
BANKS GET ORDER TO OFFICIALLY REPORT CYBER INCIDENTS

Effective August 1, 2018, all deposit money banks and payment service providers shall immediately report all cyber incidents, whether or not the attempt was successful. A draft Risk-Based Cybersecurity Framework and Guidelines, issued by the Central Bank of Nigeria (CBN) for input from stakeholders, mandates banks to integrate cyber risk management into their institution-wide risk management framework and governance requirements, to ensure consistent management of risks across the institution.

The mandate to report incidents comes on the heels of observed under-disclosure and outright non-disclosure of some fraudulent incidents by industry operators. The development also indicates that the sector is inching closer to ending the era of unnecessary excuses for withholding important information about system failures, insider-related hacking and frauds that have cost customers and banks billions of naira. The document also notes that effective risk management reduces the adverse impact on an organisation by addressing threats, mitigating exposure and reducing vulnerability.

As usual, the apex bank has said that once the rule takes effect, non-compliance with its provisions shall attract appropriate sanctions to be determined by the CBN, in accordance with its enabling Act and the Banks and Other Financial Institutions Act. The CBN shall also monitor and enforce compliance with the provisions. Under the draft framework, banks are to begin the search for a qualified appointee to serve as Chief Information Security Officer (CISO), responsible for overseeing and implementing cyber security programmes.

The CISO shall possess adequate authority, experience, independence and status to function properly, and shall hold a combination of a Master's degree in Cyber/Information Security, Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM) certifications, with in-depth experience in information technology.

Banks shall take full responsibility for cyber incidents, as the board and senior management are required to support and be involved in the cyber risk management process by ensuring that resources and capabilities are available and that staff roles in the management of risks are properly defined. They shall endeavour to be acquainted with their business environment and critical assets, and devise mechanisms to maintain an up-to-date inventory of authorised software and hardware (workstations, servers, network devices and other devices) and of internal and external network connections. All unauthorised software and hardware devices on their networks shall also be identified, documented, removed and reported appropriately, the document notes.

(Guardian)
