Prevention Controls
RM-9.1.18
A licensee must develop and implement preventive measures across all relevant technologies to minimise the licensee's exposure to cyber security risk. Such preventive measures must include, at a minimum, the following:
(a) Deployment of End Point Protection (EPP) and Endpoint Detection and Response (EDR), including anti-virus software and anti-malware programs, to detect, prevent, and isolate malicious code;
(b) Use of firewalls for network segmentation, including use of Web Application Firewalls (WAF) where relevant for filtering and monitoring HTTP traffic between a web application and the Internet, and access control lists to limit unauthorized system access between network segments;
(c) Rigorous security testing at the software development stage as well as after deployment to limit the number of vulnerabilities;
(d) Use of a secure email gateway to limit email-based cyber attacks such as malware attachments, malicious links, and phishing scams (for example, use of Microsoft Office 365 Advanced Threat Protection tools for emails);
(e) Use of a Secure Web Gateway to limit browser-based cyber-attacks and malicious websites and to enforce organization policies;
(f) Creating a list of whitelisted applications and application components (libraries, configuration files, etc.) that are authorized to be present or active on the organization's systems; and
(g) Implementing Bring Your Own Device ("BYOD") security policies to secure all mobile devices with any access to licensee systems, applications, and networks through security measures such as encryption, remote wipe capabilities, and password enforcement.
Amended: January 2022
Added: April 2019

RM-9.1.19
Licensees should also implement the following prevention controls in the following areas:
(a) Data leakage prevention to detect and prevent confidential data from leaving the licensee's technology environment;
(b) Controls or solutions to secure, control, manage and monitor privileged access to critical assets (e.g. Privileged Access Management (PAM));
(c) Controls to secure physical network ports against connection to computers which are unauthorised to connect to the licensee's network or which do not meet the minimum security requirements defined for licensee computer systems (e.g. Network Access Control); and
(d) Identity and access management controls to limit the exploitation, and monitor the use, of privileged and non-privileged accounts.
Added: January 2022

RM-9.1.20
Licensees must set up anti-spam and anti-spoofing measures to authenticate the licensee's mail server and to prove to ISPs, mail services and other receiving mail servers that senders are truly authorized to send the email. Examples of such measures include:
• SPF "Sender Policy Framework";
• DKIM "DomainKeys Identified Mail"; and
• DMARC "Domain-based Message Authentication, Reporting and Conformance".
Added: January 2022

RM-9.1.21
Licensees should subscribe to one of the Cyber Threat Intelligence services in order to stay abreast of emerging cyber threats, cybercrime actors and state-of-the-art tools and security measures.
Added: January 2022

RM-9.1.22
Licensees must use a single unified private email domain or its subdomains for communication with customers to prevent abuse by third parties. Licensees must not utilise third-party email provider domains for communication with customers. The email domains must comply with the requirements with respect to SPF, DKIM and DMARC in this Module. With respect to URLs or other clickable links in communications with customers, licensees must comply with the following requirements:
(a) Limit the use of links in SMS and other short messages (such as WhatsApp) to messages sent as a result of a customer request or action. Examples of such customer actions include verification links for customer onboarding, payment links for customer-initiated transactions, etc.;
(b) Refrain from using shortened links in communication with customers;
(c) Implement one or more of the following measures for links sent to customers:
i. ensure customers receive clear instructions in communications sent with the links;
ii. prior notification to the customer, such as through a phone call, informing the customer to expect a link from the licensee;
iii. provision of transaction details such as the transaction amount and merchant name in the message sent to the customer with the link;
iv. use of other verification measures like password or biometric authentication; and
(d) Create customer awareness campaigns to educate their customers on the risk of fraud related to links they receive in SMS, short messages and emails, with clear instructions to customers that licensees will not send clickable links in SMS, emails and other short messages to request information or payments unless it is as a result of a customer request or action.
Amended: October 2022
Added: January 2022

RM-9.1.22A
For the purpose of Paragraph RM-9.1.22, subject to CBB's approval, licensees may be allowed to use additional domains for email communications with customers under certain circumstances. Examples of such circumstances include emails sent to customers by:
(a) The head/regional office of a licensee; and
(b) Third-party service providers, subject to prior arrangements being made with customers. Examples of such third-party services include informational subscription services (e.g. Bloomberg) and document management services (e.g. DocuSign).
Added: October 2022
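As an added illustration of the SPF, DKIM and DMARC requirements in RM-9.1.20 and RM-9.1.22 (not part of the CBB rulebook), the following script checks a sending domain's DNS TXT records against the conditions a receiving mail server relies on to reject spoofed mail. The domain, selector name and record values are constructed samples embedded inline; for a real review, replace the `lookup` callable with a DNS resolver query.

```python
# Constructed sample TXT records for a fictitious domain (not real DNS data).
SAMPLE_RECORDS = {
    "example-bank.test": ["v=spf1 include:_spf.mail-provider.test ip4:203.0.113.0/24 -all"],
    "_dmarc.example-bank.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-bank.test"],
    "mail._domainkey.example-bank.test": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB-TRUNCATED"],
}

def parse_tags(record):
    """Split a 'k=v; k=v' record (DMARC, DKIM) into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(records):
    """SPF must exist exactly once and end with a fail qualifier on 'all'."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return [f"expected exactly one SPF record, found {len(spf)}"]
    last = spf[0].split()[-1].lower()
    if last == "-all":
        return []
    if last == "~all":
        return ["SPF uses softfail ~all; move to -all once DMARC enforcement is stable"]
    return ["SPF does not end with -all: mail from unlisted servers is not rejected"]

def check_dkim(records):
    # A selector record must publish a non-empty public key (empty p= means revoked).
    tags = parse_tags(records[0]) if records else {}
    return [] if tags.get("p") else ["no DKIM public key at this selector"]

def check_dmarc(records):
    """DMARC must be enforcing (quarantine/reject) and request aggregate reports."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return [f"expected exactly one DMARC record, found {len(dmarc)}"]
    tags = parse_tags(dmarc[0])
    findings = []
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports on spoofing attempts will not arrive")
    return findings

def assess(domain, selector, lookup=lambda name: SAMPLE_RECORDS.get(name, [])):
    """Return findings per mechanism; empty lists mean the domain passes all checks."""
    return {"spf": check_spf(lookup(domain)),
            "dkim": check_dkim(lookup(f"{selector}._domainkey.{domain}")),
            "dmarc": check_dmarc(lookup(f"_dmarc.{domain}"))}
```

The checks mirror what a receiving server evaluates: an SPF record that ends in `+all` or lacks `all` authorises any sender, and a DMARC policy of `p=none` reports spoofing but does not stop it.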