency matrix. It is customary that Priority has four levels, marked with the numbers 1-4, where "1" is the highest and "4" is the lowest priority. It can also be marked by the letters A-D, with A being the highest priority. Impact can be defined as the severity of the incident, for example how much downtime or how many end users are affected, while urgency is how quickly the incident needs to be resolved. The most commonly used priority matrix is reflected in Figure 2:

Figure 2: Incident Management Prioritization Matrix

Impact    Urgency    Priority
High      High       (1) Critical
High      Medium     (2) High
High      Low        (3) Moderate
Medium    High       (2) High
Medium    Medium     (3) Moderate
Medium    Low        (4) Low
Low       High       (3) Moderate
Low       Medium     (4) Low
Low       Low        (4) Low

6.6.20 In theory, for example, a major incident is a highest-impact, highest-urgency incident. It affects a large number of users, depriving the business of one or more crucial services. Regulated entities may define what "High", "Medium" and "Low" Impact is from the Incident Classification Matrix, and must inform the Bank of any additional incident categories added; Urgency can be defined as the four (4) levels of downtime also depicted in the Classification Matrix.

6.6.21 Regulated entities must continuously identify and address any gaps in their cyber incident response capabilities.
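The prioritization matrix of Figure 2 and the reporting clocks of sections 6.6.8, 6.6.9 and 6.6.16, worked through as an added Python example that is not part of the guideline or of any regulated entity's tooling. It assumes that "major" means a priority of High or Critical (the guideline's own wording) and does not reproduce the M-CIRT Classification Matrix, so the impact and urgency levels fed in are taken as already determined; the incident history is a constructed sample.

```python
"""Incident prioritization and regulatory reporting clock (added illustration).

Encodes the Impact/Urgency matrix of Figure 2 and three timing rules stated in
the guideline: classify within 24 hours of detection (6.6.8), submit the stage 1
Initial report within 4 hours of classifying an incident as major (6.6.8), and
contact the Bank promptly when a matter is classified as major or reaches the
media (6.6.9). "Major" is taken as a High or Critical priority (6.6.16); the
M-CIRT Classification Matrix itself is not reproduced here (assumption).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Level(Enum):
    HIGH = "High"
    MEDIUM = "Medium"
    LOW = "Low"


# Figure 2: (Impact, Urgency) -> (priority number, priority label).
PRIORITY_MATRIX = {
    (Level.HIGH, Level.HIGH): (1, "Critical"),
    (Level.HIGH, Level.MEDIUM): (2, "High"),
    (Level.HIGH, Level.LOW): (3, "Moderate"),
    (Level.MEDIUM, Level.HIGH): (2, "High"),
    (Level.MEDIUM, Level.MEDIUM): (3, "Moderate"),
    (Level.MEDIUM, Level.LOW): (4, "Low"),
    (Level.LOW, Level.HIGH): (3, "Moderate"),
    (Level.LOW, Level.MEDIUM): (4, "Low"),
    (Level.LOW, Level.LOW): (4, "Low"),
}

CLASSIFICATION_WINDOW = timedelta(hours=24)  # classify within 24h of detection
INITIAL_REPORT_WINDOW = timedelta(hours=4)   # stage 1 report within 4h of "major"
MAJOR_LABELS = {"High", "Critical"}          # a major incident is High or Critical


@dataclass(frozen=True)
class Classification:
    """One (re)assessment of an incident's impact and urgency."""
    at: datetime
    impact: Level
    urgency: Level

    @property
    def priority(self) -> tuple:
        return PRIORITY_MATRIX[(self.impact, self.urgency)]

    @property
    def major(self) -> bool:
        return self.priority[1] in MAJOR_LABELS


@dataclass(frozen=True)
class Obligations:
    current_priority: str
    classification_deadline: datetime
    classified_in_time: bool
    became_major_at: Optional[datetime]        # None if never classified major
    initial_report_deadline: Optional[datetime]
    contact_bank_promptly: bool


def reporting_obligations(detected_at: datetime,
                          classifications: list,
                          reached_media: bool = False) -> Obligations:
    """Derive the guideline's clocks from an incident's classification history.

    The 4-hour Initial report clock starts when the incident is *first*
    classified as major, which may be a later re-assessment rather than the
    initial triage; the 24-hour classification clock always runs from detection.
    """
    if not classifications:
        raise ValueError("an incident needs at least one classification")
    history = sorted(classifications, key=lambda c: c.at)
    first, latest = history[0], history[-1]
    classification_deadline = detected_at + CLASSIFICATION_WINDOW
    became_major_at = next((c.at for c in history if c.major), None)
    report_deadline = (became_major_at + INITIAL_REPORT_WINDOW
                       if became_major_at is not None else None)
    return Obligations(
        current_priority=latest.priority[1],
        classification_deadline=classification_deadline,
        classified_in_time=first.at <= classification_deadline,
        became_major_at=became_major_at,
        initial_report_deadline=report_deadline,
        contact_bank_promptly=became_major_at is not None or reached_media,
    )


def demo() -> Obligations:
    """Constructed sample: first triaged as Moderate, later escalated to High."""
    utc = timezone.utc
    detected = datetime(2026, 3, 2, 9, 15, tzinfo=utc)
    history = [
        Classification(datetime(2026, 3, 2, 11, 40, tzinfo=utc), Level.LOW, Level.HIGH),
        Classification(datetime(2026, 3, 2, 16, 5, tzinfo=utc), Level.MEDIUM, Level.HIGH),
    ]
    return reporting_obligations(detected, history)


if __name__ == "__main__":
    print(demo())
```

In the sample the 4-hour clock for the Initial report starts at 16:05 UTC, when the re-assessment first yields a High priority, not at detection or at the first triage.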
6.6.22 The cyber incident response plan must include plausible scenarios, including extreme but realistic scenarios. In addition, regulated entities must perform periodic scenario-based testing (including tabletop exercises) to validate incident-response readiness and identify gaps in response capabilities. Scenario exercises must reflect plausible and relevant incident scenarios informed by the entity’s threat environment. Testing must include validation of incident response playbooks, communication protocols, coordination mechanisms, and operational response tools to ensure their continued effectiveness.
6.6.23 The regulated entities must implement and maintain management information systems, appropriate to the scale, nature and complexity of their operations, to enable efficient cyber incident analysis and reporting.
6.7 Incident Reporting Criteria specific for Payment Service Providers
6.7.1 Reportable incidents may have one or more of the following characteristics:
a) Potential consequences to other regulated entities, or the Barbadian financial system.
b) Impact on the payment service provider’s systems affecting financial market settlement, confirmations or payments, or impact to payment services.
c) Impact on the payment service provider’s operations, infrastructure, data and/or systems, including but not limited to the confidentiality, integrity or availability of customer information.
i. Disruptions to business systems and/or operations, including but not limited to utility or data centre outages or loss or degradation of connectivity.
d) Operational impact on key/critical systems, infrastructure or data.
i. Disaster recovery teams or plans have been activated, or a disaster declaration has been made by a third-party vendor that impacts the payment service provider.
ii. Operational impact on internal users that poses an impact to external customers or business operations.
e) The number of impacted external customers is increasing; negative reputational impact is imminent (e.g., public and/or media disclosure).
f) Impact on a third party affecting the payment service provider.
g) The payment service provider’s technology or cyber incident management team or protocols have been activated.
h) An incident has been reported to:
i. A local government department
ii. Other local or foreign supervisory or regulatory organisations or agencies
iii. Any law enforcement agencies
i) An incident for which internal or external counsel has been engaged.
j) An incident for which a cyber insurance claim has been initiated.
k) An incident assessed by a payment service provider to be of high or critical severity.
l) Technology or cyber security incidents that breach internal risk appetite or thresholds.
6.8 Problem Management
6.8.1 The regulated entities must establish problem management processes and procedures to determine and resolve the root cause of incidents to prevent the recurrence of similar incidents.
6.8.2 The regulated entities must record incidents, including the lessons learnt, to facilitate the diagnosis and resolution of future incidents with similar characteristics.
6.8.3 A trend analysis of past incidents must be performed by the regulated entities to identify commonalities and patterns in the incidents and verify whether the root causes of the problems have been properly identified and resolved. The regulated entities must also use the analysis to determine if further measures are necessary.
7. Operational Infrastructure Security Management
7.0.1 The IT landscape is vulnerable to various forms of cyber-attacks [7], and the frequency and malignancy of attacks are increasing. It is imperative that regulated entities implement security solutions at the data, application, database, operating system and network layers to adequately address and contain these threats.
7.0.2 Appropriate technological measures must be implemented to protect sensitive or confidential information, such as customers’ personal, account and transaction data, which is stored and processed in systems.
Customers must be properly authenticated before access to online transaction functions and sensitive personal or account information is permitted. Sensitive customer information, including login credentials, passwords and personal identification numbers (PINs), and multi-factor authentication (MFA) mechanisms must be secured against exploits such as ATM skimming, hacking, phishing and malware.
7 Cyber-attacks include phishing, denial of service attacks, spamming, sniffing, spoofing, hacking, keylogging, middleman interception, and other malware attacks from mutating viruses and worms.
7.0.3 Special care must be taken to manage and monitor the use of system and service accounts for suspicious or unauthorized activities, to protect all components if a virtualization solution is used (including the hypervisor, virtual images and snapshots), and to vet and strongly secure any Application Programming Interfaces (APIs) [8] and keys from introduction until retirement.
7.1 Data Loss Prevention
7.1.1 Internal sabotage, clandestine espionage or furtive attacks by trusted staff, contractors and vendors are potentially among the most serious risks that regulated entities could face in an increasingly complex and dynamic IT environment. Current and past staff, contractors, vendors and others who have knowledge of the inner workings of the institution’s systems, operations and internal controls have a significant advantage over external attackers. A successful attack not only jeopardizes customer confidence in the regulated entity’s internal control systems and processes but also causes real financial loss when proprietary information is divulged. Regulated entities must identify important data and adopt adequate measures to detect and prevent unauthorized access, copying or transmission of confidential information.
7.1.2 Regulated entities must develop a comprehensive data loss prevention strategy to protect sensitive or confidential information, taking into consideration the following:
a) Data at endpoint - Data which resides in notebooks, personal computers, portable storage devices and mobile devices.
b) Data in motion - Data that traverses a network or that is transported between sites.
c) Data at rest - Data in computer storage, which includes files stored on servers, databases, backup media and storage platforms.
7.1.3 To achieve security of data at endpoints, regulated entities must implement appropriate measures to address the risks of data theft, data loss and data leakage from endpoint devices, customer service locations, and call centres. Regulated entities must protect confidential information stored in all types of endpoint devices with strong encryption and access controls.
8 APIs are access points that allow user and program interaction with an application.
7.1.4 Regulated entities must not divulge confidential information through social media sites.
7.1.5 For the purpose of exchanging confidential information with external parties, regulated entities must take utmost care to preserve the confidentiality and integrity of the information. For this purpose, regulated entities must at all times take appropriate measures, including sending information through encrypted channels (e.g. via an encrypted mail protocol) or encrypting the email and its contents using strong encryption with an adequate key length that meets their security objectives and requirements. Regulated entities must send the encryption key via a separate transmission channel to the intended recipients. Alternatively, regulated entities may choose other secure means to exchange confidential information with the intended recipients.
7.1.6 Regulated entities must encrypt data as a result of their data classification and risk assessment processes. Regulated entities must also use encryption and general cryptographic controls in line with recognized standards and processes, which cover aspects such as algorithm, key length and key generation.
7.1.7 Confidential information stored on IT systems, servers, and databases must be encrypted and protected through strong access controls, bearing in mind the principle of “least privilege” [9].
7.1.8 Regulated entities must assess the various methods by which data could be securely removed from storage media and implement measures to prevent the loss of confidential information through the disposal of IT systems. In determining the appropriate media sanitization method to use, regulated entities must take into consideration the security requirements of the data residing on the media.
7.2 Technology Refresh Management
7.2.1 To facilitate the tracking of IT resources, regulated entities must maintain an up-to-date inventory of software and hardware components used in the production and disaster recovery environments, which includes all relevant associated warranty and other support contracts related to the software and hardware components.
9 Least privilege is defined as assigning privileges on a “need-to-have” basis.
7.2.2 Regulated entities must actively manage their IT systems and software so that outdated and unsupported systems, which significantly increase their exposure to technology risks, are replaced on a timely basis. Regulated entities must pay close attention to a product’s end-of-support (“EOS”) date, as it is common for vendors to cease the provision of patches, including those relating to security vulnerabilities that are uncovered after the product’s EOS date.
7.2.3 Regulated entities must establish a technology refresh plan to ensure that systems and software are replaced in a timely manner. Regulated entities must conduct a risk assessment for systems approaching EOS dates to assess the risks of continued usage and establish effective risk mitigation controls where necessary.
7.3 Networks and Security Configuration Management
7.3.1 Regulated entities must configure and maintain IT systems, devices, and network infrastructure with security settings consistent with the expected level of protection to minimize exposure to cyber threats. The configuration must also be commensurate with the regulated entity’s risk profile and specific network environments.
7.3.2 Regulated entities must establish, document, and maintain baseline system and security configuration standards for information systems and system components to facilitate consistent application across operating systems, databases, network devices, enterprise mobile devices, and remote access environments. This includes appropriate security policies that define proper access criteria to systems and applications.
7.3.3 Regulated entities must conduct regular enforcement checks and reviews to ensure baseline configurations are applied uniformly, non-compliance is identified and investigated, and configuration standards remain effective against evolving threats.
7.3.4 Regulated entities must deploy appropriate network security mechanisms, including firewalls, intrusion detection and prevention systems, and internal network controls, at critical points within the IT infrastructure to protect network perimeters and minimize lateral movement, insider threat risks and security exposures from third parties or overseas systems. These mechanisms must include the following:
a) The deployment of anti-malware software to servers, if applicable, and workstations. The anti-malware software must be configured to update its definition files daily, with Endpoint Detection and Response (EDR) configured on servers and workstations.
b) The implementation of a defense-in-depth security architecture, based on network and data flow diagrams that identify hardware, software and network components, internal and external connections, and the type of information exchanged between systems. Regulated entities must maintain current and complete network and data flow diagrams.
7.3.5 Regulated entities must segment network infrastructure into trusted and untrusted zones, enforce least-privilege access policies, and segregate sensitive traffic using appropriate network management controls.
7.3.6 Regulated entities must harden network infrastructure and systems using recognized industry security standards and must strictly control and monitor configuration changes, including restricting programs capable of altering or overriding system settings. This also applies to devices and environments used for accessing the regulated entity’s network remotely.
7.3.7 Regulated entities must use secure network and communication protocols (e.g. Secure Shell and protocols relying on transport layer security (TLS) or equivalent) where appropriate, to ensure the confidentiality and integrity of information transmitted within internal networks and across external and remote connections. This is especially important where Wireless Local Area Networks (WLANs) are deployed within the organization.
7.3.8 Regulated entities must conduct periodic reviews of network architecture, security design, system interconnections, and network security device rules to identify vulnerabilities and confirm the ongoing appropriateness and effectiveness of controls.
7.4 Vulnerability Assessment and Penetration Testing (VAPT)
7.4.1 Vulnerability Assessment (VA) is the process of identifying, assessing and discovering security vulnerabilities in a system. Regulated entities must conduct VAs at least annually to detect security vulnerabilities in the IT environment, and the VAs must be commensurate with the criticality of the IT system and the technology risk to which it is exposed.
7.4.2 Regulated entities must deploy a combination of automated tools and manual techniques to perform a comprehensive VA of both operating systems and software applications. For web-based external-facing systems, the scope of the VA must include common web vulnerabilities such as SQL injection and cross-site scripting.
7.4.3 Regulated entities must establish a process to remedy issues identified in VAs and perform subsequent validation of the remediation to confirm that gaps are fully addressed.
7.4.4 Regulated entities must carry out penetration tests in order to conduct an in-depth evaluation of the cybersecurity posture of the system through simulations of actual attacks on the system. Regulated entities must conduct penetration tests on internet-facing systems at least annually, or whenever these systems undergo major changes or updates. Full-scope penetration tests must be conducted at least once every two years, as deemed applicable.
7.4.5 Regulated entities must have VAPT conducted by independent testers with sufficient knowledge, skills and expertise in testing information security measures and who are not involved in the development of the information security measures.
7.4.6 Another type of penetration testing, known as Threat-Led Penetration Testing (TLPT), must also be conducted by regulated entities. The purpose of TLPT is to assess and provide insights on an entity’s resilience capabilities against a real-world simulated cyber incident. The scope and risk management of the simulation would be proportionate to the type, size, complexity, structure and risk profile of the regulated entity.
7.4.7 Regulated entities must also conduct scenario-based testing, which is designed to benchmark the performance of cyber security controls against specific adversarial tactics and behaviours. These exercises can be market-driven or regulator-driven and can result in a more resilient financial sector.
7.5 Patch Management
7.5.1 Regulated entities must establish patch management procedures and ensure that they include the identification, categorization, and prioritization of security patches.
To implement security patches in a timely manner, regulated entities must establish the implementation timeframe for each category of security patches.
7.5.2 The application of patches, if not carried out appropriately, could potentially impact other peripheral systems. As such, regulated entities must perform adequate testing of security patches before deployment into the production environment.
7.5.3 Regulated entities must have a comprehensive patch management policy and processes that include:
(a) maintaining current knowledge of available patches;
(b) identifying appropriate patches for particular systems and analysing the impacts if installed;
(c) assuring that patches are installed properly (e.g. by applying the four-eyes principle) and tested prior to and monitored after installation; and
(d) documenting all associated procedures, such as specific configurations required.
7.5.4 Regulated entities must consider using standardized configuration of IT resources to facilitate the patch management process.
7.5.5 Regulated entities must ensure that the installation of new patches has prior approval from the appropriate level of management.
7.5.6 Regulated entities must have in place the necessary procedures for recovering quickly when changes or patches fail. Any change to the production environment must have an associated fall-back plan, when applicable.
7.5.7 Regulated entities must have controls to prohibit changes and patch installations to the information system that have not been pre-approved.
7.6 Security Monitoring and Detection
7.6.1 Security monitoring is a critical function within the IT environment to detect and respond to malicious, unauthorized, or anomalous activities affecting systems, applications, data, and networks. To facilitate prompt detection, regulated entities must establish, implement, and maintain appropriate people, processes, and technology for continuous security monitoring and detection.
7.6.2 Regulated entities must implement network surveillance and security monitoring controls, including intrusion detection and prevention mechanisms as well as centralized security information and event management (SIEM) capabilities. This will allow regulated entities to correlate alerts across systems and business units and to detect complex or multi-pronged attacks such as distributed denial of service or coordinated account compromise. Monitoring and detection capabilities must be informed by relevant threat and vulnerability intelligence from reliable sources.
7.6.3 Regulated entities must perform real-time monitoring of security events for critical systems, applications, and network infrastructure, and must define baseline profiles of normal system and user activities based on risk assessments in order to detect deviations, anomalous behaviour, or indicators of compromise. This can be facilitated by the use of behaviour analytics, making use of machine learning algorithms. Alert thresholds, criteria, parameters, and triggers must be defined, periodically reviewed and tested to ensure effectiveness and support timely escalation and incident response.
7.6.4 Security monitoring must include tools and automated mechanisms to detect changes to critical IT resources, including databases, system files, data files, and programs, to facilitate prompt identification of unauthorized or inappropriate changes. Capacity, performance, and utilization indicators must be monitored and reviewed to support business operations and detect abnormal conditions.
7.6.5 Regulated entities must review security logs from critical systems, applications, and network devices in near real-time. They must also ensure that activities performed by staff with elevated access privileges are fully logged, closely supervised, and reviewed at least monthly, accompanied by daily human review of high-risk alerts. Relevant staff must be trained to recognize and report suspicious or anomalous activities and events.
7.6.6 Detection capabilities, baseline profiles, alert thresholds, and monitoring tools must be periodically tested, reviewed, and updated in a controlled and authorized manner. Regulated entities must implement multi-layered detection controls across people, processes, and technology to support attack detection, containment, and isolation of affected assets.
7.6.7 System logs must be adequately protected, retained, and backed up at secure locations to support future investigations and forensic analysis. Log retention periods must align with statutory, regulatory, and business requirements, and controls must be in place to prevent unauthorized alteration or deletion of log data.
7.6.8 Detection capabilities, baseline profiles, alert thresholds, and monitoring tools must be periodically tested, reviewed, and updated in a controlled and authorized manner. Regulated entities must implement multi-layered detection controls across people, processes, and technology to support attack detection, containment, and isolation of affected assets.
8. Online Financial Services [10]
8.1.1 Whilst the internet presents opportunities for regulated entities to reach new markets and expand their range of products and services, being an open network, it also exposes the institution to cyber-attacks that are more sophisticated and dynamic than those targeting closed networks and proprietary delivery channels. Regulated entities must be cognizant of the risks that arise from offering financial services via the internet.
8.1.2 Regulated entities must clearly identify the risks associated with the types of services being offered in the risk management process. Regulated entities are also expected to formulate security controls, system availability and recovery capabilities, commensurate with the level of risk exposure, for all internet operations.
8.2 Online Systems Security
8.2.1 Regulated entities must devise a security strategy and put in place measures to ensure the confidentiality, integrity and availability of their data and systems.
8.2.2 Regulated entities must provide their customers and users of their internet services the assurance that online login access and transactions performed over the internet on their websites are adequately protected and authenticated.
8.2.3 The Bank expects regulated entities to properly evaluate the security requirements associated with their internet systems and adopt encryption algorithms with due regard to the international standards in this area (e.g. ISO 18033-3 encryption algorithms).
8.2.4 Regulated entities must ensure that information processed, stored or transmitted between themselves and their customers is accurate, reliable and complete. With internet connections to internal networks, financial systems and devices may now potentially be accessed by anyone from anywhere at any time.
Regulated entities must implement physical and logical access security to allow only authorized personnel to access their systems. Regulated entities must also implement appropriate processing and transmission controls to protect the integrity of systems and data.
10 Online financial services refer to the provision of banking, trading, insurance or other financial services and products via electronic delivery channels based on computer networks or internet technologies, including fixed line, cellular or wireless networks, web-based applications and mobile devices.
8.2.5 Regulated entities must implement monitoring or surveillance systems so that they are alerted to any abnormal system activities [11], transmission errors or unusual online transactions. Regulated entities must establish a follow-up process to verify that these issues or errors are adequately addressed.
8.2.6 Regulated entities must maintain high resiliency and availability of online systems and supporting systems (such as interface systems, backend host systems and network equipment). Regulated entities must put in place measures to plan and track capacity utilization as well as guard against online attacks. These online attacks may include denial-of-service attacks (DoS attacks) and distributed denial-of-service attacks (DDoS attacks).
8.2.7 Regulated entities must implement multi-factor authentication [12] (MFA) at login for all types of online financial systems [13] and transaction-signing for authorizing transactions. The primary objectives of multi-factor authentication and transaction-signing are to secure the customer authentication process and to protect the integrity of customer account data and transaction details, as well as to enhance confidence in online systems by combating cyber-attacks targeted at regulated entities and their customers.
8.2.8 Regulated entities must also take appropriate measures to minimize exposure to other forms of cyber-attacks, such as the middleman attack, more commonly known as a man-in-the-middle attack [14] (MITMA), the man-in-the-browser attack or the man-in-the-application attack.
8.2.9 As more customers log onto regulated entities’ websites to access their accounts and conduct a wide range of financial transactions and services for personal and business purposes, regulated entities must put in place measures to protect customers who use online payment systems. In addition, regulated entities must educate their customers on the security measures that are put in place to protect them in an online environment.
11 An example of abnormal system activity is multiple sessions using an identical customer account originating from different geographical locations within a short time span.
12 Multi-factor authentication for system login can be based on any two of the factors, i.e. what you know (e.g. PIN), what you have (e.g. OTP token) and who you are (e.g. biometrics).
13 Online financial services refer to the provision of banking, trading, insurance or other financial services and products via electronic delivery channels based on computer networks or internet technologies, including fixed line, cellular or wireless networks, web-based applications and mobile devices.
14 In a man-in-the-middle attack, an interloper is able to read, insert and modify messages between two communicating parties without either one knowing that the link between them has been compromised. Possible attack points for MITMA could be customer computers, internal networks, information service providers, web servers or anywhere on the internet along the path between the customer and the FI’s server.
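The abnormal activity in footnote 11 (one account with sessions from different geographical locations within a short time span) and the alert-correlation and baseline-deviation requirements of 7.6.2 and 7.6.3, worked as an added Python example that is not part of the guideline or of any regulated entity’s tooling. The log format, field names, the 30-minute and 5-minute windows, the baseline of three failed logins and the events themselves are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from two separate systems (web banking and a
# mobile API) feeding one central SIEM view. Assumed format:
# timestamp|system|account|country|outcome
SAMPLE_LOG = """\
2026-03-02T09:00:12Z|web|C1001|BB|success
2026-03-02T09:03:40Z|mobile|C1001|BB|success
2026-03-02T09:10:05Z|web|C2002|BB|success
2026-03-02T09:11:30Z|mobile|C2002|RU|success
2026-03-02T09:15:00Z|web|C3003|BB|failure
2026-03-02T09:15:20Z|web|C3003|BB|failure
2026-03-02T09:15:41Z|web|C3003|BB|failure
2026-03-02T09:16:02Z|web|C3003|BB|failure
2026-03-02T09:16:30Z|web|C3003|BB|success
2026-03-02T14:00:00Z|web|C2002|US|success
"""


def parse_events(text):
    """Parse the pipe-delimited lines into dicts, ordered oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, system, account, country, outcome = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "system": system,
            "account": account,
            "country": country,
            "outcome": outcome,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_multi_location_sessions(events, window=timedelta(minutes=30)):
    """Footnote 11 pattern: successful sessions on the same account from
    different countries within `window`, whichever systems logged them."""
    alerts = []
    recent = defaultdict(list)  # account -> successful logins still inside window
    for e in events:
        if e["outcome"] != "success":
            continue
        acct = e["account"]
        recent[acct] = [p for p in recent[acct] if e["ts"] - p["ts"] <= window]
        clash = next((p for p in recent[acct] if p["country"] != e["country"]), None)
        if clash is not None:
            alerts.append({
                "rule": "multi_location_session",
                "account": acct,
                "systems": sorted({clash["system"], e["system"]}),
                "countries": [clash["country"], e["country"]],
                "ts": e["ts"],
            })
        recent[acct].append(e)
    return alerts


def detect_failed_login_bursts(events, baseline_max_failures=3,
                               window=timedelta(minutes=5)):
    """Deviation from a baseline profile (7.6.3): more failed logins inside
    `window` than the baseline allows, followed by a successful login."""
    alerts = []
    failures = defaultdict(list)  # account -> failure timestamps inside window
    for e in events:
        acct = e["account"]
        failures[acct] = [t for t in failures[acct] if e["ts"] - t <= window]
        if e["outcome"] == "failure":
            failures[acct].append(e["ts"])
        elif e["outcome"] == "success" and len(failures[acct]) > baseline_max_failures:
            alerts.append({
                "rule": "failed_login_burst_then_success",
                "account": acct,
                "failures": len(failures[acct]),
                "ts": e["ts"],
            })
            failures[acct] = []
    return alerts


def correlate(text):
    """Run every rule over one combined event stream and return the alerts
    oldest first, with a severity to drive the escalation step in 7.6.3."""
    events = parse_events(text)
    alerts = detect_multi_location_sessions(events) + detect_failed_login_bursts(events)
    for a in alerts:
        a["severity"] = "high" if a["rule"] == "multi_location_session" else "medium"
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Account C2002 is flagged because its second session comes from a different country via a different system within 30 minutes, while its later session from a third country falls outside the window and is not flagged on its own.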
8.3 Mobile Online Services and Payments Security
8.3.1 Mobile Online Services refers to the provision of financial services via mobile devices such as mobile phones or tablets. Customers may choose to access these financial services via web browsers on mobile phones or via self-developed applications on mobile platforms. Mobile payment refers to the use of mobile devices to make payments. These payments may be made using various technologies such as near-field communication (NFC).
8.3.2 Mobile online services and payments are extensions of the online financial services and payment services which are offered by regulated entities and accessible from the internet via computers or laptops. Regulated entities must implement security measures on mobile online services and payment systems which are similar to those of online financial and payment systems. Regulated entities must conduct a risk assessment to identify possible fraud scenarios and put in place appropriate measures to counteract payment fraud via mobile devices.
8.3.3 As mobile devices are susceptible to theft and loss, regulated entities must ensure that there is adequate protection of sensitive or confidential information used for mobile online services and payments. Regulated entities must have sensitive or confidential information encrypted to ensure the confidentiality and integrity of this information in storage and transmission. Regulated entities must perform the processing of sensitive or confidential information in a secure environment.
8.3.4 Regulated entities must educate their customers on security measures to protect their own mobile devices from viruses and other errant software which cause malicious damage and have harmful consequences. This can be facilitated via a combination of workshops and various social media notices.
8.4 Payment Card Security (ATMs, Credit and Debit Cards)
8.4.1 Payment cards [15] allow cardholders the flexibility to make purchases from any location. Cardholders may choose to make purchases by physically presenting these cards for payment at the merchant, or they could choose to purchase their items over the internet or over the telephone. Payment cards also provide cardholders with the convenience of withdrawing cash at automated teller machines (ATMs) or conducting payments at point of sale (POS) terminals located at merchants.
15 For the purpose of this document, “payment cards” refer to ATM, credit, charge and debit cards.
8.4.2 Payment cards exist in many forms, with magnetic stripe cards posing the highest risk exposure. Regulated entities that issue cards must follow international standards for migrating away from magnetic stripe card types to other, safer, methods (e.g. EMV chip-supported card transactions).
8.4.3 Types of payment card fraud include counterfeit, lost/stolen, card-not-received [16] (“CNR”) and card-not-present [17] (“CNP”) fraud. Regulated entities must therefore monitor payment patterns for insider threat.
8.5 Payment Card Fraud
8.5.1 Regulated entities that provide payment card services must implement adequate safeguards to protect sensitive payment card data. Regulated entities must ensure that the handling of sensitive payment card data is PCI compliant, ensuring alignment with secure standards and algorithms that have not been compromised.
8.5.2 Payment card data must also be encrypted to ensure confidentiality and integrity while in storage and transmission. Regulated entities must ensure that the processing of such sensitive or confidential information is performed in a secure environment.
8.5.3 Regulated entities must deploy secure methods to store sensitive payment card data. Regulated entities must also implement strong card authentication methods such as dynamic data authentication (“DDA”) or combined data authentication (“CDA”) for online and offline card transactions. For interoperability reasons, where transactions could only be effected by using information from the magnetic stripe on a card, regulated entities must ensure that robust controls are implemented to manage these transactions.
8.5.4 The regulated entity’s card issuer, and not a third-party payment processing service provider, must perform the authentication of customers’ sensitive static information, such as PINs or passwords. Regulated entities must perform regular security reviews of the infrastructure and processes being used by their service providers and merchants.
16 Card-not-received fraud refers to fraud cases where cardholders do not receive cards dispatched by the issuing banks and, subsequently, these cards are used to make fraudulent transactions.
17 Card-not-present fraud involves the use of stolen or compromised card details to make purchases over the internet, phone or mail order.
8.5.5 Regulated entities must ensure that security controls are implemented at payment card systems and networks.
8.5.6 To enhance card payment security, regulated entities must promptly notify cardholders via transaction alerts when withdrawals or charges exceeding customer-defined thresholds are made on the customers’ payment cards. Regulated entities must implement robust fraud detection systems with behavioural scoring (or equivalent) and correlation capabilities to identify and curb fraudulent activities. Regulated entities must set out risk management parameters according to the risks posed by cardholders, the nature of transactions or other risk factors to enhance fraud detection capabilities.
8.5.7 Regulated entities must follow up on transactions exhibiting behaviour which deviates significantly from a cardholder’s usual card usage patterns. Regulated entities must investigate these transactions and obtain the cardholder’s authorization prior to completing the transaction.
8.6 ATMs and Payment Kiosks Security
8.6.1 The presence of ATMs and payment kiosks has provided cardholders with the convenience of withdrawing cash as well as making payments to billing organizations. However, these systems are targets where card skimming attacks are perpetrated. To secure consumer confidence in using these systems, regulated entities must put in place the following measures to counteract fraudsters’ attacks on ATMs and payment kiosks:
a) Install anti-skimming solutions on these machines and kiosks to detect the presence of foreign devices placed over or near a card entry slot.
b) Install detection mechanisms and send alerts to appropriate staff at the regulated entity for follow-up response and action.
c) Implement tamper-resistant keypads to ensure that customers’ PINs are encrypted during transmission.
d) Implement appropriate measures to prevent shoulder surfing of customers’ PINs.
e) Conduct video surveillance of activities at these machines and kiosks, and maintain the quality of CCTV footage.
8.6.2 Regulated entities must verify that adequate physical security measures are implemented at third-party payment kiosks which accept and process the regulated entity’s payment cards.
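As an added illustration that is not part of the guideline, the following Python sketches the controls of 8.5.6 and 8.5.7: a customer-defined threshold that triggers a transaction alert, a behavioural score built from the cardholder's own history, and a hold for cardholder authorisation when the deviation is large. The rule weights, the hold and review thresholds, the tokenised card reference and every transaction are constructed assumptions.

```python
"""Card transaction monitoring: customer threshold alerts plus behavioural scoring.
Added example (not from the guideline) for clauses 8.5.6 and 8.5.7. Rule weights,
policy thresholds and all cardholder data are constructed assumptions."""
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Txn:
    card: str        # tokenised card reference, never the PAN
    amount: float    # transaction amount (currency-agnostic sample value)
    mcc: str         # merchant category code
    country: str     # country code of the merchant or ATM ("XX" below is a placeholder)
    channel: str     # "pos", "atm" or "cnp" (card-not-present)
    hour: int        # local hour of day, 0-23


@dataclass
class Profile:
    alert_threshold: float                        # customer-defined threshold (8.5.6)
    history: list = field(default_factory=list)   # prior legitimate transactions


# Assumed policy knobs: a score at or above HOLD_SCORE holds the transaction until
# the cardholder authorises it (8.5.7); at or above REVIEW_SCORE it is queued for
# analyst follow-up. Below that, and under the alert threshold, it is approved.
HOLD_SCORE = 4
REVIEW_SCORE = 2


def behavioural_score(profile, txn):
    """Return (score, reasons): how far txn deviates from this cardholder's pattern."""
    if not profile.history:
        return 0.0, ["no history for this card"]
    amounts = [t.amount for t in profile.history]
    mu, sigma = mean(amounts), pstdev(amounts) or 1.0   # sigma 0 -> avoid divide-by-zero
    score, reasons = 0.0, []
    z = (txn.amount - mu) / sigma
    if z > 3:                                            # far outside usual spend
        score += 3
        reasons.append(f"amount {txn.amount:.2f} is {z:.1f} sd above mean")
    if txn.country not in {t.country for t in profile.history}:
        score += 2
        reasons.append(f"first use in country {txn.country}")
    if txn.mcc not in {t.mcc for t in profile.history}:
        score += 1
        reasons.append(f"first use at merchant category {txn.mcc}")
    if txn.channel == "cnp" and all(t.channel != "cnp" for t in profile.history):
        score += 1
        reasons.append("first card-not-present transaction")
    hours = [t.hour for t in profile.history]
    if not (min(hours) - 2 <= txn.hour <= max(hours) + 2):  # outside usual hours
        score += 1
        reasons.append(f"unusual hour {txn.hour:02d}:00")
    return score, reasons


def decide(profile, txn):
    """Apply the threshold alert (8.5.6) and the behavioural rules (8.5.7).
    Returns (actions, score, reasons), e.g. (["alert_cardholder", "hold_for_authorisation"], 8.0, [...])."""
    score, reasons = behavioural_score(profile, txn)
    actions = []
    if txn.amount > profile.alert_threshold:
        actions.append("alert_cardholder")           # prompt transaction alert
    if score >= HOLD_SCORE:
        actions.append("hold_for_authorisation")     # obtain cardholder approval first
    elif score >= REVIEW_SCORE:
        actions.append("review")
    return actions or ["approve"], score, reasons


# Constructed history: a cardholder who spends modestly, locally (BB), in person, by day.
SAMPLE_PROFILE = Profile(alert_threshold=500.0, history=[
    Txn("tok_0001", 45.0, "5411", "BB", "pos", 9),
    Txn("tok_0001", 60.0, "5411", "BB", "pos", 12),
    Txn("tok_0001", 80.0, "5541", "BB", "pos", 18),
    Txn("tok_0001", 55.0, "5411", "BB", "pos", 10),
    Txn("tok_0001", 120.0, "5541", "BB", "pos", 19),
    Txn("tok_0001", 70.0, "5411", "BB", "pos", 13),
    Txn("tok_0001", 65.0, "5411", "BB", "atm", 11),
    Txn("tok_0001", 90.0, "5541", "BB", "pos", 17),
])

# Constructed incoming transactions: routine, mildly unusual, and clearly anomalous.
SAMPLE_TXNS = {
    "routine":   Txn("tok_0001", 95.0, "5411", "BB", "pos", 12),
    "late_meal": Txn("tok_0001", 130.0, "5812", "BB", "pos", 22),
    "anomalous": Txn("tok_0001", 1850.0, "5944", "XX", "cnp", 3),
}


def run_samples():
    """Decide each sample transaction; returns {label: actions}."""
    return {label: decide(SAMPLE_PROFILE, txn)[0] for label, txn in SAMPLE_TXNS.items()}
```

Calling run_samples() returns the decisions for the three constructed transactions; decide() exposes the score and the reasons an analyst would see.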
9. Systems Reliability, Availability and Recoverability
9.0.1 The reliability, availability and recoverability of IT systems, networks and infrastructure are crucial in maintaining confidence and trust in the operational and functional capabilities of a regulated entity. Failures of critical systems can severely disrupt operations, adversely affect customers and result in significant reputational consequences. Regulated entities must therefore maintain the capability to restore information system components within established recovery time objectives, using predefined and standardised configurations of IT resources whose integrity is protected.
9.0.2 As all systems are vulnerable, regulated entities must define their recovery and business resumption priorities. At least annually, a regulated entity must also test its contingency procedures in order to minimize disruption of its business arising from a serious incident.
9.1 Systems Availability
9.1.1 Important factors associated with maintaining high system availability are adequate capacity, reliable performance, fast response time, scalability and swift recovery capability. Regulated entities must ensure that their business continuity plans are kept up to date and that the recovery site can adequately support all key systems in the production environment. Additional guidance on business continuity activities is outlined in section 4.3, Business Continuity Management, of the Operational Risk Management Guideline.
9.1.2 Regulated entities may employ a number of complex interdependent systems and network components for their IT processing. An entire system can become inoperable when a single critical hardware component or software module malfunctions or is damaged. Regulated entities must:
a. Develop built-in redundancies to reduce single points of failure which can bring down the entire network; and
b. Include a strategy to have standby hardware, software and network components that are necessary for their recovery, ensuring minimum downtime and limited disruption.
9.1.3 Regulated entities must achieve high availability18 for critical systems19.
9.2 Data Backup Management
9.2.1 Regulated entities must develop a data backup strategy for the storage of
critical information.
9.2.2 As part of the data backup and recovery strategy, regulated entities may
implement specific data storage architectures such as Direct-Attached
Storage (DAS), Network-Attached Storage (NAS) or Storage Area Network
(SAN) sub-systems connected to production servers. In this regard,
processes must be in place to review the architecture and connectivity of
disk storage sub-systems for single points of failure and fragility in functional
design and specifications, as well as the technical support by service
providers.
9.2.3 Regulated entities must carry out regular testing and validation of the
recovery capability of backup media and assess if the backup media is
adequate and sufficiently effective to support the recovery process.
9.2.4 Regulated entities must encrypt backup tapes and disks, including USB disks,
containing sensitive or confidential information before they are transported
offsite for storage.
9.3 Data Backup Management Specific for Payment Service Providers
9.3.1 Payment service providers must regularly back up all data necessary to
replay participants' transactions.
9.3.2 Payment service providers must conduct frequent periodic reconciliation of
participants’ positions, with the assistance of participants where needed.
9.4 Disaster Recovery Plan
9.4.1 In formulating and constructing a rapid recovery plan, regulated entities must include a scenario analysis to identify and address various types of contingency scenarios. Regulated entities must plan for recovery from, at minimum, the following disruptive events:
a) Natural events such as hurricanes, floods and other severe weather conditions.
b) Technical events such as power outages and fluctuations, communication failure, and equipment and software failure. Regulated entities must consider scenarios such as a major system outage, which may be caused by system faults, hardware malfunction, operating errors or security incidents, as well as a total incapacitation of the primary data centre.
c) Malicious activities including network security attacks, assaults and public riots.
d) Fires.
18 Other than during periods of planned maintenance, regulated entities must enhance their systems and infrastructure resiliency by deploying suitable solutions, e.g. active – setup, for these systems to minimize downtime.
19 Critical system means a system whose failure would cause significant disruption to the operations of a regulated entity or a material impact on the regulated entity’s service to its customers. “System” means any hardware, software, network or IT component.
9.4.2 Regulated entities must define system recovery and business resumption priorities and establish specific recovery objectives, including Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs), commensurate with business criticality, third-party services provided and their systemic role in the ecosystem.
9.4.3 Based on identified extreme but plausible scenarios and business impact analyses, regulated entities must develop and maintain comprehensive contingency, incident response, resumption and disaster recovery plans that define roles and responsibilities, restoration priorities, escalation procedures, and options to reroute or substitute critical functions.
9.4.4 Regulated entities must ensure that their cyber incident response plans are supported by policies and procedures which outline the roles and responsibilities for escalating, responding to and recovering from cybersecurity incidents. All relevant business units must be integrated into the plans.
9.4.5 Regulated entities must implement adequate backup, redundancy and recovery capabilities at system and application levels, taking into account interdependencies between critical systems, offshore or outsourced services, and cross-border network resilience.
9.4.6 The resiliency and robustness of critical systems which are outsourced to offshore service providers is highly dependent on the stability and availability of cross-border network links. To minimize the impact on business operations in the event of a disruption, regulated entities should ensure cross-border network redundancy insofar as possible.
9.4.7 Where practical, regulated entities must establish geographically separate recovery sites and appropriate recovery technologies, such as redundancy and data replication, to enable timely restoration of critical systems and continuity of operations.
9.4.8 Regulated entities must ensure that recovery, response and disaster recovery arrangements are integrated with crisis management and business continuity frameworks, and that relevant staff possess the skills and training necessary to execute such plans effectively.
9.4.9 Regulated entities must annually test, review and update disaster recovery, incident response and resumption plans. They must also conduct post-incident reviews and root cause analyses, and incorporate lessons learnt to continuously strengthen recovery capabilities.
9.5 Disaster Recovery Testing
9.5.1 During a system outage, regulated entities must refrain from adopting impromptu and untested recovery measures over pre-determined recovery actions that have been rehearsed and approved by management. Untested recovery measures carry high operational risk, as their effectiveness has not been verified through rigorous testing and validation.
9.5.2 Regulated entities must test and validate, at least annually, the effectiveness of recovery requirements and the ability of staff to execute the necessary emergency and recovery procedures.
9.5.3 Regulated entities must test the recovery dependencies between systems. Bilateral or multilateral recovery testing must be conducted where networks and systems are linked to specific service providers and vendors.
9.5.4 Regulated entities must involve their business users in the design and execution of comprehensive test cases to verify that recovered systems function properly. Regulated entities must also participate in disaster recovery tests conducted by their service provider(s), including for those systems which are located offshore.
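As an added illustration that is not part of the guideline, the following Python evaluates the evidence from a disaster recovery test against the RTO and RPO objectives of 9.4.2, taking the recovery dependencies between systems of 9.4.5 and 9.5.3 into account: a system only counts as recovered once everything it relies on is back. The systems, objectives and backup and restore timestamps are constructed.

```python
"""Evaluate a disaster recovery test against RTO/RPO, including dependencies.
Added example (not from the guideline) for clauses 9.4.2, 9.4.5, 9.5.2 and 9.5.3.
All systems, objectives and timestamps below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class SystemPlan:
    name: str
    rto: timedelta                  # maximum tolerated downtime
    rpo: timedelta                  # maximum tolerated data-loss window
    depends_on: list = field(default_factory=list)   # systems this one needs


@dataclass
class TestRecord:
    last_good_backup: datetime      # last backup verified restorable (9.2.3)
    restored_at: datetime           # when this system alone was back in service


def effective_recovery_time(name, plans, records, memo, visiting=frozenset()):
    """When the system is actually usable: its own restore time, or later if a
    dependency came back later, because a service is not recovered until
    everything it relies on is (9.5.3). Raises on circular dependencies."""
    if name in memo:
        return memo[name]
    if name in visiting:
        raise ValueError(f"circular recovery dependency involving {name}")
    own = records[name].restored_at
    deps = [effective_recovery_time(d, plans, records, memo, visiting | {name})
            for d in plans[name].depends_on]
    memo[name] = max([own] + deps)
    return memo[name]


def evaluate(plans, records, outage):
    """Compare achieved RTO/RPO with each system's objectives.

    Achieved RPO = outage time minus the last restorable backup (data lost).
    Achieved RTO = effective recovery time minus outage time (downtime).
    'blocked_by' lists dependencies that finished after the system itself.
    """
    memo, results = {}, {}
    for name, plan in plans.items():
        effective = effective_recovery_time(name, plans, records, memo)
        achieved_rto = effective - outage
        achieved_rpo = outage - records[name].last_good_backup
        results[name] = {
            "achieved_rto_min": int(achieved_rto.total_seconds() // 60),
            "achieved_rpo_min": int(achieved_rpo.total_seconds() // 60),
            "rto_met": achieved_rto <= plan.rto,
            "rpo_met": achieved_rpo <= plan.rpo,
            "blocked_by": [d for d in plan.depends_on
                           if memo[d] > records[name].restored_at],
        }
    return results


# Constructed test scenario: primary data centre lost at 02:00.
OUTAGE = datetime(2026, 3, 10, 2, 0)
H, M = timedelta(hours=1), timedelta(minutes=1)

SAMPLE_PLANS = {
    "database":       SystemPlan("database", rto=2 * H, rpo=15 * M),
    "auth-directory": SystemPlan("auth-directory", rto=1 * H, rpo=24 * H),
    "core-banking":   SystemPlan("core-banking", rto=4 * H, rpo=15 * M,
                                 depends_on=["database", "auth-directory"]),
    "online-banking": SystemPlan("online-banking", rto=6 * H, rpo=1 * H,
                                 depends_on=["core-banking"]),
}

SAMPLE_RECORDS = {   # (last restorable backup, own restore completed)
    "database":       TestRecord(datetime(2026, 3, 10, 1, 50), datetime(2026, 3, 10, 3, 30)),
    "auth-directory": TestRecord(datetime(2026, 3, 9, 20, 0), datetime(2026, 3, 10, 5, 0)),
    "core-banking":   TestRecord(datetime(2026, 3, 10, 1, 40), datetime(2026, 3, 10, 4, 0)),
    "online-banking": TestRecord(datetime(2026, 3, 10, 1, 30), datetime(2026, 3, 10, 4, 30)),
}


def run_sample():
    """Evaluate the constructed scenario; returns {system: result dict}."""
    return evaluate(SAMPLE_PLANS, SAMPLE_RECORDS, OUTAGE)


if __name__ == "__main__":
    for name, r in run_sample().items():
        status = "OK" if r["rto_met"] and r["rpo_met"] else "FAIL"
        print(f"{name:15s} RTO {r['achieved_rto_min']:4d} min ({'met' if r['rto_met'] else 'missed'})"
              f" RPO {r['achieved_rpo_min']:4d} min ({'met' if r['rpo_met'] else 'missed'})"
              f" blocked_by={r['blocked_by']} -> {status}")
```

In the constructed run, core-banking restores inside its own RTO but is held back by the directory service, and its backup interval breaches its RPO; both are findings a test report should surface.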
9.6 Data Centre Protection
9.6.1 As regulated entities’ critical systems and data are concentrated and maintained in the Data Centre (DC), it is important that the DC is resilient and physically secured from internal and external threats.
9.6.2 The purpose of a physical Threat and Vulnerability Risk Assessment (TVRA) is to identify security threats to, and operational weaknesses in, a DC in order to determine the level and type of protection that must be established to safeguard it. Each regulated entity must base its TVRA on various possible threat scenarios, which include theft, explosives, arson, unauthorized entry, external attacks and insider sabotage.
9.6.3 Regulated entities must include in the scope of the TVRA a review of the DC’s perimeter and surrounding environment, as well as the building and DC facility. Regulated entities must also review daily security procedures, critical mechanical and engineering systems, building and structural elements, as well as physical, operational and logical access controls.
9.6.4 When selecting a DC provider, regulated entities must obtain and assess the TVRA report on the DC facility. Regulated entities must verify that TVRA reports are current and that the DC provider is committed to addressing all material vulnerabilities identified. For regulated entities that choose to build their own DC, an assessment of threats and vulnerabilities must be performed at the feasibility study stage.
9.6.5 Regulated entities must limit access to the DC to authorized staff only. Access to the DC must only be granted on a need-to-have basis. Physical access of staff to the DC must be revoked immediately if it is no longer required. Regulated entities must deploy security systems and surveillance tools, where appropriate, to monitor and record activities that take place within the DC. Regulated entities must establish physical security measures to prevent unauthorized access to systems, equipment racks and tapes.
9.6.6 For non-DC personnel such as vendors, system administrators or engineers who may require temporary access to the DC to perform maintenance or repair work, regulated entities must ensure that there is proper notification of and approval for such visits. Regulated entities must ensure that visitors are accompanied at all times by an authorized employee while in the DC.
9.6.7 Regulated entities must ensure that the perimeter of the DC, the DC building, facility and equipment room are physically secured and monitored. Regulated entities must employ physical, human and procedural controls (e.g. security guards, card access systems, mantraps and bollards) where appropriate.
9.7 Data Centre Resiliency
9.7.1 To achieve DC resiliency, regulated entities must assess the redundancy and fault tolerance in areas such as electrical power, air conditioning, fire suppression and data communications.
9.7.2 Regulated entities must rigorously control and regulate the environment within a DC. Monitoring of environmental conditions, such as temperature and humidity, within a DC is critical in ensuring uptime and system reliability. Regulated entities must promptly escalate any abnormality detected to management and resolve it in a timely manner.
9.7.3 Regulated entities must implement appropriate fire protection and suppression systems in the DC to control a full-scale fire if it occurs. Regulated entities must install smoke detectors and hand-held fire extinguishers in the DC and implement passive fire protection elements, such as fire walls around the DC, to restrict the spread of a fire to a portion of the facility.
9.7.4 To ensure that there is sufficient backup power, regulated entities must install backup power consisting of uninterruptible power supplies, battery arrays and/or diesel generators.
9.8 Cyber-Attack Exercises
9.8.1 Regulated entities must carry out regular scenario-based cyber exercises to validate their response, recovery and communication plans in case of a cyber-attack. These exercises could include social engineering, table-top20, cyber range21 or adversarial attack simulation22 exercises.
9.8.2 Based on the type and objectives of the exercise, regulated entities must involve all relevant stakeholders, inter alia Senior Management, business functions, corporate communications, the crisis management team, service providers, and technical staff responsible for cyber threat detection, response and recovery.
9.8.3 The objectives, scope and rules of engagement must be defined before the commencement of the exercise. To ensure that the activities executed do not disrupt the regulated entity’s production systems, the exercise must be closely supervised and performed in a controlled environment.
20 A table-top exercise is a discussion-based exercise where personnel with roles and responsibilities in a particular IT plan meet in a classroom setting or in breakout groups to validate the content of the plan by discussing their roles during an emergency and their responses to a particular emergency situation. A facilitator initiates the discussion by presenting a scenario and asking questions based on the scenario.
21 Cyber ranges are interactive, simulated representations of an organization’s local network, IT system, tools and applications that are connected to a simulated Internet-level environment. They provide a safe, legal environment to gain hands-on cyber skills and a secure environment for product development and security posture testing.
22 An adversarial attack simulation exercise provides a more realistic picture of a regulated entity’s capability to prevent, detect and respond to real adversaries by simulating the tactics, techniques and procedures of real-world attackers against the people, processes and technology underpinning the regulated entity’s critical business functions or services.
9.8.4 Regulated entities must bear in mind that realistic adversarial attack simulations ought to be designed around plausible cyber-attacks, and must therefore design the exercises using threat intelligence that is relevant to their IT environment. This approach helps identify the threat actors most likely to pose a threat to the regulated entity, as well as the tactics, techniques and procedures most likely to be used in such attacks.
9.9 Crisis Communication and Responsible Disclosure
9.9.1 Regulated entities should identify and determine the staff who are essential for mitigating the risk of a cyber incident and make them aware of their roles and responsibilities regarding incident escalation.
9.9.2 The regulated entity’s incident response plan should identify the internal and external stakeholders that must be notified, as well as the information that has to be shared and reported, and when this should take place.
9.9.3 Regulated entities should establish criteria and procedures for escalating cyber incidents or vulnerabilities to the Board and Senior Management based on the potential impact and criticality of the risk.
9.9.4 Regulated entities should have a communication plan and procedures in place to notify, as required or necessary, all relevant internal and external stakeholders (including oversight and regulatory authorities, the media and customers) in a timely manner when the institution becomes aware of a cyber incident. Regulated entities should notify the appropriate internal and external stakeholders when a cyber incident occurs.
9.9.5 Regulated entities should have a policy and accompanying procedures to enable potential vulnerabilities to be disclosed responsibly. In particular, the regulated entity should prioritize disclosures that could help stakeholders to respond promptly and mitigate risk, which could benefit the ecosystem and broader financial stability.
9.9.6 Regulated entities should establish and regularly review information-sharing rules, agreements and methods in order to control the publication and distribution of such information, and to prevent the dissemination of sensitive information that may have adverse consequences if disclosed improperly.
10. Management of IT Outsourcing Risks23
10.0.1 IT outsourcing comes in many forms. Some of the most common types of IT outsourcing are systems development and maintenance, support for DC operations, network administration, disaster recovery services, application hosting and cloud computing. Outsourcing can involve the provision of IT capabilities and facilities by a single third party or by multiple vendors located in Barbados or abroad.
10.0.2 Regulated entities must validate the security practices of third-party organisations/vendors by obtaining attestation reports or certifications of comprehensive security management systems (e.g. SOC 2 or ISO 27001).
10.0.3 The Board and Senior Management must fully understand the risks associated with IT outsourcing.
10.0.4 Regulated entities must require the service provider to implement security policies, procedures and controls that are at least as stringent as they would expect for their own operations. To this end, regulated entities must ensure:
a) The effectiveness of the risk-mitigating measures as defined by their risk management framework.
b) The continuity of technology services and information systems.
c) That contracts and service level agreements (both for normal circumstances and in the event of service disruption) include minimum cyber resilience requirements as well as security incident handling procedures for escalation and reporting.
d) That third parties submit reports that provide assurance of the level of compliance with the cyber resilience objectives, measures and performance targets defined by the regulated entity. These reports must be submitted at least annually or when major changes have been implemented by the service provider; and
e) That appropriate due diligence is conducted by service providers on the third parties, as applicable.
10.0.5 All parties concerned, including those from the service provider, must receive regular training in activating the contingency plan and executing recovery procedures.
10.0.6 Regulated entities must have contingency plans in place based on credible worst-case scenarios for service disruptions, to prepare for the possibility that their current service provider may not be able to continue operations or render the services required. The plan must incorporate identification of viable alternatives for resuming the IT operations elsewhere.
23 This section must be read in conjunction with the Bank-issued Outsourcing Guideline.
10.0.7 Regulated entities must maintain and regularly update an inventory of their participants and third-party service providers and ensure that their cyber risk management framework addresses interconnections with these entities from a cyber risk perspective.
10.0.8 Regulated entities’ third-party risk assessments must be carried out regularly, taking into account the evolution of the existing and foreseeable threat landscape. The regulated entity must, using a risk-based approach, ensure that the provision of outsourced services is accorded the appropriate level of cyber resilience.
10.0.9 Regulated entities must assess the third-party service provider’s security capabilities, at least through third-party self-assessment. Provision of settlement services to ancillary systems by overseen entities is not considered to be third-party service provision.
10.0.10 Regulated entities must design security controls that detect and prevent intrusions from third-party connections.
10.0.11 Remote access infrastructure must be thoroughly tested for vulnerabilities. When utilizing cloud infrastructure, regulated entities must review existing controls and conduct security assessment and testing.
10.0.12 Regulated entities must ensure that there are appropriate procedures in place to isolate or block their third-party connections in a timely manner if there is a cyber-attack and/or a risk of contagion.
10.0.13 An independent audit function must validate the regulated entity’s third-party relationship management and outsourcing, including for cloud-based services.
10.1 Sub-Outsourcing of Critical or Important Functions
10.1.1 Sub-outsourcing, also known as chain-outsourcing, refers to a situation where the service provider under an outsourcing arrangement further transfers an outsourced function, or part of an outsourced function, to another service provider or sub-contractor.
10.1.2 It is important for regulated entities to note that they remain fully responsible for the outsourced function and that compliance with regulatory requirements is as necessary in the case of sub-outsourcing as it is with outsourcing.
10.1.3 Regulated entities are advised that they must only agree to sub-outsourcing of critical or important functions if the sub-contractor undertakes to:
a) Comply with all applicable laws, regulatory requirements and contractual obligations; and
b) Grant the regulated entities and the Bank the same contractual rights of access and audit as those granted by the service provider.
10.1.4 Regulated entities must ensure that the service provider gives ex ante notification in the event that critical or important functions are planned to be outsourced. Regulated entities must always have the right to terminate the contract if planned changes to services, including changes caused by sub-outsourcing, would have an adverse effect on the risk assessment of the outsourced services.
10.1.5 The outsourcing agreement for critical or important functions must set out whether the sub-outsourcing of a critical or important function, or material parts thereof, is permitted. If so, the conditions as specified in section 10.2.6 must be adhered to.
10.1.6 If sub-outsourcing of critical or important functions is permitted, the written agreement must:
a) Specify any types of activities that are excluded from sub-outsourcing.
b) Specify the conditions to be complied with in the case of sub-outsourcing.
c) Specify that the service provider is obliged to oversee those services that it has sub-contracted, to ensure that all contractual obligations between the service provider and the regulated entity are continuously met.
d) Require the service provider to obtain prior specific or general written authorization from the regulated entity before sub-outsourcing data.
e) Include an obligation of the service provider to inform the regulated entity of any planned sub-outsourcing, or material changes thereof, in particular where that might affect the ability of the service provider to meet its responsibilities under the outsourcing agreement. This allows the regulated entity to carry out a risk assessment of the proposed changes and to object to changes before they come into effect.
f) Ensure that the regulated entity maintains the right to object to intended sub-outsourcing or material changes thereto, or that explicit approval is required.
g) Ensure that the regulated entity has the contractual right to terminate the agreement with the service provider in the event that sub-outsourcing materially increases the risks for the regulated entity, or where the service provider sub-outsources without notifying the regulated entity.
10.1.7 Regulated entities must ensure that the service provider appropriately oversees the sub-service providers, in line with the policy defined and agreed by both counterparts.
10.2 Cloud Computing
10.2.1 Cloud services (“CS”) operated by service providers are considered a form of outsourcing that institutions apply to enhance their operations, while reaping the benefits of CS’ scalable, standardized and secured infrastructure.
10.2.2 The types of risks in CS that confront institutions are not distinct from those of other forms of outsourcing arrangements. Institutions must perform the necessary due diligence and apply the sound governance and risk management practices articulated in this guideline when subscribing to CS.
10.2.3 Regulated entities must be aware of CS’ typical characteristics, such as multi-tenancy, data commingling and the higher propensity for processing to be carried out in multiple locations. Hence, regulated entities must take active steps to address the risks associated with data access, confidentiality, integrity, sovereignty, recoverability, regulatory compliance and auditing. In particular, institutions must ensure that the service provider possesses the ability to clearly identify and segregate customer data using strong physical or logical controls. The service provider must have robust access controls in place to protect customer information.
10.2.4 Regulated entities are ultimately responsible and accountable for maintaining oversight of CS and managing the attendant risks of adopting CS, as in any other form of outsourcing arrangement. A risk-based approach must be taken by institutions to ensure that the level of oversight and controls is commensurate with the materiality of the risks posed by the CS.
11. Internet of Things
11.0.1 The Internet of Things (IoT) includes any electronic devices, such as smart phones, multi-function printers, security cameras and smart televisions, which can be connected to the regulated entity’s network or the Internet. Privacy of IoT device end-users can no longer be seen as an add-on to existing products or services. As with all information assets, regulated entities must maintain an inventory of all their IoT devices, including information such as the networks to which they are connected and their physical locations.
11.0.2 Many IoT devices are designed without, or with minimal, security controls. If compromised, these devices can be commandeered and used to gain unauthorised access to the regulated entity’s network and systems, or as a launch pad for cyber-attacks on the regulated entity. Compromised IoT devices may additionally exfiltrate data and cause disruption of the network during such orchestrated attacks. Regulated entities must assess and implement processes and controls to mitigate risks arising from IoT. The network that hosts IoT devices must be secured. For instance, network access controls can be implemented to restrict network traffic to and from an IoT device, preventing a cyber threat actor from accessing the regulated entity’s network and launching malware or DoS attacks. To further reduce IoT risks, regulated entities must host IoT devices on a separate network segment from the network that provides access to the regulated entity’s systems and confidential data.
11.0.3 Regulated entities must implement controls to prevent unauthorised access to IoT devices. In light of the privacy risks that the use of IoT technology brings, regulated entities must take additional measures to safeguard Personally Identifiable Information (PII).
11.0.4 As with other systems, the regulated entity must monitor IoT devices for suspicious or anomalous system activities so that prompt action can be taken to isolate compromised devices. Security monitoring must include, but is not limited to:
a) Endpoint identity monitoring
b) Endpoint identity impersonation
c) Trust anchor attacks
d) Software and firmware tampering
e) Secure remote management
f) Detecting compromised endpoints
g) Service impersonation
11.0.5 In conclusion, as with all new and emerging technology, a proper risk assessment, due diligence and due care need to be taken into consideration. Technologies that may be used to further monitor technology and cyber risk developments include the application and use of artificial intelligence, machine learning and quantum computing.
12. Artificial Intelligence (AI) and Machine Learning (ML)
12.0.1 AI can improve the detection and prevention of cyber risk-related events. AI is based on Machine Learning (ML) algorithms that can be incorporated
TECHNOLOGY AND CYBER RISK MANAGEMENT GUIDELINE MARCH 2026 BANK SUPERVISION DEPARTMENT CENTRAL BANK OF BARBADOS 73 TECHNOLOGYAND CYBER RISKMANAGEMENTGUIDELINE into the regulated entity's risk management processes to allow prompt detection and prevention of existing and emerging cyber threats. 12.0.2 ML algorithms designed for detecting anomalous events may be implemented by regulated entities. Both traditional ML algorithms as well as more advanced networks and deep learning algorithms may be used for the detection and prevention of cyber risk-related events. 12.0.3 Advantages associated with AI also include behavioral analysis, pattern recognition in large datasets, and reduction in false positives. ML, which is a subset of AI, can be deployed for malware detection and classification, network traffic analysis, and even vulnerability management. 12.0.4 Adversarial models associated with ML may be used to generate authenticlooking fraud events and other cyber threats to try to evade detection, which can be used by the regulated entity to train its systems and improve the accuracy rate of detection and prevention. 12.0.5 The use of AI and ML, however, may lead to a number of risks, including but not limited to: a. security risks (e.g., data poisoning) b. privacy risks (e.g., arising from the leakage of confidential or customer data, or from the use of customer data without proper consent) c. third-party risks (use of AI and ML without appropriate security controls d. human-related risks (e.g., poor oversight over AI and ML applications) 12.0.6 To address such risks, regulated entities using AI and ML applications must develop and implement robust, comprehensive, governance frameworks and risk management practices to adequately identify, assess, and mitigate against possible risks to the entity and customers. The risk management framework must address the following inherent challenges: a) Fairness and Ethics i. 
Decisions from data and AI and ML models used should be unbiased, non-discriminatory, and justified. ii. Decisions outcomes from AI and ML applications should be reflective of the regulated entity’s standards, values and codes of conduct. iii. Regulated entities should define what it is considered a “fair” outcome and have appropriate controls to identify and mitigate harmful biases and discriminatory outcomes across the AI life cycle, proportionate to risks.
b) Reliability and Soundness
i. Adherence to relevant protocols on data quality, model validation, data privacy and cybersecurity must be determined through continual assessment.
ii. Regulated entities should test and monitor the algorithms used to validate the results of each AI and ML application in stressed and unstressed conditions.
iii. Evaluation and testing should be proportionate to the assessed risk materiality of the AI and ML use case, system or model.
iv. The implementation and use of AI and ML by regulated entities must be carried out in compliance with applicable laws and regulations.
v. Decisions made by AI and ML applications must be explainable and auditable.

c) Accountability and Governance
i. Regulated entities must accept responsibility for both internally developed and externally sourced models.
ii. The Board and senior management should ensure sufficient understanding, consistent standards, clear accountability and robust coordination to manage AI and ML risks.
iii. Regulated entities should put in place and regularly review controls to ensure appropriate human oversight over an AI use case, system or model across its life cycle.
iv. The Board and senior management must maintain effective oversight of AI and ML-related risks, foster the appropriate risk culture for the use of AI and ML, and ensure that the use of AI and ML would not conflict with the entity's ability to meet other supervisory expectations.
v. Documented processes for the approval and sign-off of each AI and ML application should be in place.
vi. Clear service level agreements and contracts must be in place with third-party providers of AI and ML services.
d) Data Management
Regulated entities must put in place data management controls to ensure that data used across the AI and ML life cycle is fit for purpose and representative, of high quality, and subject to robust data governance.

e) Transparency and Disclosure
i. Regulated entities must have in place policies and procedures to ensure the consistent identification of AI and ML usage across all relevant areas.
ii. Key considerations on the degree of transparency and explainability required may include the reliance on AI for the final decision and the level of impact on customer or risk management outcomes.
iii. An accurate and up-to-date inventory of AI and ML use cases, systems or models should be in place to support governance and oversight, as well as risk management, throughout the AI life cycle.
iv. Disclosure to customers about the use of AI and ML applications should be made, including on the data used to drive decisions and affect customer outcomes.

13. Forensic Analysis

13.0.1 Regulated entities must identify the threat scenarios that might have a potential impact on their business and determine which pieces of digital evidence (e.g. types of logs) must be collected to facilitate forensic investigation.

13.0.2 Regulated entities must identify and document the digital evidence available on their systems and its location, and understand how the evidence must be handled throughout its life cycle.

13.0.3 Regulated entities must develop and implement a forensic readiness policy and the capability to support forensic investigation. The policy must also set out the relevant system logging policies, including the types of logs to be maintained and their retention periods. The regulated entity may outsource the conduct of forensic investigations to external specialists.

13.0.4 Regulated entities must establish procedures for securely collecting digital evidence in a forensically acceptable manner and in accordance with the requirements defined in the forensic readiness policy, taking into account the requirements of the Data Protection Act, 2019-29 and the Electronic Transaction Act, Cap. 308b. These procedures must describe how investigative staff must produce step-by-step documentation of all activities performed on digital evidence and their impact.
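As an added illustration that is not part of the guideline, the following Python sketch shows one way to produce the step-by-step, integrity-preserving record of actions on digital evidence that 13.0.4 and the chain-of-custody requirement in 13.0.5 call for: each custody entry commits to a SHA-256 hash of the evidence and to the previous entry, so any later change to the evidence or to the record itself is detected on verification. The evidence bytes, evidence identifier and actor names are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone
# Constructed sample evidence item (e.g. an exported authentication log).
SAMPLE_EVIDENCE = b"2026-03-01T09:12:44Z sshd[4122]: Failed password for admin from 10.0.0.5\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLedger:
    """Append-only chain-of-custody log. Each entry commits to the evidence hash and
    to the previous entry, so tampering with the evidence or the log is detected."""

    def __init__(self, evidence_id: str, evidence: bytes, actor: str):
        self.evidence_id = evidence_id
        self.entries: list[dict] = []
        self.record("acquired", actor, evidence)  # acquisition hash becomes the baseline

    def record(self, action: str, actor: str, evidence: bytes) -> dict:
        # Log one action (accessed, copied, transferred, ...) performed on the evidence.
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "evidence_id": self.evidence_id,
            "seq": len(self.entries),
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "actor": actor,
            "evidence_sha256": sha256_hex(evidence),  # hash as observed at this step
            "prev_entry_hash": prev,                  # link to the preceding entry
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self, evidence: bytes) -> tuple[bool, str]:
        # Re-check every link, then confirm the evidence still matches its acquisition hash.
        expected_prev, baseline = "0" * 64, self.entries[0]["evidence_sha256"]
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False, f"entry {e['seq']} altered after being recorded"
            if e["prev_entry_hash"] != expected_prev:
                return False, f"chain broken before entry {e['seq']}"
            if e["evidence_sha256"] != baseline:
                return False, f"evidence changed before '{e['action']}' at entry {e['seq']}"
            expected_prev = e["entry_hash"]
        if sha256_hex(evidence) != baseline:
            return False, "current evidence does not match acquisition hash"
        return True, "chain of custody intact"
```

In practice the ledger would be written to append-only storage that the investigating staff cannot modify, and each entry would be signed by the recording actor so that authorship, not just sequence, is provable.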
13.0.5 Regulated entities must establish policies for securely handling and storing the collected digital evidence, ensuring its authenticity and integrity. Regulated entities must develop procedures to demonstrate that the evidence's integrity is preserved whenever it is accessed, used or moved (i.e. chain of custody).

13.0.6 Regulated entities must train their staff so that all those involved in an incident understand their responsibilities related to handling the digital evidence, ensuring it is not compromised and remains valid as per the requirements of the local jurisdiction.

13.0.7 Regulated entities must make sure that staff specifically involved in the forensic investigation have the appropriate degree of competence in handling the digital evidence, ensuring that its authenticity and integrity are not compromised and that it remains valid as required by law.

14. Information and Intelligence Sharing

14.0.1 Information and intelligence sharing is one of the high-level building blocks in facilitating cyber resilience across the sector, by raising awareness of cyber risk, minimising its spread and supporting a regulated entity's defensive capabilities and threat detection techniques.

14.0.2 Regulated entities may adopt a systematic, unified approach to sharing information and intelligence with trusted stakeholders, which would better enable them to identify, assess, monitor and respond to cyber threats.

14.0.3 In order to achieve efficient and effective use of information and intelligence sharing opportunities, regulated entities may consider the following best practice approach:
a) Establish information and intelligence sharing goals and objectives that support business processes and security policies.
b) Identify existing internal sources of cyber threat information.
c) Specify the scope of information sharing activities and identify the types of information to be shared, for example:
i. Attackers' modus operandi
ii. Indicators of compromise
iii. Threats and vulnerabilities
iv. The circumstances under which information can be shared
v. How information provided to the regulated entity and other sector participants will be acted upon
d) Establish and regularly review information sharing rules.
e) Join and participate in information and intelligence sharing efforts.
f) Actively seek to enrich indicators by providing additional context, corrections or suggested improvements.
g) Use secure, automated workflows to publish, consume, analyse and act upon cyber threat information.
h) Establish a mechanism to access and share information with external stakeholders, such as regulators and law enforcement, in a timely manner.
i) Proactively establish cyber threat sharing agreements.
j) Protect the security and privacy of sensitive information.
k) Provide ongoing support for information and intelligence sharing activities.