Central Bank of Solomon Islands Prudential Guideline No.20 on Cybersecurity

CENTRAL BANK OF SOLOMON ISLANDS Financial Systems Regulation Department

Prudential Guideline No.20 On Cybersecurity

Background

1. This Prudential Standard is issued under Section 28(1) of the Central Bank of Solomon Islands Act 2012 and forms part of the Central Banks prudential standards governing the conduct of Financial Institutions (FI) in Solomon Islands.

2. In preparing the requirements of this Prudential Standard, reference has been made to the recommendations of international financial sector supervisory standard setters and international sound practices and standards on cybersecurity.

Applicability

3. The Prudential Standard is applicable to Financial Institutions (FIs) licensed and deemed licensed by the Central Bank of Solomon Islands under the Financial Institutions Act 1998 (as amended) or any other relevant laws.

Objectives and key requirements

4. This Prudential Standard aims to ensure that FIs have in place a cybersecurity governance and risk management framework commensurate with the FI’s inherent cybersecurity risk, so as to ensure the business impact from the occurrence of cybersecurity vulnerabilities or cybersecurity incidents are kept to a minimum and are within the FI’s risk tolerance levels.

5. Key requirements of this Prudential Standard are that the Board of an FI is ultimately responsible for ensuring prudent and comprehensive cybersecurity risk management of the institution, and that the FI must: a. establish and maintain a comprehensive and effective cybersecurity risk management framework; b. clearly define the cybersecurity-related roles and responsibilities of the Board, senior management, governing bodies and individuals; c. maintain a cybersecurity capability commensurate with the size and extent of threats to its information assets;

---

2

d. implement controls to protect its information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls; and
e. minimise the likelihood and impact of cybersecurity incidents on the confidentiality, integrity or availability of information assets, including information assets managed by related parties or third-parties.

Definitions

6. As used in this Prudential Standard the following terms, unless otherwise clearly indicated by the content, have the meanings specified below.

"Availability" means timely and reliable access to and use of information;

"Confidentiality" means access being restricted only to those individuals, entities or processes authorized;

"Criticality" means the degree of importance to potential loss of availability;

"Cybersecurity" means controls and processes to preserve the confidentiality, integrity and availability of information assets;

"Cybersecurity Capability" means the totality of resources, skills and controls which provide the ability and capacity to maintain information security;

"Cybersecurity Control" means a prevention, detection or response measure to reduce the likelihood or impact of an information security incident;

"Cybersecurity Incident" means an actual or potential compromise of the confidentiality, integrity or availability of an institution’s system or data;

"Cybersecurity Policy Framework" means the totality of policies, standards, guidelines and procedures pertaining to information security;

"Cybersecurity Threat" means a circumstance or event that has the potential to expose an information security vulnerability;

"Cybersecurity Vulnerability" means weakness in an information asset or information security control that could be exploited to compromise information security;

"Data at Rest" means data held or stored on some form of storage system;

"Data in Transit or Motion" means data being transferred over some form of communication link;

---

3

"Data in Use" means data that is being accessed or used by a system at a point in time;

"Firewall" means system or combination of systems that enforces a boundary between two or more networks typically forming a barrier between a secure and an open environment such as the Internet;

"Information Asset" means information and information technology, including software, hardware and data (both soft and hard copy);

"Integrity" means completeness, accuracy and freedom from unauthorised change or usage;

"Sensitivity" means the potential impact of a loss of confidentiality or integrity;

"Malware" means a collective term used to describe a variety of malicious programs (including viruses, worms, Trojan horses, ransomware, spyware, adware, shareware etc.) designed to spread and replicate from computer to computer through communications links or through sharing of electronic files to interfere with or damage computer operation;

"Material Activities" means activities of such importance that have a significant impact on the banking institution’s business operations or its ability to manage risks effectively should such activities be disrupted;

"Need to Know Basis" means the restriction of sensitive data using a tight security method in which information is only given to those who need it, to do a particular task;

"Penetration Testing" means the practice of testing a computer system, network or web application for security weaknesses or vulnerabilities that might potentially be exploited;

"Software System End of Life" means with respect to a software product, indicating that the product is in the end of its useful life;

"Vulnerability Assessment" means the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system;

---

4

GOVERNANCE

Cybersecurity risk management

7. FIs must have in place a framework for cybersecurity risk management (CSRMF) and this should be an integral part of the FI’s enterprise risk management framework. A comprehensive and effective CSRMF must at a minimum include: a) clear definition of the elements of cybersecurity governance such as organisation structures, roles and responsibilities and reporting lines; b) a formally documented statement of the Board’s cybersecurity risk tolerance; c) cybersecurity risk assessment methodology and tools; d) cybersecurity processes which considers identification, protection, detection, response and recovery functions; e) process for reviewing the effectiveness of the framework, and continuous improvement and learning process; and f) three lines of defense risk management for cybersecurity.

8. An FI’s CSRMF must be documented and approved by the Board. The CSRMF must be reviewed regularly.

9. FIs must have a designated cybersecurity risk management function, that, at a minimum: a) is responsible for assisting the Board, board committees and senior management of the institution to maintain CSRMF; b) is appropriate to the size, business mix and complexity of the FI; c) has independent reporting lines to the Board, board committees and senior management of the institution, so to conduct its risk management activities in an effective and independent manner; d) is resourced with staff who possess appropriate experience and qualifications to exercise their responsibilities; e) is headed by a person designated as the Chief Information Security Officer (CISO) or an equivalent senior officer of the FI; f) includes a formally documented statement of the Board’s cybersecurity risk tolerance; g) includes risk assessment methodology and tools; h) includes cybersecurity processes which considers identification, protection, detection, response and recovery functions; i) includes process for reviewing the effectiveness of the framework, and continuous improvement and learning process; and j) includes three lines of defense risk management for cybersecurity.

10. FIs which are subsidiaries or branches may adopt the CSRMF of their parent, but the minimum requirements of this standard must be complied with on a standalone entity basis.

---

5

Cybersecurity strategy

11. FIs must develop and document an enterprise wide cybersecurity risk strategy, approved by the Board.

12. The strategy must: a) outline the cybersecurity risk concept and the cybersecurity challenges facing the FI; b) explain the FI’s overall approach to cybersecurity risk management and how this aligns to the FI’s business strategy; c) include key elements of the FI’s cybersecurity risk management objectives, principles and implementation; d) be aligned with the Board’s established and documented cybersecurity risk tolerance; e) establish a plan for cybersecurity risk management to identify, assess and control cybersecurity threats covering people, process, technologies and policies.

13. FIs must conduct regular reviews of its cybersecurity strategy to ensure the strategy remains relevant and current to the FI’s overall business strategy and risk tolerances.

Policy framework

14. FIs must have in place a cybersecurity policy framework commensurate with its exposures to vulnerabilities and threats, covering policies and procedures for cybersecurity risk identification, measurement, monitoring and control.

15. Cybersecurity policies and procedures must cover requirements arising from the FI’s business strategy, regulatory framework and the current and projected cybersecurity threat environment.

16. The cybersecurity policy framework should cover, inter alia: a) information asset management; b) access control; c) physical and environmental security; d) end user management; e) cryptography; f) operations security; g) communication; h) system development; i) third-party relationships; j) incident management; k) business continuity; and l) regulatory compliance.

---

6

17. FIs should review and update cybersecurity policies and procedures at least annually or when major changes occur in its security environment.

Roles and Responsibilities

18. The Board and senior management of an FI must ensure that a sound and robust CSRMF is established and maintained.

19. The Board of an FI is ultimately responsible for the institution’s CSRMF and is responsible for the oversight of its operation by management, and must, inter alia: a) approve the CSRMF; b) approve the institution’s cybersecurity strategy (CSS); c) set and formally document the cyber security risk tolerance; d) approve cyber security policies and procedures; e) ensure receipt of information on the cyber security risk profile of the institution, including significant cyber security incidents; and f) ensure the CSRMF is subject to effective and comprehensive audits and testing.

20. Senior management of an FI is responsible for implementing and maintaining the CSRMF consistent with the Board’s cybersecurity risk tolerance, and must, inter alia: a) ensure sufficient resources are available for effective operation of the cyber security risk management framework; b) develop and maintain a comprehensive cyber security policy framework, and ensure that policies and procedures are clearly communicated throughout the institution; c) maintain a process of continuous assessment of the institution’s cyber security risk profile and associated periodic reporting; d) periodically review, assess and enhance the effectives of the CSRMF; and e) establish the institution’s cybersecurity strategy (CSS).

21. The Chief Information Security Officer (CISO) (or equivalent) of an FI is responsible for: a) managing the CSRMF; b) developing and enhancing the CSRMF; c) ensuring the consistent application of policies and standards across all technology projects, systems and services; d) providing leadership to the FI’s cybersecurity organization; e) partnering with business stakeholders across the company to raise awareness of cybersecurity risk management concerns; f) assisting with the overall FI’s technology planning, providing a current knowledge and future vision of technology and systems.

---

7

22. The internal auditor of an FI is responsible for conducting periodic cybersecurity risk assurance audit of the FI and this should include testing of the cybersecurity environment of the FI.

23. The compliance manager of an FI is responsible for conducting compliance assessment on the cybersecurity risk policy framework of the FI.

HUMAN RESOURCES

Screening and background checks

24. FIs must have a comprehensive screening and background checking process for prospective employees and contractors, that covers relevant laws, regulations and ethics.

25. FIs must have in place documented policy and controls regarding recruitment and hiring of personnel (including employees and suppliers), identity and access management, and segregation of duties, employee mobility, transfer and leave.

26. The screening and background checking process of the FI should be proportional to the business requirements, sensitivity of the information to be handled and the perceived risks.

Necessary competence

27. FIs must have employment guidelines to ensure that all employees hired for cybersecurity related roles have the necessary skills and experience to perform the role in a trusted, competent manner.

Security awareness program

28. FIs must have a cybersecurity awareness and training program to ensure that all employees and contractors are aware of their responsibilities for cybersecurity and how those responsibilities are to be discharged.

29. The cybersecurity awareness and training program must encompass the entire range of target audiences, including employees, managers, developers, system and infrastructure administrators, external entities, suppliers and customers.

30. Cybersecurity awareness training should be conducted at least annually.

31. The cybersecurity awareness and training should be conducted when employees are transferred to a new position or roles with substantially different cybersecurity requirements and during the onboarding of employees.

---

8

Contractors

32. FIs must have a policy and associated written guidelines on engaging contractors to critical information technology operations and cybersecurity functions. The guidelines at a minimum include: a) screening and background checks; b) communication protocols; c) terms and conditions of the engagement; d) compliance to FI’s code of conduct; e) confidentiality and non-disclosure agreements; and f) fit and proper criteria.

ASSET MANAGEMENT

Asset inventory and ownership

33. FIs must ensure that all information, information processing and communication assets are identified and inventoried. The inventory of these assets should be drawn up, maintained accurately and kept up to date.

34. Ownership of information assets maintained in the inventory must be appropriately assigned. The asset owners should: a) define protection requirements for the assets owned, be accountable for these protection requirements and ensure regular review¹; and b) identify assets critical to the continued operation of the institution to ensure commensurate protection.

Information classification

35. FIs must define and have in place a Board approved information asset classification scheme. The classification scheme, at a minimum, must: a) include confidentiality, integrity, and availability requirements for each category; and b) have institution wide applicability.

36. Information assets that are in the highest protection category, at a minimum, should be labelled regardless of their format (physical or electronic).

¹ For information assets, at a minimum, protection must be defined in terms of confidentiality, integrity, and availability requirements.

---

9

Media handling

37. FIs must have appropriate policies and procedures in place to prevent unauthorised access, modification, removal or destruction of media used for the storage of information assets.

ACCESS CONTROL

Principles of access control

38. FIs must establish, document and implement relevant policies and procedures to control access to information assets and information processing and transmitting facilities.

39. The policies must align to international best practice standards and at a minimum include: a) information dissemination and authorisation (for example the “need to know” and “default deny” principles, information security levels and classification of information); b) application of segregation of duties principles commensurate with the size and complexity of the institution and the risk level of the operations and functionalities involved; and c) clearly defined roles and responsibilities.

User access management

40. FIs must establish, document and implement relevant policies, and procedures to address the following: a) user identification (ID) (account) lifecycle management including creation, modification, suspension and deletion of user identities; b) access rights lifecycle management, including requesting, approving, granting, changing and revoking access rights; c) appropriate recording of audit trails for all access rights related activities; d) user IDs and access rights activities must be regularly (at least annually) reviewed and any discrepancy with policies promptly followed up, resolved and appropriately reported; e) requirements for secret authentication information for all user IDs compliant with defined and enforced complexity requirements and expiration times, that effectively mitigate the risk of uncovering them; f) requirements for privileged access rights assigned to user IDs different from those used for regular business or ICT related activities must include: i. the number of user IDs with privileged access rights must be kept at the minimum possible; ii. to the extent possible privileged user ID must be set up with strong (i.e. two-factor or three-factor) authentication; and iii. activities performed using privileged access rights should be subject to close monitoring. g) requirements for the use of generic administration user IDs limiting usage to the extent possible.

---

10

CRYPTOGRAPHY

Use of cryptography to protect sensitive data

41. FIs must have a comprehensive policy on the use of cryptography for protection of confidentiality, authenticity and integrity of information. The policy at a minimum must include: a) senior management’s approach towards the use of cryptographic controls across the institution; b) use of encryption (e.g. end-to-end encryption) and authentication measures on a risk-based basis to safeguard data during transmission across open and public networks as per the institution’s classification scheme on criticality and sensitivity of information; c) the use of encryption for protection of information transported through devices and equipment; d) methods to deal with the protection of cryptographic keys and the recovery of encrypted information in the case of lost, compromised and damaged keys; and e) vetting functions involving cryptographic algorithms and crypto-key configurations for deficiencies and loopholes.

Key management

42. FIs must have a key management policy to ensure that cryptographic Keys are secure through their whole life cycle. The policy at a minimum to include: a) methods for generating keys for different cryptographic systems and different applications and disposal of materials used in the generation of Keys; b) hardware security modules and keying materials are physically and logically protected; c) procedures for issuing and obtaining public Key certificates; d) storing Keys, including how authorised users obtain access to Keys; e) procedures on exchanging or updating Keys upon expiry, including rules when Keys should be changed and how this will be done; f) dealings with compromised Keys, revoking Keys, lost Keys and backing up or archiving Keys; and g) when cryptographic Keys are being used or transmitted, the FI should ensure that these keys are not exposed during usage and transmission.

43. Cryptographic Keys should be used for a single purpose to reduce the impact of an exposure of a Key.

---

11

44. FIs should consider and decide the appropriate lifetime (validity period) of each cryptographic Key².

PHYSICAL AND ENVIRONMENTAL CONTROLS

Physical security of information processing facilities

45. FIs must define security perimeters to protect areas that contain sensitive or critical information and information processing facilities.

46. Physical and logical access to data centre and systems should be permitted only for individuals who are identified and authorised, and authorisation should be limited only to those with a legitimate business need for such access according to job responsibilities.

47. Physical access of staff to the data centre should be revoked immediately if it is no longer required.

48. FIs must ensure that there is proper notification of and approval for third-parties who requires temporary access to the data centre to perform maintenance or other approved work.

49. FIs must ensure that visitors or third-parties are accompanied at all times by an authorised employee while in the data center.

50. FIs must ensure that the data centre building, facility, and equipment room are physically secured and monitored at all times and deploy security systems and surveillance tools, as appropriate.

Physical entry controls

51. FIs must ensure secure areas are protected by effective entry controls that only allow access to authorised personnel at all times.

52. FIs must maintain a physical log book for recording physical movements in the data centre for all personnel access, including information technology personnel, visitors and third-parties.

53. The log book should be reviewed regularly for suspicious access.

54. The access rights to data centre should be regularly reviewed and updated and revoked when necessary.

² The sensitivity of data and operational criticality should determine the frequency of Key changes.

---

12

55. FIs should conduct spot checks on the physical security of the information processing facilities of the institution.

56. FIs must verify that adequate physical security measures are implemented at third-party payment kiosks, which accept and process the FI’s payment cards.

Equipment protection

57. FIs must have adequate controls in place for equipment and devices issued to employees to prevent loss, damage, theft or compromise of equipment and devices and interruption to the institution’s operations.

58. FIs should also have adequate controls in place for: a. maintenance of the equipment and devices; b. removal of equipment and devices; c. security of equipment and devices off-premises; d. secure disposal or re-use of equipment and devices; and e. unattended user equipment and devices.

Clear desk policy

59. FIs must have and implement a clear desk policy for all personnel, that includes papers and removable storage media.

60. FIs must have a clear screen policy for at least the information processing facilities.

OPERATIONS SECURITY

Operational procedures and responsibilities

61. FIs must have formal documented procedures for operational activities relating to information processing and communication facilities; including: a. computer start-up and close-down procedures; b. equipment maintenance; c. operation and management of media; and d. mail management.

62. Operational procedures should clearly identify management responsibilities and controls over all changes relating to information processing and communication facilities³.

³ In this regard, LFIs should maintain a register of these changes.

---

13

63. FIs must implement appropriate monitoring systems for the use of all information technology resources, to ensure effective operational control of information processing and communication facilities.

64. To ensure sufficient operational capacity, FIs must monitor the volume of use of information processing and communication facilities and project and manage future capacity requirements.

65. Commensurate to the level of risks inherent in an information system, FIs must ensure that there is an adequate segregation and separation of duties for systems development, testing and operational environments.

Malware protection

66. FIs must ensure that all information processing and communication facilities have up-to-date malware protection mechanisms.

Backup

67. FIs must maintain information backup facilities ensuring that significant information and software can be recovered following an operational failure, disruption or disaster.

68. FIs must ensure backup duplicates of data, applications, and system images are taken and tested regularly in accordance with documented and approved backup policy and procedures.

69. FIs must ensure that the backup policy and procedures are based on defined data loss tolerances and recovery requirements and address retention and protection requirements.

70. FIs’ backups must be accessible at a remote location that is unlikely to be affected by the same operational failure, disruption or disaster event as the main processing site.

71. In cases of critical assets, backups must cover all information necessary for a comprehensive recovery in the event of an operational failure, disruption or disaster.

Logging and monitoring

72. FIs must keep and regularly review event logs that record user activities (including system administrators), exceptions, faults and information security events.

73. Event logs must: a. be protected against unauthorised access, tampering, and data loss (including by system administrators); and

---

14

b. be subject to privacy controls.

74. FIs must ensure all clocks of data processing and communication services are automatically synchronized to a single reference time source.

Software installation

75. FIs must have in place documented policies and procedures to control changes to software on operational systems.

76. All installation and systems upgrades and updates must be assessed, approved, implemented and reviewed in a controlled manner, in accordance with documented policies and procedures.

77. FIs must have stated strategies and plans for Software System End of Life in the institution.

78. FIs must adopt and enforce policies to control types of software and updates users may install.

Vulnerability management

79. Information about technical vulnerabilities of information systems must be obtained in a timely fashion.

80. FIs’ exposure to such security vulnerabilities are to be evaluated and appropriate measures are to be implemented to address the associated security risks.

81. FIs must establish the roles and responsibilities associated with vulnerability management, including vulnerability monitoring, vulnerability risk assessment and the installation of security updates.

82. FIs should install all relevant security updates to software on operational systems without undue delay and prioritizing high risk systems.

83. FIs must test and evaluate security updates before installation on critical systems for effectiveness and undesired side effects.

84. If installing a security patch would result in side effects that cannot be tolerated, or a security update is not available, then compensating controls must be implemented to mitigate the resulting exposure.

---

15

COMMUNICATIONS SECURITY

85. FIs must have in place controls to ensure the security of information in networks and the protection of connected services from unauthorised access, including: a. documented and approved responsibilities and procedures for the management of networks; b. controls to ensure confidentiality and integrity of data transmitted over networks not controlled by the institution, or wireless networks; c. restrictions on system connections to the networks; and d. authentication of systems on the network.

86. Network services’ security mechanisms, service level requirements and required management services, must be identified and be subject to documented service level agreements, whether services are provided internally or outsourced.

87. FIs deploying Wireless Local Area Networks (WLAN) within the institution must take measures to mitigate the risks associated in this environment, such as having secure communication protocols for transmissions between access points and wireless clients.

88. Groups of users and information systems must be segregated based on an assessment of the security requirements of each group.

89. Access between such segregated groups and between the institution’s network and any third-party network must be controlled and restricted on a business need basis.

90. Formal transfer policies, procedures and controls should be in place to protect the transfer of information through the use of all types of communication facilities, in particular electronic messaging.

SYSTEMS ACQUISITION AND DEVELOPMENT LIFECYCLE

91. FIs must ensure that information security related requirements are considered when acquiring new information systems or enhancing existing information systems.

92. FIs must have in place effective controls to ensure that information (such as payments, internet banking or mobile banking apps) are protected from fraudulent activities, contract dispute and unauthorised disclosure and modification.

93. Rules for the development of software and systems, including mandatory security requirements, must be established by the FIs and applied to developments within the institution.

---

16

94. Secure system engineering principles, coding standards and programming techniques must be adopted by the FIs and used in the system development process.

95. FIs must ensure that changes to systems within the development lifecycle are controlled by the use of formal change control procedures and the modifications to software packages are limited to necessary changes under a strict control environment.

96. FIs should establish and appropriately protect secure development environments that cover the entire system development lifecycle. In addition, FIs should supervise and monitor outsourced system development activities.

97. During the systems development phase, testing of security functionality should be carried out.

THIRD-PARTY RELATIONSHIPS

98. The use of third-party services must not in any way result in any weakening of the cybersecurity control environment of the institution or the assurance over its effectiveness.

99. FIs must develop and implement a third-party relationship policy that mandates cybersecurity controls to address the risk posed by third-party access to its information assets.

100. FIs must review the security policies, procedures and controls of third-parties that have access to its information assets, on a regular basis, including commissioning or obtaining periodic expert reports on the adequacy of the cybersecurity control environment and compliance to applicable regulation.

101. The third-party relationship policy must, at the minimum include: a. appropriate due diligence processes for the appointment of a third-party service provider to determine its viability, reliability, credential and financial position; b. limited third-party access with time limitations⁴; and c. management of changes to the provision of services by third-parties taking it into account the criticality of business information, systems and processes involved and reassessment of risks.

102. FIs must establish an effective service level agreement for any services provided by third-parties that in any way requires or provides access to the FI’s information assets.

⁴ Such access must be monitored and periodically reviewed.

---

17

103. The service level agreement must include provisions in relation to cybersecurity that ensures the effectiveness of the FI’s cybersecurity controls are maintained.

104. Third-party agreements must include clauses that reserves the right of the FI and the Central Bank to conduct audits, including on-site inspections of the activities, systems, sites, and facilities that are relevant to the provision of the contracted services.

INCIDENT MANAGEMENT

105. FIs must have a cybersecurity incident management process governed by documented policy and procedures with the objective of restoring normal service as quickly as possible following an incident, and with minimal impact to the its business operations.

106. The cybersecurity incident management policy and procedures must at a minimum: a. define what constitutes a cybersecurity incident and the criteria for incident categorization, including criteria for categorizing an incident as a crisis; b. prioritize resolution based on defined severity levels; c. address clear accountability and communication strategies to limit the impact of information security incidents⁵; d. address evidence collection and preservation; e. address the testing of the incident management process; f. address employees’ requirements to notify on incidents or indicators of possible incidents; and g. clear and effective coordination with supervisory body, police and national cybersecurity organizations.

SECURITY AUDIT AND TESTING

107. FIs are required to ensure that its approach to managing information security and its implementation, including the objectives, controls, policy, processes and procedure for information security, are reviewed independently at planned intervals or when significant changes occur.

108. FIs must ensure that an operationally independent and adequately resourced internal audit function covers review of the CSRMF.

109. To ensure that cybersecurity is implemented and operated in accordance with the FIs policies and procedures, the following minimum-security audit and testing requirements are to be observed:

⁵ This to include escalation and reporting requirements to senior management, the board, external stakeholders and dealing with the mass media where appropriate.

---

18

a. conduct security audits and tests, including vulnerability scans and penetration tests at regular intervals at a minimum for high risk systems and processes, and before such systems are introduced (put in production);
b. internal audit function to perform or commission security audits and tests at regular intervals (at least annually) according to their independent risk assessment; and
c. ensure that the internal audit function is sufficiently resourced, at a minimum to effectively assess the audits’ and tests’ planning, execution and reporting.

CYBERSECURITY CONSIDERATIONS OF BUSINESS CONTINUITY MANAGEMENT

110. Information security continuity must be embedded in the FIs business continuity management system and at a minimum should include the following requirements: a. determine their requirements for cybersecurity and the continuity of cybersecurity risk management in adverse situations, e.g. during a crisis or disaster; and b. establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for cybersecurity during an adverse situation.

REGULATORY REPORTING

111. FIs are required to provide the following reports on cybersecurity: a. Quarterly reporting on all cybersecurity incidents in the format prescribed attached as Appendix I

112. FIs must notify the Central Bank as soon as possible but not later than sixty minutes after becoming aware of an information security incident that materially affects or has the potential to materially affect financially or non-financially the institution or the interests of depositors.

Implementation

113. FIs have a transition period of ninety (90) calendar days from the effective date to complete the following: a. Report on their compliance with this Prudential Standard. b. Submit to CBSI a plan and timeframe for rectifying areas of non-compliance with this Prudential Standard.

Enforcement and Corrective Measures

114. A FI, which fails to comply with the requirements contained in this Prudential Standard or to submit certain reports to the CBSI, which are materially inaccurate, will be considered in breach guideline and therefore, may be subject to a monetary penalty.

---

19

115. The CBSI may pursue any or all corrective measures as provided in section 16 of the Financial Institutions Act 1998 (as amended) to enforce the provisions of this Prudential Standard including: c. Issuance of an order to cease and desist from the unsound and unsafe practices and d. Action to replace or strengthen the management of the financial institution.

Effective Date

116. The effective date of this Prudential Standard is October 1, 2020.

Issued this 1st day of October 2020.

[Signature] Governor, Luke Forau Central Bank of Solomon Islands

---

20

Appendix I Form QCR Quarterly Report on Cybersecurity Risk Incidents

Reporting Institution Name	Event Number	Value of Loss	Reporting Quarter Incident Number	Value of Loss	No. Unresolved from prior period	No. Resolved this Qtr.
Cyber security root cause Areas
Asset Management
Access Controls
Operations Security
Communication Security
System Acquisition, Development & Maintenance
Third Party relationships
Information Sec. BCM
Human Resource
Cryptography
Physical & Environmental
Total