Role of the Board

OM-5.5.1
The Board of conventional bank licensees must ensure that the licensee has a robust cyber security risk management policy to comprehensively manage the licensee's cyber security risk and vulnerabilities. The Board must approve the policy and establish clear ownership, decision-making and management accountability for risks associated with cyber-attacks and related risk management and recovery processes. Cyber security must be an item for discussion at Board or Board sub-committee meetings.
Amended: July 2021
Added: January 2020

OM-5.5.2
The Board of conventional bank licensees must ensure that the cyber security risk management framework encompasses, at a minimum, the following components:
a) Cyber security strategy;
b) Cyber security policy; and
c) Cyber security risk management approach, tools and methodology, and an organization-wide security awareness program.
Amended: July 2021
Added: January 2020

OM-5.5.3
The cyber security risk management framework must be developed in accordance with the National Institute of Standards and Technology (NIST) Cyber security framework, which is summarized in Appendix C – Cyber security Control Guidelines. At the broader level, the Cyber security framework should be consistent with the licensee's risk management framework.
Amended: July 2021
Added: January 2020

OM-5.5.4
Boards should receive comprehensive reports, in every Board meeting, covering cyber security issues such as the following:
a. Key Risk Indicators / Key Performance Indicators;
b. Status reports on overall cyber security control maturity levels;
c. Status of staff Information Security awareness;
d. Updates on the latest internal or relevant external cyber security incidents; and
e. Results from penetration testing exercises.
Amended: July 2021
Added: January 2020

OM-5.5.5
The Board must evaluate and approve the cyber security risk management framework for scope coverage, adequacy and effectiveness every three years or when there are significant changes to the risk environment, taking into account emerging cyber threats and cyber security controls.
Amended: July 2021
Added: January 2020

OM-5.5.6
Conventional bank licensees must establish a cyber security risk function, independent of the information technology (IT) department, which must report to an independent risk management function or an equivalent function within the licensee. The cyber security risk management function must monitor and report on the status and maturity of relevant cyber security controls.
Branches of foreign bank licensees must be governed under a framework of cyber security risk management policies which ensure that an adequate level of oversight is exercised by the regional office or head office.
Amended: July 2021
Added: January 2020

OM-5.5.7
The Board should ensure that appropriate resources are allocated to the cyber security risk management function for implementing the cyber security framework.
Added: July 2021

OM-5.5.8
The Board must ensure that the cyber security risk management function is headed by a suitably qualified Chief Information Security Officer (CISO), with appropriate authority to implement the Cyber Security strategy.
Added: July 2021

OM-5.5.9
The Board should establish a cyber security committee that is headed by an independent senior manager from a control function (such as the CFO or CRO), with appropriate authority to approve the policies and frameworks needed to implement the cyber security strategy, and to act as a governance committee for the cyber security function. Membership of this committee should include senior management members from business functions, IT, Risk and Compliance.
Added: July 2021