The Bank of the Republic of Haiti issued Circular 126 to mandate computer security rules for financial institutions under the Banking Law of May 14, 2012. The regulation requires institutions to implement comprehensive security standards, including governance structures, risk management, physical and network protection, and mandatory internal and external audits every three years. Non-compliance triggers enforcement actions, including BRH-conducted audits at the institution's expense and daily fines of 100,000 gourdes for failure to rectify violations.
This circular determines the computer security rules to which financial institutions are subject, in accordance with Articles 83 and 161 of the Law of May 14, 2012, on banks and other financial institutions.
The following definitions apply to this circular:
a) Computer Security: The set of technical and non-technical (organizational, legal, human, etc.) measures put in place to establish, maintain, restore, and guarantee the security of computer systems.
b) Information System: An organized set of resources (hardware, human, organizational, etc.) enabling the acquisition, processing, storage, and dissemination of information (in the form of data, text, images, sound, etc.) within and between organizations.
c) Computer System: A set composed of hardware, software, networks, and usage procedures, intended to create, process, store, route, present, or destroy digital data.
The minimum security standards outlined below apply to the operation of the computer systems of financial institutions. These standards must ensure the availability, integrity, confidentiality, and traceability of all data and information managed through the computer system.
It is the responsibility of financial institutions to implement the most appropriate security measures given their specific situation and the importance of the operational assets to be protected.
The implementation of minimum security standards by third parties processing data on behalf of a financial institution must be controlled by the institution entrusting the work to these third parties, in accordance with the circular on internal control.
Financial institutions are required to implement the following standards and requirements:
a) Computer Security Policy: Every financial institution must have a written computer security policy updated on an annual basis. It must be approved by the Board of Directors of said institution.
b) Computer Security Committee: Every bank must have a computer security committee to validate and approve the computer security measures adopted in the context of implementing the computer security policy. This function is assigned to the Board of Directors for other categories of financial institutions.
c) Computer Security Organization: Every financial institution must:
d) Inventory: Every financial institution must maintain an inventory of computer hardware and software. This inventory must be kept regularly up to date based on established procedures.
e) Information Classification: Every financial institution must classify the information it holds according to its confidentiality level, determined by rules previously defined by the institution.
f) Protection of Systems and Data: Every financial institution must ensure that computer data is stored under conditions appropriate to its classification. It must also have updated systems to protect itself (prevention, detection, and recovery) against malicious code. The financial institution must implement a secure access management system for the data necessary for the application and execution of its operations.
Every financial institution must take adequate measures to protect confidential data recorded on mobile devices, which may leave the institution's secure perimeter.
g) Internet and Email: Every financial institution must establish and apply a code of conduct for the use of the internet and email.
h) Use of Personal Data: Every financial institution must inform internal collaborators and external persons associated with the processing of personal data regarding confidentiality and security obligations concerning this data.
i) Physical Access Protection: Every financial institution must grant access to buildings and computer premises only to authorized persons and carry out access control checks both during and outside working hours.
j) Fire, Intrusion, Damage Caused by Incident: Every financial institution must take measures for prevention, protection, detection, and intervention in case of fire, intrusion, and water damage.
k) Electricity Supply: Every financial institution must have an alternative electricity supply to guarantee the continuity of activities.
l) Access to Computer Systems by IT Managers: Access to spaces related to the management and development of the computer system (IT department, server room, etc.) of every financial institution must be reserved for identified, authenticated, and authorized IT managers and external providers, where applicable, in accordance with computer security policies.
m) External Connection: Every financial institution must use adequate security tools to protect its external connections.
n) Compliance with Security Requirements in the Conduct of IT Projects: Every financial institution must have procedures that take into account the security requirements of this circular in the context of the development or evolution of computer systems.
Furthermore, the financial institution must ensure in any IT project that the security requirements established at the beginning of the development phase, before any production deployment of new systems or significant evolutions in existing systems, are respected by the project manager.
o) Security at the Network Level and Remote Access: Every financial institution must implement the necessary, sufficient, and efficient technical measures for the adequate protection of its network. It must take adequate measures to secure remote access to its systems and data.
p) Documentation: Every financial institution must organize appropriate documentation for its computer systems and applications acquired or developed internally and ensure its regular update by recording evolutions or patches applied to them.
q) Structured Development Method: Every financial institution must adopt a structured approach for the secure development of computer systems.
r) Management of Information Security Incidents: Every financial institution must ensure that the Information Security Committee is not only systematically informed of incidents likely to compromise information security, but also of the measures taken to address them. A systematic listing of incidents must be organized and monitored by the Information Security Committee and General Management.
s) Continuity Management: Every financial institution must:
t) Internal and External Audit: Every financial institution must undergo an audit of the security of its computer system at least every three (3) years. A copy of the audit report must be attached to the annual internal control report, in accordance with the circular on minimum internal control standards.
In the event that a financial institution fails to audit its computer system according to the prescribed minimum periodicity of three years, the BRH may, after giving notice to the concerned institution, have a computer audit conducted at the expense of the financial institution. Furthermore, the financial institution committing such a violation is subject to a penalty of two hundred thousand gourdes (HTG 200,000.00).
The BRH may require a financial institution to rectify any situation relating to violations of the provisions of this circular and those noted in the computer audit report. In the event of non-compliance with the remediation actions required by the BRH, a financial institution is subject to a penalty of one hundred thousand gourdes (HTG 100,000.00) per day of infraction from the date on which the infraction is notified to it by the BRH.
Any fine will be deducted from the balance of one of the accounts of the offending financial institution at the BRH. The payment of any fine by any financial institution not holding an account at the BRH will be made by a cashier's check payable to the Bank of the Republic of Haiti, no later than five (5) business days after receipt of the notice demanding payment. In case of non-payment within the deadline, additional late penalties of two thousand five hundred gourdes (HTG 2,500.00) will be applied per day of delay.
The provisions of this circular enter into force on February 1, 2022.
Port-au-Prince, January 13, 2022
Jean Baden Dubois, Governor