• Cyber Risk Identification and Assessments

    • GR-12.2.27

      Licensees must conduct periodic assessments of cyber threats. For the purpose of analysing and assessing the current cyber threats relevant to the licensee, the licensee should take into account the factors detailed below:

      (a) Cyber threat entities including cyber criminals, cyber activists, insider threats;
      (b) Methodologies and attack vectors across various technologies including cloud, email, websites, third parties, physical access, or others as relevant;
      (c) Changes in the frequency, variety, and severity of cyber threats relevant to the region;
      (d) Dark web surveillance to identify any plot for cyber attacks;
      (e) Examples of cyber threats from past cyber attacks on the licensee if available; and
      (f) Examples of cyber threats from recent cyber attacks on other organisations.

      Added: January 2022

    • GR-12.2.28

      Licensees must conduct periodic assessments of the maturity, coverage, and effectiveness of all cyber security controls. The cyber security control assessment must include an analysis of the controls’ effectiveness in reducing the likelihood of a successful attack.

      Added: January 2022

    • GR-12.2.29

      Licensees should ensure that the periodic assessments of cyber threats and cyber security controls cover all critical technology systems. A risk treatment plan should be developed for all residual risks which are considered to be above the licensee’s risk tolerance levels.

      Added: January 2022

    • GR-12.2.30

      Licensees must conduct regular technical assessments to identify potential security vulnerabilities for systems, applications, and network devices. The vulnerability assessments must be comprehensive and cover internal technology, external technology, and connections with third parties. Assessments for external public facing services and systems must be more frequent.

      Added: January 2022

    • GR-12.2.31

      With respect to Paragraph GR-12.2.30, external technology refers to the licensee’s public facing technology such as websites, apps and external servers. Connections with third parties include any API or other connections with fintech companies, technology providers, outsourcing service providers, etc.

      Added: January 2022

    • GR-12.2.32

      CBB may require additional third-party security reviews to be performed as needed.

      Added: January 2022