Barbados urges banks to bolster cyber resilience with new guideline
The Central Bank of Barbados recently published its Technology and Cyber Risk Management Guideline. Not only does the Guideline require banks to implement a cyber risk framework, it holds them responsible for ensuring the framework’s resilience and robustness in protecting customer data. The Guideline serves to bolster the existing privacy and data governance regime in Barbados for banks.
- Bartlett D. Morgan, CIPP/E
The Central Bank of Barbados (“CBB”) recently published its Technology and Cyber Risk Management Guideline (“Guideline”). The CBB, which regulates more than 30 banking institutions in the Caribbean country, says the Guideline is in response to the demonstrated importance of information technology as a business function, and, concurrently, the increasing number of people banking online. Not only does the Guideline require banks to implement a cyber risk framework, it holds them responsible for ensuring the framework’s resilience and robustness in protecting customer data. The aim of the Guideline, therefore, is to standardize cyber risk management procedures.
Guideline Structure
Perhaps in recognition of the still emerging nature of cyber risk as a business consideration, the Guideline starts with a ten-page cyber lexicon. This glossary, which precedes the purpose, sets out the meanings of terms from the straightforward ‘asset’ to the harder to pin down ‘cyber resilience.’ Many of the definitions directly mirror those found in globally accepted privacy, cyber and risk standards from bodies like NIST and the ISO.
The ‘Application and Scope’ section of the Guideline requires organizations to build a cyber risk management framework based on individual attributes, such as scale of data processing. The Guideline, however, cautions that “where material deviations from this Guideline are contemplated, licensees must demonstrate to the Bank that the alternative measures have at least an equivalent effect of ensuring strong and effective cyber resilience.”
After Oversight, the main areas of focus in the Guideline are Operational IT Risk Guidelines, IT Service Management, Operational Infrastructure Security Management, and Online Financial Services.
Emphasis on Cyber Resilience
The Guideline, in tandem with the current thinking around cybersecurity, places heavy emphasis on cyber resilience. References to resilience appear 27 times in the 58-page document.
Cyber resilience is defined in the Guideline as “the ability of an organization to continue to carry out its mission by anticipating and adapting to cyber threats and other relevant changes in the environment and by withstanding, containing and rapidly recovering from cyber incidents.”
This need for the incorporation of cyber resilience in the operations of a bank governed by the Guideline is extraterritorial. Banks governed by the CBB must implement the Guideline in overseas branches and majority-owned subsidiaries.
The responsibility for the ongoing shoring up of cyber resilience, as a key component of cyber risk management, lies squarely with the board and senior management of banks. The Guideline points out that this is because of the importance of IT to business, and the possible fallout from systems failures.
Mandatory vs Non-mandatory Provisions
The Guideline deploys a mixture of mandatory and non-mandatory provisions as signaled by the use of ‘should’ and ‘may’. For example, in speaking to System Availability, Reliability and Recovery, the Guideline states that “licensees should ensure that their business continuity plans are updated, and that the recovery site can adequately support all key systems in the production environment.” However, it suggests that “licensees may employ a number of complex interdependent systems and network components for their IT processing.”
In addressing incidents under IT Service Management, the Guideline states that licensees should establish the roles of staff members involved in incident management. However, “licensees may delegate the function of determining incident severity levels to a centralized technical help desk function.”
Similar distinctions are made in the succeeding sections on Management of IT Outsourcing Risks, Internet of Things, and Information and Intelligence Sharing.
Incident Reporting
The Guideline requires incidents to be classified by banks within 24 hours of detection, based on the perceived severity of the incident. When an incident is deemed major, an initial report must be made to the CBB within four hours of the classification. However, the CBB should be contacted immediately if an incident is classified as major, or if news of that incident reaches the media.
Compliance with Data Protection Act
The Barbados Data Protection Act (“DPA”) places a higher compliance burden on entities processing sensitive personal data. Financial records of data subjects constitute sensitive data under the DPA. Banks, as processors of financial records, therefore, already have a higher compliance burden under the DPA.
The Guideline is expected to dovetail with and supplement the existing DPA obligations of banks governed by the CBB. Various provisions of the Guideline imply compliance with the DPA. For example, in discussing outsourcing of IT functions, the Guideline says the licensee remains fully responsible for compliance with ‘regulatory requirements.’ Additionally, the Guideline requires banks to have an information security policy that includes ‘reporting security incidents to the regulator’.
Similar guidelines are now being drafted by the Financial Services Commission (“FSC”), which regulates non-banking financial institutions. The draft regulations being developed by the FSC are expected to have a scope similar to that of the Guideline.
Article provided by INPLP member: Bartlett Morgan (Chancery Advocates, Barbados)