Cyber Risk Identification and Assessments
RM-9.1.23
Licensees must conduct periodic assessments of cyber threats. For the purpose of analysing and assessing current cyber threats relevant to thelicensee , it should take into account the factors detailed below:(a) Cyber threat entities including cyber criminals, cyber activists, insider threats;(b) Methodologies and attack vectors across various technologies including cloud, email, websites, third parties, physical access, or others as relevant;(c) Changes in the frequency, variety, and severity of cyber threats relevant to the region;(d) Dark web surveillance to identify any plot for cyber attacks;(e) Examples of cyber threats from past cyber attacks on thelicensee if available; and(f) Examples of cyber threats from recent cyber attacks on other organisations.Added: January 2022RM-9.1.24
Licensees must conduct periodic assessments of the maturity, coverage, and effectiveness of all cyber security controls. Cyber security control assessment must include an analysis of the controls’ effectiveness in reducing the likelihood and probability of a successful attack.Added: January 2022RM-9.1.25
Licensees should ensure that the periodic assessments of cyber threats and cyber security controls cover all critical technology systems. A risk treatment plan should be developed for all residual risks which are considered to be above thelicensee ’s risk tolerance levels.Added: January 2022RM-9.1.26
Licensees must conduct regular technical assessments to identify potential security vulnerabilities for systems, applications, and network devices. The vulnerability assessments must be comprehensive and cover internal technology, external technology, and connections with third parties. Assessments for external public facing services and systems must be more frequent.Added: January 2022RM-9.1.27
With respect to Paragraph RM-9.1.26, external technology refers to the
licensee ’s public facing technology such as websites, apps and external servers. Connections with third parties includes any API or other connections with fintech companies, technology providers, outsourcing service providers etc.Added: January 2022RM-9.1.28
Licensees must have in place vulnerability and patch management processes which include remediation processes to ensure that the vulnerabilities identified are addressed and that security patches are applied where relevant within a timeframe that is commensurate with the risks posed by each vulnerability.Added: January 2022RM-9.1.29
All
licensees must perform penetration testing of their systems, applications, and network devices to verify the robustness of the security controls in place at least once a year. These tests must be used to simulate real world cyber-attacks on the technology environment and must:(a) Follow a risk-based approach based on an internationally recognized methodology, such as National Institute of Standards and Technology “NIST” and Open Web Application Security Project “OWASP”;(b) Include both Grey Box and Black Box testing in its scope;(c) Be conducted by qualified and experienced security professionals who are certified in providing penetration testing services;(d) Be performed by internal and external independent third parties which should be changed at least every two years; and(e) Be performed on either the production environment or on non-production exact replicas of the production environment.Added: January 2022RM-9.1.30
CBB may require additional third-party security reviews to be performed as needed.
Added: January 2022RM-9.1.31
The tests referred to in Paragraph RM-9.1.29 must be conducted each year in June and the report on such testing must be submitted to the CBB before 30th September. The penetration testing reports must include the vulnerabilities identified and a full list of ‘passed’ tests and ‘failed’ tests together with the steps taken to mitigate the risks identified.
Added: January 2022
