2024-11-06

Mandatory Phishing Simulation Exercises and Reporting Requirements

The Maldives Monetary Authority mandates all commercial banks to conduct annual phishing simulation exercises and submit a summary of findings by the end of June each year. This report must detail click, conversion, and reporting metrics alongside an action plan to address identified vulnerabilities. Additionally, banks are required to report specific types of phishing attacks, such as spear phishing and business email compromise, via the Cyber Security Event reporting system regardless of system exploitation.


In the name of Allah, the Most Gracious, the Most Merciful

MALDIVES MONETARY AUTHORITY

Circular no: CN/2024/9289

6th November 2024

To: All Commercial Banks

Dear Sir/Madam,

Mandatory Phishing Simulation Exercises and Reporting Requirements

Phishing is one of the most common ways attackers can gain unauthorized access to an organization. Phishing attacks can lead to identity theft, financial loss, unauthorized transactions, credit card fraud, disruption of operations, data breaches, and significant financial costs. To combat these threats, banks must remain vigilant and proactive.

Phishing simulation exercises are essential for enhancing cybersecurity awareness and readiness within banks. These exercises educate employees on recognizing and responding to phishing attempts, test cybersecurity defenses, and identify vulnerabilities. Simulations help cultivate a security-conscious culture, improve cyber hygiene, and safeguard sensitive financial information.

Banks are required to conduct phishing simulation tests annually at a minimum and submit the summary of findings to MMA by the end of June each year. The summary of findings should include:

  • Results and Metrics:
    • Click rates: Percentage of recipients who clicked on phishing links.
    • Conversion rates: Percentage of recipients who entered sensitive information.
    • Reporting rates: Percentage of recipients who reported suspicious emails.
  • Action Plan:
    • Steps to address vulnerabilities: Outline measures taken or planned to mitigate identified risks.
    • Future plans: Ongoing efforts for regular simulations and continuous training.

Additionally, in reference to Circular no. CN-BSD/2019/18 (dated 31st December 2019), banks must report the following types of phishing attacks to MMA via Cyber Security Event reporting, regardless of whether the system was exploited or not:

  • Spear Phishing: Targeted attacks using personalized information.
  • Whaling: Attacks on high-profile executives.
  • Clone Phishing: Replicating legitimate emails with malicious links.
  • Pharming: Redirecting traffic to fraudulent websites.
  • Business Email Compromise (BEC): Impersonating executives or partners.
  • Credential Harvesting: Stealing login credentials through fake pages.
  • CEO Fraud: Impersonating high-ranking officials for financial gain.
  • Man-in-the-Middle (MitM) Phishing: Intercepting communications to steal information.

Regular reporting of these attacks helps monitor trends, identify threats, and develop effective countermeasures to protect the banking sector.

Please upload the summary of findings to the MMA extranet under "Phishing Simulation Test Results: Summary of Findings" (PSTR).

Yours sincerely,

[Signature]

Ahmed Imad
Deputy Governor


Phone: +960 3314940 / +960 3339880
SWIFT: MMAUMVMV
Email: mail@mma.gov.mv
Maldives Monetary Authority
mma.gov.mv