Back Custom print Link Text Only Rich Text Print

  • Cyber Risk Identification and Assessments

    • CRA-5.8.13A

      Licensees must conduct periodic assessments of cyber threats. For the purpose of analysing and assessing current cyber threats relevant to the licensee, it should take into account the factors detailed below:

      (a) Cyber threat entities including cyber criminals, cyber activists, insider threats;
      (b) Methodologies and attack vectors across various technologies including cloud, email, websites, third parties, physical access, or others as relevant;
      (c) Changes in the frequency, variety, and severity of cyber threats relevant to the region;
      (d) Dark web surveillance to identify any plot for cyber attacks;
      (e) Examples of cyber threats from past cyber-attacks on the licensee where applicable; and
      (f) Examples of cyber threats from recent cyber-attacks on other organisations.
      Added: April 2023

    • CRA-5.8.13B

      Licensees must conduct periodic assessments of the maturity, coverage, and effectiveness of all cyber security controls. Cyber security control assessment must include an analysis of the controls’ effectiveness in reducing the likelihood and probability of a successful attack.

      Added: April 2023

    • CRA-5.8.13C

      Licensees should ensure that the periodic assessments of cyber threats and cyber security controls cover all critical technology systems. A risk treatment plan should be developed for all residual risks which are considered to be above the licensee’s risk tolerance levels.

      Added: April 2023

    • CRA-5.8.13D

      Licensees must conduct regular technical assessments to identify potential security vulnerabilities for systems, applications, and network devices. The vulnerability assessments must be comprehensive and cover internal technology, external technology, and connections with third parties. Preferably, monthly assessments should be conducted for internal technology and weekly or more frequent assessments for external public facing services and systems.

      Added: April 2023

    • CRA-5.8.13E

      With respect to Paragraph CRA-5.8.13D, external technology refers to the licensee’s public facing technology such as websites, apps and external servers. Connections with third parties includes any API or other connections with fintech companies, technology providers, outsourcing service providers etc.

      Added: April 2023

    • CRA-5.8.13F

      Licensees must have in place vulnerability and patch management processes which include remediation processes to ensure that the vulnerabilities identified are addressed and that security patches are applied where relevant within a timeframe that is commensurate with the risks posed by each vulnerability.

      Added: April 2023

    • CRA-5.8.13G

      All licensees must perform vulnerability assessment and penetration testing of their systems, applications, and network devices to verify the robustness of the security controls in place at least twice a year. These tests must be used to simulate real world cyber-attacks on the technology environment and must:

      (a) Follow a risk-based approach based on an internationally recognized methodology, such as National Institute of Standards and Technology “NIST” and Open Web Application Security Project “OWASP”;
      (b) Include both Grey Box and Black Box testing in its scope;
      (c) Be conducted by qualified and experienced security professionals who are certified in providing penetration testing services;
      (d) Be performed internally at periodic intervals by employees having adequate expertise and competency in such testing;
      (e) Be performed, twice a year, by external independent third parties who are rotated out at least every two years; and
      (f) Be performed on either the production environment or on non-production exact replicas of the production environment.
      Added: April 2023

    • CRA-5.8.13H

      The CBB may require additional third-party security reviews to be performed as needed.

      Added: April 2023

    • CRA-5.8.13I

      The time period between two consecutive penetration test and the vulnerability assessment by an independent third party, referred to in Paragraph CRA-5.8.13G(e) must be 6 months and the report on such testing must be provided to CBB within two months following the end of the month where the testing took place. The vulnerability assessment and penetration testing reports must include the vulnerabilities identified and a full list of ‘passed’ tests and ‘failed’ tests together with the steps taken to mitigate the risks identified.

      Added: April 2023