2023-01-01

Bank of Zambia Cyber and Information Risk Management Guidelines

The Bank of Zambia has gazetted its Cyber and Information Risk Management Guidelines to establish minimum standards for governing, strategizing, and securing the digital operations of all regulated entities. Adopting an apply-or-explain framework, the circular mandates that larger institutions fully implement these controls while smaller entities must demonstrate equivalent risk mitigation, supported by annual security maturity assessments. Regulated entities must submit their first maturity assessment reports, including methodology and results, to the central bank by September 30, 2023, to ensure resilient and secure-by-design financial technology services.


Bank of Zambia OFFICE OF THE DEPUTY GOVERNOR - OPERATIONS

BOZ/EXEC/DGO/bsd/bp

June 27, 2023

CB Circular No. : 16/2023

To : All Heads of Bank of Zambia Regulated Entities

BANK OF ZAMBIA CYBER AND INFORMATION RISK MANAGEMENT GUIDELINES

Reference is made to the captioned subject.

Kindly note that the Bank of Zambia Cyber and Information Risk Management Guidelines have been gazetted and issued for use by all entities that are regulated by the Bank of Zambia.

The Bank of Zambia continues to promote growth in financial technology and digitalisation, which has brought tremendous benefits and innovation to the financial sector, especially in the areas of financial inclusion and operational efficiency. The Bank, however, remains cognisant of cyber risk, which is gradually emerging as a major threat to the financial sector. If not properly addressed, this risk has the potential to erode stakeholders’ confidence in the provision and use of digital financial services.

Regulated entities’ need to dedicate attention and resources to mitigating cyber risk cannot be overemphasised, as cyber-attacks are taking place with increased frequency, stealth, and sophistication. Regulated entities are, therefore, expected to minimise their cyber risk exposure by ensuring that their systems are secure by design and in operation, with emphasis on resilience.

The issued Cyber and Information Risk Management Guidelines provide minimum standards and controls for managing this risk. The guidelines provide guidance related to governance, strategies, policies, and procedures, including collaboration and information sharing on cyber risks within the sector.

The Bank is mindful of the differences in the nature, size, and complexity of regulated entities. In this regard, these Guidelines are issued on an apply-or-explain approach, with the expectation that bigger and more complex entities will fully apply the Guidelines. Entities that are not able to apply all the Guidelines in full are required to demonstrate how the cyber and information risk to which they are exposed, in the pursuit of their business objectives, is managed.


Bank Square, Cairo Road, P.O. Box 30080, Lusaka, Zambia Tel:+260-211-399303, 399300, E-mail: dgo@boz.zm. Web: http://www.boz.zm


In addition, regulated entities are required to conduct an annual cyber and information security maturity assessment to ascertain their level of maturity. The methodology and tools used to perform the self-assessment, including the results, should be submitted to the Bank of Zambia. In this regard, the first cyber and information security maturity assessment reports shall be submitted to the Bank of Zambia by September 30, 2023.

Kindly be informed accordingly.

[Signature]

Francis Chipimo (PhD) DEPUTY GOVERNOR – OPERATIONS

cc: Governor; Director – Bank Supervision; Director – Payment Systems; Director – Non-Bank Financial Institutions Supervision