SUMMARY
NOTICE
The matter to be published in the «Boletim da República» must be submitted as a duly authenticated copy, one for each subject matter, containing the necessary indications for this purpose, along with the following endorsement, signed and authenticated: For publication in the «Boletim da República».
IMPRENSA NACIONAL DE MOÇAMBIQUE, E. P.
Bank of Mozambique:
Notice No. 1/GBM/2024:
Establishes rules on Own Funds and Prudential Limits of Payment Service Providers.
Notice No. 2/GBM/2024:
Approves Cyber Risk Management and Resilience Guidelines.
Friday, 15 March 2024 | FIRST SERIES — Number 54
BANK OF MOZAMBIQUE
Notice No. 1/GBM/2024
of 15 March
Given the need to establish rules on own funds and prudential limits for payment service providers, the Bank of Mozambique, exercising the powers conferred by paragraph 1 of Article 80, paragraph 1 of Article 85, and paragraph 2 of Article 90, all of Law No. 20/2020, of 31 December, the Law on Credit Institutions and Financial Companies, determines:
CHAPTER I
General Provisions
ARTICLE 1
Subject Matter
This Notice establishes the rules on own funds and prudential limits of payment service providers.
ARTICLE 2
Scope of Application
This Notice applies to payment service providers.
CHAPTER II
Prudential Rules
SECTION I
Own Funds
ARTICLE 3
Composition of own funds
The own funds of payment service providers consist of positive and negative elements, as defined in Articles 4 and 5 of this Notice.
ARTICLE 4
Positive elements of own funds
The following are considered positive elements of own funds:
a) paid-up capital, including the portion represented by non-convertible preference shares;
b) share and other securities issue premiums;
c) legal, statutory, and other reserves formed by undistributed profits;
d) carried-forward positive results from previous financial years;
e) current year positive results, under the conditions referred to in Article 11;
f) provisional current year positive results, under the conditions referred to in Article 11;
g) portion of reserves and results corresponding to deferred tax assets;
h) elements characterized in Article 12, subject to approval by the Bank of Mozambique;
i) elements characterized in Article 13;
j) reserves arising from the revaluation of tangible fixed assets, carried out under the Legal Instrument authorizing it;
k) subordinated loans, under the conditions referred to in Article 14; and
l) paid-up portion of convertible preference shares.
ARTICLE 5
Negative elements of own funds
The following are considered negative elements of own funds:
a) treasury shares, at their book value;
b) other own elements falling under the preceding article, at their book value;
c) intangible assets;
d) carried-forward negative results from previous financial years;
e) current year negative results.
2. As part of the framework referred to in the preceding paragraph, payment service providers must establish:
a) procedures for identifying, assessing, and monitoring the operational risk inherent in their significant products, services, and systems;
b) the risk tolerance level;
c) procedures for controlling and mitigating risk;
d) effective incident management procedures, including for detecting and classifying severe operational and security incidents; and
e) disaster recovery and business continuity plans.
3. Payment service providers must provide the Bank of Mozambique, annually and upon request, a comprehensive and updated assessment of operational and security risks, as well as the adequacy of risk mitigation measures and control mechanisms applied in response to these risks.
ARTICLE 26
Incident Reporting
In the event of a severe operational or security incident, payment service providers must:
a) immediately notify the Bank of Mozambique; and
b) if the incident has or is likely to have repercussions on the financial interests of their payment service users, immediately inform them of the incident and all measures they may take to mitigate its adverse effects.
CHAPTER IV
Final and Supplementary Provisions
ARTICLE 27
Submission of Information
Payment service providers must submit to the Bank of Mozambique:
a) the own funds statement, referencing the last day of each month and within 15 days thereafter;
b) the statement of ratios and prudential limits, quarterly; and
c) by the 15th day of each month:
i. the balance of fiduciary accounts and their respective deposit concentration ratio;
ii. the interest balances of fiduciary accounts; and
iii. the total balance of electronic money held by them and its ratio to fiduciary account balances.
ARTICLE 28
Sanctions Regime
Breach of the provisions of this Notice constitutes an offense provided for and punishable under Law No. 20/2020, of 31 December.
ARTICLE 29
Clarification of Doubts
Doubts regarding the interpretation and application of this Notice must be submitted to the Prudential Supervision Department of the Bank of Mozambique.
ARTICLE 30
Compliance Period
Institutions must align their acts and procedures with the provisions of this Notice within 180 days from the date of its entry into force.
ARTICLE 31
Entry into Force
This Notice enters into force 90 days after its publication date.
Bank of Mozambique, in Maputo, on 25 January 2024.
— Governor, Rogério Lucas Zandamela.
Notice No. 2/GBM/2024
of 15 March
Given the need to establish guidelines for mitigating cyber risk, with the objective of, on one hand, promoting governance and management of this risk in the financial sector, and on the other, providing requirements for institutions to refine their posture regarding cyber resilience, the Bank of Mozambique, exercising the powers conferred under paragraph 2(d) of Article 37 of Law No. 1/92, of 3 January, the Organic Law of the Bank of Mozambique, determines:
1. The Cyber Risk Management and Resilience Guidelines are hereby approved and form an integral part of this Notice.
2. This Notice enters into force 180 days after its publication date.
Doubts regarding the interpretation and application of this Notice must be submitted to the Prudential Supervision Department.
Bank of Mozambique, in Maputo, on 31 January 2024.
— Governor, Rogério Lucas Zandamela.
Cyber Risk Management and Resilience Guidelines
CHAPTER I
General Provisions
ARTICLE 1
Subject Matter
These Guidelines establish the general framework for governance, cyber risk management, and resilience.
ARTICLE 2
Scope
These Guidelines apply to credit institutions and financial companies, hereinafter referred to as institutions.
ARTICLE 3
Proportionality
In applying these Guidelines, institutions must adopt a risk-based approach and direct mitigation efforts so that implemented measures are proportional to their level of exposure to cyber risk.
ARTICLE 4
Definitions
The terms and expressions used in this Notice are defined in the Glossary, attached, which forms an integral part hereof.
ARTICLE 5
Cyber Risk Self-Assessment
1. Institutions must conduct a self-assessment of their cyber risk management and resilience processes, taking into account the components set out in Article 7 of these Guidelines, and submit the respective results to the Bank of Mozambique, along with the Remediation Plan.
2. The documents referred to in the preceding paragraph must be prepared as of 31 December of the previous year and submitted to the Bank of Mozambique by 31 March of the following year.
ARTICLE 6
Incident Reporting
Institutions must report cyber incidents within a maximum of 24 hours from the time of their occurrence, via the channel and in the model determined by the Bank of Mozambique.
CHAPTER II
Cyber Risk Management and Resilience
SECTION I
Components
ARTICLE 7
Cyber risk management components
1. Cyber Risk Management encompasses 9 domains, namely:
a) governance;
b) identification;
c) protection;
d) detection;
e) response and recovery;
f) situational awareness;
g) testing;
h) outsourcing; and
i) learning and evolution.
2. Within the cyber risk management components, it is understood that:
a) Governance: mechanisms implemented by institutions to enable the establishment, implementation, and review of the cyber risk management approach;
b) Identification: process by which institutions must identify, classify, record, and update all their critical functions and respective interconnections, including information assets, key personnel functions, and processes supporting these functions. This action aims to enable the institution to prioritize protection, detection, response, and recovery processes for each of these functions;
c) Protection: set of security controls, systems, and processes implemented by institutions to safeguard the confidentiality, integrity, and availability of information;
d) Detection: set of measures enabling institutions to recognize signs of potential cyber incidents or detect intrusions that have occurred;
e) Response and recovery: mechanisms enabling institutions to resume critical functions quickly, safely, and with accurate data, in order to mitigate potentially systemic failure risks;
f) Situational awareness: practices enabling institutions to understand the cyber threat environment in which they operate, its implications for their business, and the adequacy of their cyber risk mitigation measures. These practices enable building a strong level of awareness and commitment to ensure overall cyber resilience;
g) Testing: set of measures implemented by institutions to identify gaps in resilience objectives and provide significant inputs to the cyber risk management process;
h) Outsourcing: measures through which institutions are expected to incorporate cyber resilience when developing and updating their outsourcing structure, considering the associated cyber risk and risk arising from financial ecosystem interconnections; and
i) Learning and evolution: practices through which institutions ensure their cybersecurity programs achieve continuous cyber resilience within a dynamic threat scenario, becoming effective in monitoring the rapid evolution of threats.
SECTION II
Governance
ARTICLE 8
Strategy and framework
1. Institutions must establish a cybersecurity strategy and framework adapted to their nature, size, cyber risk profile, and culture.
2. The cybersecurity strategy and framework must specify how to identify, manage, and effectively reduce cyber risks in an integrated and comprehensive manner.
3. The cybersecurity strategy and framework must be established, maintained, and adapted to specific cyber risks and properly guided by national sector standards and international best practices.
ARTICLE 9
Cyber risk management
1. Cyber risk management must be established as an integral part of the organizational risk management program, in which institutions assess the inherent cyber risk to people, processes, technology, activities, products, and services identified.
2. Institutions must identify risks and evaluate the existence and effectiveness of protection controls against identified risk, to determine residual risk.
3. Cyber risk must be properly identified, classified, and mapped through a scenario considering both internal and external agents, so that controls are implemented as treatment and mitigation measures for this risk.
4. Institutions must consider that cyber risk may vary according to the institution's business model, partners, service providers, and suppliers, and not necessarily according to their degree of relevance.
ARTICLE 10
Roles and responsibilities
Institutions must define the responsibilities of different functions involved in risk management, namely:
a) clearly define the responsibilities of all management and oversight functions, including lines of defense, as well as necessary committees for cyber risk oversight;
b) ensure that cyber risk management is incorporated into their governance and risk management structures, processes, and procedures, including provisions regarding direct reporting lines to the governing body; and
c) ensure that a cybersecurity function is established with adequate resources, appropriate authority, and access to the governing body, where applicable.
ARTICLE 11
Cybersecurity strategy
1. Institutions must establish and maintain a cybersecurity strategy approved by the governing body and aligned with their global strategies.
2. The cybersecurity strategy must comprise:
a) the importance of cyber resilience to the institution;
b) high-level stakeholder requirements;
c) the institution's vision and mission regarding cyber resilience;
d) cyber resilience objectives;
e) cyber risk appetite;
f) cyber resilience targets and the respective implementation plan;
g) high-level scope of technology and assets used to manage cyber resilience;
h) how cyber resilience initiatives are delivered, managed, and funded;
i) integration of cyber resilience into people, processes, technology, and new or existing institutional initiatives;
j) data management; and
k) cybersecurity awareness.
3. Institutions must review the cybersecurity strategy at least annually, in order to incorporate changes in the cyber threat landscape, allocate resources, identify and correct gaps, and incorporate lessons learned.
ARTICLE 12
Cybersecurity policies and procedures
1. At least annually, institutions must define and quantify business tolerance regarding cyber risk and ensure consistency with organizational strategy and risk appetite.
2. Institutions must establish metrics to collect information enabling the preparation of reports, both at the technical and executive levels, across all aspects of their cyber risk management implementation program.
ARTICLE 13
Governing body responsibilities
1. The governing body is ultimately responsible for:
a) ensuring the institution complies with the requirements established in these Guidelines; and
b) overseeing cyber risk management, which may be primarily delegated to an existing or newly created committee.
2. The governing body must also:
a) ensure, in coordination with top management bodies, the establishment of solid and robust cybersecurity strategy and framework, and its implementation;
b) guarantee that top management collaborates with other stakeholders, as relevant and appropriate, to ensure system cyber resilience;
c) ensure that functions and responsibilities regarding security are clearly defined in the contract or Service Level Agreement (SLA) with outsourced service providers;
d) ensure the conduct of cyber risk self-assessment; and
e) ensure the effectiveness and efficiency of internal audit within the assessment of risk-bearing processes or monitoring of external audits and certifications.
ARTICLE 14
Top management responsibilities
1. Top management must ensure that a senior executive is responsible for implementing the institutional risk and resilience management strategy and structure.
2. Top management must present, at least annually, a written report to the governing body on the overall state of cyber risk and resilience.
3. For the purposes of paragraph 1 of this article, top management must ensure that the senior executive:
a) acts independently;
b) has direct access to the governing body; and
c) possesses adequate skills, knowledge, and experience in the relevant specialty.
ARTICLE 15
Cybersecurity framework
The cybersecurity framework must:
a) incorporate, at minimum, the following areas:
i. identification, including asset classification and risk;
ii. protection, including logical and physical controls;
iii. human resource security;
iv. change and patch management;
v. third-party management;
vi. detection;
vii. cybersecurity incident management mechanisms;
viii. response and recovery;
ix. testing;
x. situational awareness;
b) define how institutions establish their risk tolerance and cyber objectives, and how they identify, mitigate, and manage their cyber risk;
c) incorporate the guidelines of this Notice related to governance, empowerment, and third-party risk management;
d) be prepared considering the components referred to in Article 7 of this Notice, and aligned with sector-oriented international standards and best practices;
e) be consistent with the organizational risk management framework;
f) be reviewed at least annually to verify the adequacy and effectiveness of controls, through independent compliance programs and audits conducted by qualified individuals; and
g) determine the necessary controls to keep risk within the established appetite.
SECTION III
Identification
ARTICLE 16
Institutions' duties
1. Institutions must:
a) identify business processes, critical functions, and information assets supporting the business and service delivery, including those managed by outsourced service providers;
b) classify business processes and information assets in terms of criticality and sensitivity, which in turn must guide the prioritization of their protection, detection, and response;
c) conduct annual risk assessments on critical functions and supporting information assets, to ensure that they are not compromised and are protected against external dependencies, in order to determine priorities among them;
d) maintain an updated inventory at least annually of all critical functions, key roles, processes, information assets, outsourced service providers, and interconnections;
e) integrate efforts in identifying other relevant processes, such as acquisition and change management, to facilitate regular review of their inventory;
f) create and maintain an updated inventory, reviewed at least annually, of all individual and system accounts, to include accounts with remote access or privileged access rights, ensuring that access to sensitive information and supporting systems is maintained only when necessary;
g) identify and document all processes dependent on relationships with outsourced service providers and identify their interconnections, updating the information whenever applicable;
h) conduct cyber risk assessments prior to the introduction or update of technologies, products, services, or processes, to identify associated threats or vulnerabilities in a timely manner;
i) create and maintain the internal and external network topology and connectivity, including resources supporting critical functions; and
j) safeguard that governance and oversight of the cybersecurity function is independent in its reporting from operations, ensuring adequate segregation of duties and avoiding any potential conflicts of interest.
2. The network topology referred to in subparagraph (i) of the preceding paragraph must be updated whenever necessary.
ARTICLE 17
Asset Management
1. Systemically important domestic institutions must ensure the implementation of automated asset management solutions enabling traceability and correlation between services, provided products, and supporting assets, both hardware and software, to enable identification of the failure point in case of disruption or unavailability of these services.
2. The Bank of Mozambique evaluates on a case-by-case basis and whenever circumstances dictate, the need for other institutions to implement automated asset management solutions, as provided in this provision.
SECTION IV
Protection
ARTICLE 18
Cyber resilience capabilities
Institutions must create cyber resilience capacity and implement cybersecurity practices that are adequate and effective to prevent, limit, or contain the impact of a potential cyber event.
ARTICLE 19
Cybersecurity objectives
1. Institutions must implement a comprehensive and appropriate set of security controls to achieve cybersecurity objectives, in response to their business requirements, based on the identification of critical functions, key roles, processes, information assets, third-party service providers, and interconnections, according to the risk assessment in the identification phase.
2. Cybersecurity objectives must ensure:
a) continuity and availability of information systems and protection of the integrity of information stored in their systems, both in use and in transit;
b) protection, integrity, confidentiality, and availability of data in storage, use, and transit; and
c) compliance with applicable laws, regulations, and other standards.
3. Institutions must update their security controls at least annually,