Back Custom print Link Text Only Rich Text Print

  • Cyber Risk Identification and Assessments

    • OM-5.5.22

      Conventional bank licensees must conduct periodic assessments of cyber threats. For the purpose of analysing and assessing current cyber threats relevant to the licensee, it should take into account the factors detailed below:

      (a) Cyber threat entities including cyber criminals, cyber activists, insider threats;
      (b) Methodologies and attack vectors across various technologies including cloud, email, websites, third parties, physical access, or others as relevant;
      (c) Changes in the frequency, variety, and severity of cyber threats relevant to the region;
      (d) Dark web surveillance to identify any plot for cyber attacks;
      (e) Examples of cyber threats from past cyber attacks on the licensee if available; and
      (f) Examples of cyber threats from recent cyber attacks on other organisations.
      Added: July 2021

    • OM-5.5.23

      Conventional bank licensees must conduct periodic assessments of the maturity, coverage, and effectiveness of all cyber security controls. Cyber security control assessment must include an analysis of the controls’ effectiveness in reducing the likelihood and probability of a successful attack.

      Added: July 2021

    • OM-5.5.24

      Licensees should ensure that the periodic assessments of cyber threats and cyber security controls cover all critical technology systems. A risk treatment plan should be developed for all residual risks which are considered to be above the licensee’s risk tolerance levels.

      Added: July 2021

    • OM-5.5.25

      Conventional bank licensees must conduct regular technical assessments to identify potential security vulnerabilities for systems, applications, and network devices. The vulnerability assessments must be comprehensive and cover internal technology, external technology, and connections with third parties. Preferably monthly assessments are conducted for internal technology and weekly or more frequent assessments for external public facing services and systems.

      Added: July 2021

    • OM-5.5.26

      With respect to Paragraph OM-5.5.25, external technology refers to the licensee’s public facing technology such as websites, apps and external servers. Connections with third parties includes any API or other connections with fintech companies, technology providers, outsourcing service providers etc.

      Added: July 2021

    • OM-5.5.27

      Conventional bank licensees must have in place vulnerability and patch management processes which include remediation processes to ensure that the vulnerabilities identified are addressed and that security patches are applied where relevant within a timeframe that is commensurate with the risks posed by each vulnerability.

      Added: July 2021

    • OM-5.5.28

      All licensees must perform penetration testing of their systems, applications, and network devices to verify the robustness of the security controls in place at least twice a year. These tests must be used to simulate real world cyber-attacks on the technology environment and must:

      (a) Follow a risk-based approach based on an internationally recognized methodology, such as National Institute of Standards and Technology “NIST” and Open Web Application Security Project “OWASP”;
      (b) Include both Grey Box and Black Box testing in its scope;
      (c) Be conducted by qualified and experienced security professionals who are certified in providing penetration testing services;
      (d) Be performed by internal and external independent third parties which should be changed at least every two years; and
      (e) Be performed on either the production environment or on non-production exact replicas of the production environment.
      Added: July 2021

    • OM-5.5.29

      CBB may require additional red teaming exercises to be performed as needed. A red team is a group of ethical hackers with varying backgrounds, that would test the organization's blue team's threat response activity. The red team may attack 3 fronts: cyber, social (attack on people's behavior) and physical (attack on an organization's physical facility and or 3rd party premises). A red teaming exercise is like a penetration test in many ways but more targeted. The goal is not to find as many vulnerabilities as possible. The goal is to test the organization's detection and response capabilities. The red team will try to get in and access sensitive information in any way possible, as quietly as possible.

      Added: July 2021

    • OM-5.5.30

      Where licensees have been required to conduct a red teaming exercise the results of such an exercise must be provided to CBB within one month of the completion of the exercise together with a comprehensive plan to address any observed weaknesses.

      Added: July 2021