2022-06-02

Directive No. 05/DSB/DRO/2022

The Banco Nacional de Angola, through its Banking Supervision and Financial System Regulation Departments, has issued Directive No. 05/DSB/DRO/2022 to mandate Banking Financial Institutions to implement comprehensive policies, processes, and controls for managing Information and Communication Technology (ICT) and cybersecurity risks. The directive establishes clear governance structures, risk appetite frameworks, proportional compliance requirements, and detailed operational guidelines for risk identification, assessment, mitigation, and reporting. Institutions must submit a detailed action plan within sixty days of publication and achieve full compliance within one hundred eighty days, with non-compliance subject to penalties under existing financial institution laws.


GOVERNOR DIRECTIVE NO. 05/DSB/DRO/2022

Given the need to adjust procedures for managing risks associated with information and communication technologies (ICT) as well as cybersecurity in Banking Financial Institutions, in accordance with the provisions established in Notice No. 08/2020 of April 2, regarding the Cybersecurity Policy and Cloud Computing Adoption;

Under the combined provisions of Article 166 of Law No. 14/21 of May 19, the General Regime for Financial Institutions Law, and of sub-paragraphs d) and f) of paragraph 1 of Article 31, and paragraph 1 of Article 98, both of Law No. 24/21 of October 18, the National Bank of Angola Law;

This Directive serves to establish the following:

  1. Banking Financial Institutions must implement policies, processes, and procedures for managing risks associated with Information and Communication Technologies (ICT) and Cybersecurity.
  2. The guidelines on managing risks associated with ICT and Cybersecurity in Banking Financial Institutions, as set out in the Annex which forms an integral part of this Directive, aim to contribute to strengthening the risk governance systems of the aforementioned Institutions, which must include a clear organizational structure with well-defined, transparent, and coherent lines of responsibility, effective processes to identify, manage, control, and communicate the risks they are or may become exposed to, as well as adequate control and monitoring mechanisms.
  3. The guidelines referred to in the preceding paragraph are advisory in nature, supporting effective risk assessment in light of expected ICT developments.
  4. Non-compliance with the provisions of this Directive constitutes an offense provided for and punishable under Law No. 14/21 of May 19, the General Regime for Financial Institutions Law.
  5. Banking Financial Institutions must comply with the provisions of this Directive within one hundred eighty (180) days following its publication.
  6. Without prejudice to the preceding paragraph, Banking Financial Institutions must submit to the National Bank of Angola, within sixty (60) days following the publication of this Directive, a detailed action plan describing the measures they intend to implement.
  7. Doubts and omissions resulting from the interpretation and application of this Directive are resolved by the National Bank of Angola.
  8. This Directive enters into force immediately.

Luanda, June 2, 2022.

DEPARTMENT OF BANKING SUPERVISION
Elavoko do Rosário Chaves João -Director-

DEPARTMENT OF REGULATION AND ORGANIZATION OF THE FINANCIAL SYSTEM
Carla Marisa Madeira Gomes -Director-

ORIGIN: Department of Banking Supervision (DSB); Department of Regulation and Organization of the Financial System (DRO)
DATE: 02/06/2022
SUBJECT: FINANCIAL SYSTEM - Management of Risks Associated with Information and Communication Technologies and Cybersecurity

DIRECTIVE NO. 05/DSB/DRO/2022 2 of 5

ANNEX

Guidelines on Managing Risks Associated with ICT and Cybersecurity

  1. Introduction

     The guidelines on managing risks associated with ICT and Cybersecurity aim to provide guidance to Banking Financial Institutions, in accordance with the provisions of Notice No. 08/2020 of April 2, regarding the Cybersecurity Policy and Cloud Computing Adoption.

  2. Definitions

     Without prejudice to the definitions established in current legislation, for the purposes of this Directive, it is understood that:

     a) Information Asset – a software or hardware asset located within the business environment;
     b) Risk Appetite – the types of risk and their aggregated level that payment service providers and banking financial institutions are willing to assume within the context of their risk capacity, according to their business model, to achieve their strategic objectives;
     c) Operational or Security Incident – a single event or a series of related events unforeseen by the Banking Financial Institution that has, or may have, a negative impact on the integrity, availability, confidentiality and/or authenticity of services;
     d) ICT Projects – any project, or part thereof, in which ICT services and systems are modified, replaced, rejected, or applied, which may be part of broader ICT plans or business transformation plans;
     e) Governing Body – as defined in sub-paragraph t) of Article 3 of Notice No. 01/2022, regarding the Corporate Governance Code;
     f) Risks Associated with ICT and Cybersecurity – the risk of losses due to breach of confidentiality, lack of system and data integrity, inadequacy or unavailability of systems and data, or inability to modify information technology (IT) within a reasonable time and cost when the business environment or requirements change, including security risks resulting from external events or inadequate internal processes, including cyberattacks or inadequate physical security;
     g) ICT Services – services provided by ICT systems to one or more internal or external users, including data input, storage, processing, and communication services, as well as monitoring and operational support and decision-making services;
     h) Physical Security – a set of mechanisms aimed at preventing unauthorized access to the institution's equipment, facilities, materials, or documents;
     i) Logical Security – a set of mechanisms aimed at controlling access to applications, data, operating systems, passwords, and log files, through hardware and software, encryption, and various counter-measures against cybercriminal attacks and possible intrusions to the institution's sources;
     j) ICT Systems – information and communication technologies implemented within a mechanism or interconnection network that supports the operations of a Banking Financial Institution;
     k) Third Parties – an organization that has established commercial relations or entered into contracts with an entity to provide a product or render a service.

  3. Principle of Proportionality

     Banking Financial Institutions must implement the provisions established in this Directive, taking into account their size, internal organizational structure, nature, scope, complexity, and degree of risk of the services and products provided by Banking Financial Institutions.

  4. Governance and Strategy

4.1. Governance

  1. The governing body must ensure that Banking Financial Institutions have an adequate framework for governance and internal control to manage risks associated with ICT and Cybersecurity.
  2. The governing body must define clear functions and responsibilities for ICT, information security, and business continuity, as well as those of the governing body and its respective committees.
  3. The governing body must ensure that the quantity and competencies of Banking Financial Institutions' personnel are adequate to support their operational needs and ICT and cybersecurity risk management processes on a continuous basis, as well as to guarantee the implementation of their ICT strategy.
  4. The governing body must ensure that the allocated budget is adequate to fulfill the obligations referred to in the preceding paragraph.
  5. Banking Financial Institutions must ensure that all personnel members, including those performing essential functions, receive adequate training on risks associated with ICT and cybersecurity, particularly regarding information security, annually, or more frequently if necessary.
  6. The governing body assumes overall responsibility for defining, approving, and supervising the implementation of Banking Financial Institutions' ICT strategy as part of their overall business strategy, as well as for establishing an effective framework for managing risks associated with ICT and cybersecurity.

4.2. Strategy

  1. The ICT strategy must be harmonized with the overall business strategy of Banking Financial Institutions, and must define:
     a) How ICT should evolve to effectively support and participate in their business strategy, including the evolution of the organizational structure, changes to the ICT system, and key dependencies on third parties;
     b) The planned strategy and evolution of ICT architecture, including dependencies on third parties; and,
     c) Clear objectives regarding information security, centered on ICT systems and services, cybersecurity, personnel, and processes.
  2. Banking Financial Institutions must develop an action plan encompassing measures to be taken to achieve the objectives of their ICT and cybersecurity strategy, which must be communicated to the entire organizational structure, including service providers, when applicable.
  3. Action plans must be reviewed periodically to ensure their relevance and adequacy.
  4. Banking Financial Institutions must also create processes to monitor and measure the effectiveness of implementing their ICT and cybersecurity strategy.

4.3. Use of Service Providers

  1. Whenever the operational functions of payment services and/or ICT services and systems of any activity are outsourced, including to entities within the same group, or when third parties are engaged, Banking Financial Institutions must ensure the effectiveness of risk reduction measures defined by their risk management framework, and the measures established in this Directive.
  2. For the purpose of continuity of ICT services and systems, Banking Financial Institutions must ensure, both under normal circumstances and in the event of service interruptions, the following:
     a) Appropriate and proportional objectives and measures related to information security, including minimum cybersecurity requirements;
     b) Specifications of the banking financial institution's data lifecycle;
     c) Requirements regarding data storage, network security, and cybersecurity monitoring processes, as well as data center locations;
     d) Procedures for handling operational and security incidents, including escalation and information communication; and,
     e) Development of procedures for semi-annual or annual risk assessment of suppliers/service providers to ensure compliance with cybersecurity requirements.
  3. Banking Financial Institutions must monitor and ensure the level of service providers' compliance with the objective of preventing cyberattacks and guaranteeing the implementation of effective security controls.

  5. Framework for Managing Risks Associated with ICT and Cybersecurity

5.1. Organization and Objectives

  1. Banking Financial Institutions must identify and manage risks associated with ICT and cybersecurity.
  2. ICT must have adequate processes and controls to ensure that all risks are identified, analyzed, measured, monitored, managed, communicated, and maintained within the risk appetite limits of the Banking Financial Institution, and that the projects and systems that support and develop those activities comply with external and internal requirements.
  3. Banking Financial Institutions must assign responsibility for managing and supervising risks associated with ICT and cybersecurity to a control function, as provided in Notice No. 01/2022 of January 28, regarding the Corporate Governance Code for Banking Financial Institutions.
  4. Banking Financial Institutions must ensure the independence and objectivity of the control function, properly separating it from ICT operational processes, as well as ensuring that this control function is not responsible for any internal audit.
  5. The control function must be directly accountable to the governing body and responsible for monitoring and controlling compliance with the framework for managing risks associated with ICT and cybersecurity, as well as ensuring that risks are identified, measured, evaluated, managed, monitored, and communicated.
  6. The internal audit function must, following a risk-based approach, have the capacity to independently review and objectively ensure the compliance of all units and activities related to ICT and cybersecurity of the Banking Financial Institution with internal policies and procedures.
  7. Banking Financial Institutions must define and assign fundamental functions and responsibilities, as well as relevant information communication lines, so that the framework for managing risks associated with ICT and cybersecurity is effective.
  8. The framework for managing risks associated with ICT and cybersecurity must be fully integrated into the overall risk management processes of Banking Financial Institutions.
  9. The framework for managing risks associated with ICT and cybersecurity must include the following processes in the exercise of its activities:
     a) Determining risk appetite regarding risks associated with ICT and cybersecurity;
     b) Identifying and evaluating risks associated with ICT and cybersecurity to which the Banking Financial Institution is or may be exposed;
     c) Defining risk reduction measures, including controls, to reduce risks associated with ICT and cybersecurity;
     d) Controlling the effectiveness of these measures, as well as the number of reported incidents affecting ICT-related activities, and acting to correct measures if necessary;
     e) Informing the governing body about controls and risks associated with ICT; and,
     f) Identifying and evaluating whether there are risks associated with ICT and cybersecurity resulting from any significant change to the ICT system, services, or procedures, after any operational or security incident with significant impact.
  10. Banking Financial Institutions must ensure that the framework for managing risks associated with ICT and cybersecurity is documented, and continuously improved based on acquired experience during its application and monitoring.
  11. The framework for managing risks associated with ICT and cybersecurity must be approved and reviewed by the governing body at least once a year.

5.1.1. Identification of Areas, Processes, and Assets

  1. Banking Financial Institutions must identify, create, and maintain an updated inventory of the information assets that support their business areas and critical processes, including ICT systems, organizational structure, third parties, and dependencies on other internal and external systems and processes, so that those assets can be managed efficiently.

5.1.2. Classification and Risk Assessment

  1. Banking Financial Institutions must classify identified business areas, support processes, and information assets in terms of criticality.
  2. To define the criticality of identified business areas, support processes, and information assets, Banking Financial Institutions must, at minimum, consider confidentiality, integrity, and availability requirements.
  3. Banking Financial Institutions must review the adequacy of information asset classification and relevant documentation when conducting risk assessments.
  4. Banking Financial Institutions must identify risks associated with ICT and cybersecurity that impact identified and classified business areas, support processes, and information assets according to their criticality.
  5. Risk assessment must be performed and documented annually or, if necessary, at shorter intervals.
  6. Additionally, risk assessment must be performed on any significant changes to infrastructure, processes, or procedures affecting business areas, support functions, or information assets, consequently updating the current risk assessment of Banking Financial Institutions.
  7. Banking Financial Institutions must ensure they continuously monitor relevant threats and vulnerabilities for their business processes, support functions, and information assets, regularly reviewing risk scenarios affecting them.

5.1.3. Risk Reduction

  1. Banking Financial Institutions must determine the necessary measures to reduce identified risks, based on risk assessments associated with ICT and cybersecurity, to acceptable levels, and whether it is necessary to introduce changes in internal processes, control measures, systems, and existing ICT services to protect information assets according to their classification.
  2. For the purposes of the preceding paragraph, the Banking Financial Institution must consider the time required to implement changes and take adequate interim risk reduction measures associated with ICT and cybersecurity, in order to remain within risk appetite limits.

5.1.4. Information Communication

  1. Without prejudice to the provisions of sub-paragraph e) of paragraph 1 of Article 32 of Notice No. 01/2022 of January 28, regarding the Corporate Governance Code, Banking Financial Institutions must include the results of risk assessments associated with ICT and cybersecurity in periodic risk management reports.
  2. The National Bank of Angola may, whenever necessary, request the results of risk assessments associated with ICT and cybersecurity.

5.1.5. Audit

  1. The governance, systems, and processes associated with ICT and cybersecurity must be periodically audited by independent auditors with sufficient knowledge, skills, and experience in risks associated with ICT and cybersecurity, enabling them to provide independent assurance of their effectiveness to the governing body.

  2. The frequency and purpose of audits must be proportional to relevant risks associated with ICT and cybersecurity.

  3. The governing body of a Banking Financial Institution must approve the audit plan, including all ICT audits and all significant changes thereto.

  4. The audit plan and its execution, as well as the frequency of audits, must reflect and be proportional to inherent risks associated with ICT and cybersecurity in the institution, and must be updated regularly.

  5. A formal follow-up process must be established that includes provisions for the verification and timely correction of crucial ICT audit results.

  6. Information Security

6.1. Information Security Policy

  1. Banking Financial Institutions must develop and document an information security policy, which defines high-level principles and rules to protect the confidentiality, integrity, and availability of their data and information, as well as those of their clients.
  2. The information security policy must be consistent with the information security objectives of Banking Financial Institutions and based on relevant results from the risk assessment process.
  3. Without prejudice to the preceding paragraphs, the information security policy must be approved by the governing body.
  4. The policy must include a description of the main functions and responsibilities of information security management, and must also establish applicable requirements and responsibilities for the organizational structure.
  5. The policy must ensure the confidentiality, integrity, and availability of critical assets and resources, whether physical or logical, and sensitive data of the institution, regardless of whether they are stored, in transit, or in use.
  6. The information security policy must be communicated to the entire organizational structure and all service providers of the institution.
  7. Based on the information security policy, Banking Financial Institutions must establish and apply security measures to reduce risks associated with ICT and cybersecurity to which they are or may be exposed.
  8. Without prejudice to the preceding paragraphs, measures must include:
     a) Risk organization and governance;
     b) Logical security;
     c) Physical security;
     d) ICT operational security;
     e) Security monitoring;
     f) Information security reviews, assessment, and testing; and
     g) Training and awareness regarding information security.

6.2. Logical Security

  1. Banking Financial Institutions must define, document, and implement logical access control procedures, which must be applied, enforced, monitored, and reviewed periodically.
  2. The procedures referred to in the preceding paragraph must also include controls to monitor anomalies and, at minimum, apply the following elements to the user:
     a) Need-to-Know, Least Privilege, and Segregation of Duties - Banking Financial Institutions must manage access rights to information assets and their supporting systems based on the need-to-know principle, including remote access;
     b) User Accountability - Banking Financial Institutions must limit the use of generic and shared user accounts, as well as ensure that users can be identified by the actions they perform in ICT systems;
     c) Privileged Access Rights - Banking Financial Institutions must apply strict controls over privileged system access, strictly limiting and closely supervising accounts with high system access rights;
     d) Access to Critical Systems -