Reporting to the CBB
SIO-9.6.61
Upon occurrence or detection of any cyber security incident or detection of any unplanned outages, whether internal or external, that compromises client information or disrupts critical services that affect operations, stablecoin issuers must contact the CBB, immediately (within one hour), on 17547477 and submit Section A of the Cyber Security Incident Report (Appendix-B) to the CBB’s cyber incident reporting email, incident.cra@cbb.gov.bh, as soon as possible, but not later than two hours, following occurrence or detection of any cyber incidents.
Added: July 2025
SIO-9.6.62
Following the submission referred to in Paragraph SIO-9.6.61, the stablecoin issuer must submit to the CBB Section B of the Cyber Security Incident Report (Appendix B) within 10 calendar days of the occurrence of the cyber security incident. The stablecoin issuer must include all relevant details in the report, including the full root cause analysis of the cyber security incident, its impact on the business operations and clients, and all measures taken by the stablecoin issuer to stop the attack, mitigate its impact and to ensure that similar events do not recur. In addition, a weekly progress update must be submitted to the CBB until the incident is fully resolved.
Added: July 2025
SIO-9.6.63
With regard to the submission requirement mentioned in Paragraph SIO-9.6.62, the stablecoin issuer should submit the report with as much information as possible even if all the details have not been obtained yet.
Added: July 2025
SIO-9.6.64
The vulnerability assessment and penetration testing report (refer to Paragraph SIO-9.6.32), along with the steps taken to mitigate the risks, must be maintained by the licensee for a five-year period from the date of the report.
Added: July 2025