• RM RM Risk Management

    • RM-A RM-A Introduction

      • RM-A.1 RM-A.1 Purpose

        • Executive Summary

          • RM-A.1.1

            This Module provides detailed Rules and Guidance on risk management systems and controls requirements for insurance licensees. It expands on certain high-level requirements contained in various High-Level Standards Modules. In particular, Section AU-2.6 of Module AU (Authorisation) outlines the systems and controls required as part of the licensing conditions and Principle 10 of the Principles of Business (ref. PB-1.10) requires insurance licensees to have systems and controls sufficient to manage the level of risk inherent in their business.

            Amended: January 2007

          • RM-A.1.2

            This Module obliges insurance licensees to recognise the range of risks that they face and the need to manage these effectively. Their risk management systems should monitor and control all material risks. The adequacy of a licensee's risk management is subject to the scale and complexity of its operations, however. In demonstrating compliance with certain Rules, smaller licensees with very simple operational structures and business activities may require to implement less extensive or sophisticated risk management systems, compared to licensees with a complex and/or extensive customer base or operations.

        • Legal Basis

          • RM-A.1.3

            This Module contains the Central Bank of Bahrain's ('CBB') Directive (as amended from time to time) relating to risk management and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). The Directive in this Module is applicable to insurance licensees (including their approved persons).

            Amended: January 2011
            Amended: October 2007
            Added: January 2007

          • RM-A.1.4

            For an explanation of the CBB’s rule-making powers and different regulatory instruments, see Section UG-1.1.

            Added: January 2007

      • RM-A.2 RM-A.2 Module History

        • RM-A.2.1

          This Module was first issued in April 2005 by the BMA together with the rest of Volume 3 (Insurance). Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: UG-3 provides further details on Rulebook maintenance and version control.

          Amended: January 2007

        • RM-A.2.2

          When the CBB replaced the BMA in September 2006, the provisions of this Module remained in force. Volume 3 was updated in January 2007 to reflect the switch to the CBB; however, new calendar quarter dates were only issued where the update necessitated changes to actual requirements.

          Added: January 2007
          Amended: October 2007

        • RM-A.2.3

          A list of recent changes made to this module is detailed in the table below:

          Module Ref. Change Date Description of Changes
          RM-1.1 01/07/05 Correction to cross-reference.
          RM-6.1 01/07/05 Clarified wording of factors to consider for operational risks.
          RM-2.1 01/10/05 Clarified that the 25% notification for reinsurance exposure is to be applied based on a premium basis.
          RM-8.1 01/10/05 Corrected cross reference in RM-8.1.6.
          RM-1.1 01/01/06 Clarified CBB's requirements for insurance firms to carry out their own assessment of their capital needs.
          RM-2.1 01/01/06 Corrected cross-reference.
          RM-6.1 01/07/06 Added requirements for physical security measures and third party insurance to be put in place by insurance firms.
          RM-A.1.3 01/2007 New Rule introduced, categorising this Module as a Directive.
          RM-7.5.3 04/2008 Clarified that CBB prior approval is required for intra-group outsourcing.
          RM-7.2.1, 7.2.2 and 7.3.6 07/2008 Clarified that CBB prior approval is required for outsourcing arrangements.
          RM-7.5.7 04/2010 Added a Paragraph dealing with restrictions on intra-group outsourcing.
          RM-A.1.3 01/2011 Clarified legal basis
          RM-7.6 04/2013 Section amended on outsourcing of internal audit.
          RM-1.1 04/2014 Enhanced the requirements for the risk management function.
          RM-7.1.3 10/2017 Amended Paragraph to allow the utilization of cloud services.
          RM-7.1.5A 10/2017 Added a new Paragraph on outsourcing requirements.
          RM-7.2.1 10/2017 Amended Paragraph.
          RM-7.2.3 10/2017 Amended Paragraph.
          RM-7.2.6 10/2017 Amended Paragraph.
          RM-7.2.8 10/2017 Added a new Paragraph on outsourcing.
          RM-7.3.1 10/2017 Amended Paragraph.
          RM-7.3.2 10/2017 Amended Paragraph.
          RM-7.3.3 10/2017 Amended Paragraph.
          RM-7.3.6 10/2017 Amended Paragraph.
          RM-7.4.6 10/2017 Amended Paragraph.
          RM-7.4.13 10/2017 Amended Paragraph.
          RM-7.4.14 10/2017 Amended Paragraph.
          RM-7.4.20 10/2017 Amended Paragraph.
          RM-7.4.21 10/2017 Added a new Paragraph on security measures related to cloud services.
          RM-7.5.3 10/2017 Amended Paragraph.
          RM-7.5.4 10/2017 Amended Paragraph.
          RM-9 10/2019 Added a new Section on Cyber Security.
          RM-9 01/2022 New revised Chapter on Cyber Security Risk Management.
          RM-9.1.58 04/2022 Amended Paragraph on cyber security reporting.
          RM-9.1.59 04/2022 Amended Paragraph on the submission of the cyber security report.
          RM-7 07/2022 Replaced Chapter RM-7 with new Outsourcing Requirements.
          RM-9.1.22 10/2022 Amended Paragraph on email domains requirements.
          RM-9.1.22A 10/2022 Added a new Paragraph on additional domains requirements.

        • RM-A.2.3 [Deleted]

          Deleted: January 2007

        • RM-A.2.4

          Guidance on the implementation and transition to Volume 3 (Insurance) is given in Module ES (Executive Summary).

          Amended: January 2007

    • RM-B RM-B Scope of Application

      • RM-B.1 RM-B.1 Scope

        • RM-B.1.1

          Unless otherwise stated in a Rule, or exempted in writing by the CBB, the contents of this Module apply to Bahraini insurance firms and Bahraini insurance brokers on a consolidated basis, and to overseas insurance firms and overseas insurance brokers with respect to their operations either booked in or undertaken from Bahrain.

          Amended: January 2007

        • RM-B.1.2

          Because of the nature of their activities, insurance brokers are not subject to Sections RM-4.1 (Market Risk) and RM-5.1 (Insurance Technical Risk).

          Amended: January 2007

        • RM-B.1.3

          The CBB will only consider granting an exemption to a Rule in this Module, where the insurance firm concerned can demonstrate that it has equivalent systems and controls applied at the group or parent entity level, that achieve the same objective as the CBB requirement concerned. The purpose of such an exemption is to allow entity-wide or group-wide systems and requirements to be applied, where these achieve the same outcome: exemptions are therefore only likely to be given with respect to overseas insurance licensees, and possibly Bahraini licensees that are part of an overseas group. Because of their general nature, exemptions will not be considered with regards to the requirements contained in Chapter RM-1 (Risk Management Systems and Controls).

          Amended: January 2007

        • RM-B.1.4

          For the purposes of Paragraph RM-B.1.1, 'consolidated basis' means including the branches and subsidiaries of the Bahraini insurance firm or Bahraini insurance broker, whether these are located inside or outside the Kingdom of Bahrain.

          Amended: January 2007

        • RM-B.1.5

          Unless otherwise stated in a Rule, or exempted in writing by the CBB, the contents of this Module apply to operators of insurance exchanges authorised to carry out insurance business in Bahrain.

          Amended: January 2007

        • RM-B.1.6

          The contents of this Module do not apply to insurance consultants, insurance managers and to appointed representatives, because the nature of their activities only expose policyholders to limited financial risk.

          Amended: January 2007

        • RM-B.1.7

          While the business of insurance managers is not subject to this Module, clients of insurance managers that are insurance firms, such as captive insurers, are subject to the requirements of this Module. The insurance manager, in fulfilling its obligations to its clients, therefore needs to manage the affairs of its clients in accordance with the requirements of the Rulebook, including this Module.

          Amended: October 2007

        • RM-B.1.8

          An insurance licensee's failure to establish, in the opinion of the CBB, adequate systems and controls will result in it being in breach of Condition 6 of the Licensing Conditions of Section AU-2.6 of Module AU (Authorisation). This failure may result in the CBB withdrawing or imposing restrictions on the license, or the licensee being required to inject more capital.

          Amended: January 2007

    • RM-1 RM-1 General Requirements

      • RM-1.1 RM-1.1 Risk Management Systems and Controls

        • RM-1.1.1

          A licensee must take reasonable care to establish and maintain effective systems and controls as are appropriate to its business to manage its risks. These policies must be documented and regularly reviewed.

        • RM-1.1.2

          The licensee's identification, assessment, management and reporting of risks must consider (but is not limited to) the management of credit, liquidity, market, technical, operational (including outsourcing) and group risks, as outlined in Chapters RM-2 to RM-8.

          Amended: January 2007

        • RM-1.1.3

          As noted in Paragraph CA-A.1.2, insurance firms must regularly carry out their own assessment of their capital needs, appropriate to their risk profile, and maintain a process for monitoring and maintaining their actual capital in line with their assessment.

        • RM-1.1.4

          For purposes of Paragraph RM-1.1.3, the CBB does not prescribe the detailed form of such assessment, in order to give insurance firms flexibility to develop their own approaches. Where a firm's assessment suggests that a level of capital that should be held is higher than the minimum required per Chapter CA-2, the CBB would expect firms to hold capital in line with their assessment.

          Amended: January 2007

        • RM-1.1.5

          The licensee must determine if any additional risk categories, other than those referred to in Paragraph RM-1.1.2 and RM-1.1.3, are relevant to its business and therefore need to be addressed.

          Amended: January 2007

        • Risk Management

          • RM-1.1.6

            In the case of incorporated insurance firms and insurance brokers, the Board of Directors must take responsibility for the establishment and oversight of effective risk management systems and controls.

          • RM-1.1.7

            In the case of Bahraini insurance brokers that are unincorporated entities or single person companies, the General Manager must take responsibility for the establishment and oversight of effective risk management systems and controls.

            Amended: October 2007

          • RM-1.1.8

            Additional requirements relating to Boards and senior management in terms of risk management and controls are specified in Module HC (High-Level Controls). The Board may delegate various functions and tasks, but retains ultimate responsibility. However, the CBB will also take into account the responsibility of the Chief Executive Officer or General Manager of a licensee, within the framework of delegated authorities laid down by the Board.

            Amended: January 2007
            Amended: October 2007

          • RM-1.1.9

            In assessing the systems and controls framework, the CBB would expect the Board to be able to demonstrate that it provides suitable prudential oversight and establish a risk management system that includes setting and monitoring policies so that all major risks are identified, measured, monitored and controlled on an on-going basis. The risk management systems should be approved and periodically reviewed by the Board as outlined in Paragraph HC-1.1.5.

            Amended: January 2007

        • Risk Management Function

          • RM-1.1.10

            The CBB requires that all insurance firms establish an independent risk management function, staffed by a head of risk management, duly approved by the CBB in accordance with Paragraph AU-1.2.1.

            Added: April 2014

          • RM-1.1.10A

            Depending on the scale and complexity of their operations, insurance brokers must consider establishing an independent risk management function.

            Amended: April 2014

          • RM-1.1.10B

            The risk management function must be independent of risk-taking units and must not have any conflict of interest with any other function. The risk management function must have direct access to the Board and must report to the Board and senior management.

            Added: April 2014

          • RM-1.1.11

            Where there is a risk management function, the licensee must document the process by which it manages risks, and how it directly reports to the Board of directors on these risks.

            Amended: April 2014

          • RM-1.1.12

            [This Paragraph was deleted in April 2014.]

            Deleted: April 2014

    • RM-2 RM-2 Credit Risk

      • RM-2.1 RM-2.1 Credit Risk

        • RM-2.1.1

          Section RM-2.1 applies only to insurance firms and insurance brokers.

        • RM-2.1.2

          Insurance licensees must identify and manage their credit risk across all their operations, and document their policies and procedures for achieving this in a credit risk policy. This policy must be regularly reviewed.

          Amended: January 2007
          Amended: October 2007

        • RM-2.1.3

          Amongst other things, a licensee's credit risk policy must identify the limits it applies to both individual counterparties and categories of counterparty, how it monitors movements in counterparty risk and how it mitigates loss in the event of counterparty failure.

          Amended: October 2007

        • RM-2.1.4

          Credit risk is the risk that a counterparty will not meet its obligations in accordance with agreed terms, causing a financial loss. In the case of an insurance firm, credit risk will normally occur with:

          (a) Reinsurance counterparties;
          (b) Assets (e.g. stock, loans);
          (c) Derivatives; and
          (d) Insurance debtors (premiums due from insured persons and intermediaries).
          Amended: January 2007
          Amended: October 2007

        • RM-2.1.5

          The licensee should consider these and other credit risk factors that may affect the licensee's solvency:

          (a) The credit-worthiness of its reinsurers;
          (b) The financial effect of non-performance of the reinsurance; and
          (c) The financial effect of non-payment of premiums, by debtors such as intermediaries and policyholders.
          Amended: January 2007

        • RM-2.1.6

          In addition to considering the failure of counterparties, the licensee should also consider scenarios such as increases in late payment and doubtful debt provisioning, and measures to mitigate credit risks, such as premium payment warranties (whereby policy coverage only becomes effective on payment of premiums).

          Amended: October 2007

        • RM-2.1.7

          An insurance firm must monitor its exposure, defined as sums insured, to an individual reinsurer and provide details of its reinsurance programme to the CBB. It must notify the CBB if its total aggregate exposure, on a premium basis, to one reinsurer (or group of related reinsurers) exceeds 25% of individual or aggregate risks and why it considers that this exposure does not pose a credit risk for which a provision should be made.

          Amended: January 2007

        • RM-2.1.8

          Paragraph RM-2.1.7 does not constitute a prohibition on exceeding this amount as the CBB recognises that there may be situations and types of reinsurance arrangements where reinsurance in excess of this limit might be necessary. The CBB should however be notified of these cases, and the licensee should include an explanation of the reason why it believes that the excess exposure is an acceptable credit risk.

          Amended: January 2007
          Amended: October 2007

        • RM-2.1.9

          In addition to the requirements noted in Paragraph RM-2.1.7, insurance firms must evaluate the credit worthiness of individual reinsurers at the time of ceding business and on an on-going basis.

        • RM-2.1.10

          The credit worthiness of reinsurers may be established by referring to ratings provided by international rating agencies, such as Standard & Poors or AM Best.

        • RM-2.1.11

          An insurance licensee must keep its exposure to individual assets or classes of assets within prudent levels, taking into account the relationship between counterparties, geographical and sectoral concentration, duration of exposures and the exposure to single loss events (e.g. regional economic downturns). Chapter CA-4 provides additional Rules in establishing limitations in the valuation of assets.

          Amended: January 2007

        • RM-2.1.12

          Specific counterparty limits are contained in Paragraph CA-4.2.33.

          Amended: January 2007
          Amended: October 2007

        • RM-2.1.13

          An insurance licensee must take into account the risk of default in the valuation of its assets.

    • RM-3 RM-3 Liquidity Risk

      • RM-3.1 RM-3.1 Liquidity Risk

        • RM-3.1.1

          Section RM-3.1 applies only to insurance firms and insurance brokers.

        • RM-3.1.2

          Insurance licensees must identify and manage their liquidity risk across all their operations, and document their policies and procedures for achieving this in a liquidity risk policy. This policy must be regularly reviewed.

          Amended: January 2007

        • RM-3.1.3

          Liquidity risk is the risk of not being able to meet liabilities when they fall due, even though a firm may still be solvent. Liquidity risk can result from claims falling due earlier than anticipated, higher than expected policy surrender or changes in mortality rates.

        • RM-3.1.4

          Liquidity risk in insurance licensees relates to the management of their cash flow and the risk to their meeting short-term liabilities due to liquidity problems. The risks of matching of assets and liabilities, currency risk etc. are considered as part of insurance risk and are the subject of specific limits in Section CA-6.1.

        • RM-3.1.5

          Insurance licensees must also carry out stress testing to assess the resilience of their financial resources to any identified areas of material liquidity risk. This stress testing may take into account the general characteristics, and licensee's experience, of the classes of business that it writes, any discounting of its claims provisions, and any mitigating factors that it considers relevant such as the ability to sell assets quickly and the options available to re-schedule the payments to policyholders and other counterparties.

        • RM-3.1.6

          Where the insurance licensee considers that the nature of its assets or liabilities and the matching of its liabilities result in no significant liquidity risk exposure, it will not be expected to carry out stress testing. The CBB will expect it to document the reasons for its decision and be prepared to discuss these during an on-site visit.

          Amended: January 2007

        • RM-3.1.7

          When assessing liquidity risk, the insurance licensee should consider the extent of mismatch between assets and liabilities and the amount of assets held in highly liquid, marketable forms should unexpected cash flows lead to a liquidity problem. The price concession of liquidating assets is a prime concern when assessing such liquidity risk and should be built into any assessment of capital adequacy.

          Amended: January 2007

        • RM-3.1.8

          Captive insurance firms are exempted from the specific requirement to undertake stress and scenario testing aimed at testing the resilience of their financial resources to specific areas of significant risk.

          Amended: January 2007

    • RM-4 RM-4 Market Risk

      • RM-4.1 RM-4.1 Market Risk

        • RM-4.1.1

          Section RM-4.1 applies only to insurance firms.

        • RM-4.1.2

          Insurance licensees must identify and manage their market risk across all their operations, and document their policies and procedures for achieving this in a market risk policy. This policy must be regularly reviewed.

          Amended: October 2007

        • RM-4.1.3

          Market risk relates to the exposure of the insurance licensee, to fluctuations in the market value, currency or yield of an asset.

        • RM-4.1.4

          A licensee's market risk policy must identify its appetite for market risk, systems for identifying, reporting and documenting market risk and mitigation factors in place.

        • RM-4.1.5

          Insurance firms (other than captives) must carry out stress testing to assess the resilience of their financial resources to any identified areas of material market risk under reasonably foreseeable circumstances. This stress testing may take into account the rating and geographical spread of its assets, the duration of their maturity relative to the licensee's liabilities and the fluctuation of interest and currency rates.

        • RM-4.1.6

          The insurance licensee should consider potential market risk events that may affect its solvency. These include the following:

          (a) Reduced values of equities due to stock market falls, etc;
          (b) Variation in interest rates and the effect on the market value of investments;
          (c) A lower level of investment income than planned;
          (d) Inadequate valuation of assets;
          (e) The direct impact on the portfolio of currency devaluation, as well as the effect on related markets and currencies; and
          (f) The extent of any mismatch of assets and liabilities.
          Amended: January 2007

        • RM-4.1.7

          Chapter CA-4 contains Rules and Guidance relating to the valuation of assets and counterparty limits. Chapter CA-6 contains Rules and Guidance relating to currency matching and localisation.

          Amended: January 2007

        • RM-4.1.8

          Where the insurance licensee considers that the nature of its assets and the matching of its liabilities result in no significant market risk exposure (e.g. its investments consist entirely of cash and bank deposits), it will not be expected to carry out stress testing. The CBB will expect it to document the reasons for its decision and be prepared to discuss these during an on-site visit.

          Amended: January 2007

    • RM-5 RM-5 Insurance Technical Risk

      • RM-5.1 RM-5.1 Insurance Technical Risk

        • RM-5.1.1

          Section RM-5.1 applies only to insurance firms.

        • RM-5.1.2

          An insurance firm licensee must identify and manage its insurance technical risk across all its operations, and document its underwriting and claims policies for achieving this in an underwriting policy.

          Amended: January 2007

        • RM-5.1.3

          Insurance technical risk is the normal trading risk, arising out of contracts of insurance, that the insurance licensee is exposed to in its day-to-day operations, and includes the technical and actuarial bases of calculation for premiums and technical provisions in both long-term and general insurance.

          Amended: January 2007
          Amended: October 2007

        • RM-5.1.4

          An insurance firm must document its underwriting and claims policies and review these at regular intervals.

        • RM-5.1.5

          The underwriting policy must be at a level of detail appropriate to the nature, magnitude and source of its business and must include (but is not limited to) a description of the following elements:

          (a) Classes and sources of business to be written (including limits on concentrations of class, location and counterparty);
          (b) Rating and pricing strategy and methodology;
          (c) The management of, and reserving for, claims;
          (d) Responsibilities and authority levels; and
          (e) Reinsurance protections, including any mismatch between the duration of the contracts and the underlying reinsurance protection.
          Amended: January 2007

        • RM-5.1.6

          The claims policy must be at a level of detail appropriate to the nature, magnitude and source of its business and must include (but is not limited to) a description of the following elements:

          (a) Reporting (e.g. evidence required, appointment of loss adjusters);
          (b) Scrutiny;
          (c) Authority levels;
          (d) Valuation;
          (e) Monitoring claims settlement, payments, reinsurance recoveries and subrogation; and
          (f) Provisioning of claims, including the bases and assumptions followed, authority levels, record-keeping and review.
          Amended: January 2007

        • RM-5.1.7

          Where necessary to demonstrate the adequacy of its financial resources under reasonably foreseeable deteriorations of its underwriting and claims positions, the insurance firm must conduct stress testing under a range of foreseeable adverse scenarios.

        • RM-5.1.8

          In assessing the outcome of adverse scenarios on the future solvency position, insurance firms must consider the impact of future further deterioration claims reserves (or, in the case of long- term business, the inadequacy of mathematical reserves) and future loss ratios being higher than past claims patterns would suggest.

          Amended: January 2007

        • RM-5.1.9

          Factors that licensees may consider appropriate in assessing the levels of underwriting risk include:

          (a) The adequacy of the licensee's pricing structure;
          (b) The volatility of sales volumes (e.g. the risk of poor underwriting from over-rapid expansion);
          (c) The uncertainty of claims experience (and the length of the claims 'tail');
          (d) The share of premium paid to intermediaries;
          (e) The adequacy of the coverage of the reinsurance programme;
          (f) The impact of the licensee's inability to secure renewal of part of its reinsurance at acceptable terms or at all;
          (g) The risk of unintended risks claims being covered (or not excluded) by policy wordings; and
          (h) The risk of mis-selling, for example, the number of complaints or disputed claims.
          Amended: January 2007
          Amended: October 2007

        • RM-5.1.10

          Factors that insurance licensees may consider appropriate in assessing the levels of claims risk include:

          (a) The frequency and size of large claims;
          (b) Possible outcomes relating to any disputed claims, particularly where the outcome is subject to legal proceedings;
          (c) The ability of the licensee to withstand catastrophic events, increases in unexpected exposures, latent claims or aggregation of claims;
          (d) The possible exhaustion of reinsurance arrangements, both on a per-risk and per-event basis;
          (e) The non-payment of outstanding claims due to the lack of coverage offered by the reinsurance purchased for underwritten risks (i.e. offsetting potential liabilities);
          (f) Social changes regarding an increase in the propensity to claim and to sue;
          (g) The impact of unanticipated legal judgements on claims and claims reserves;
          (h) Other social, economic and technological changes; and
          (i) The risk associated with dealing with a reinsurer, fronting 100% of the risks ceded.
          Amended: January 2007
          Amended: October 2007

        • RM-5.1.11

          The CBB believes that insurance firms need to consider carefully dealing with reinsurers fronting 100% of the risks that is ceded to them. The concern is that the reinsurer ceding 100% of the risk to a retrocessionaire has little incentive to adhere to proper standards of underwriting, due to it receiving a fee, based on maximizing volume of premium, at the expense of underwriting soundness. Fronting arrangements can result in abrupt cancellation by the assuming reinsurer and sometimes refusal to pay claims because of the lack of observation of the understandings with regard to business quality that were agreed upon when the arrangement was negotiated. Consequently, insurers may have to assume risks for which they believed to have covered through a proper reinsurance arrangement, should the reinsurer no longer honour the arrangement. The CBB will scrutinise carefully the management by firms of the risks associated with fronting, in the course of its supervision.

          Amended: January 2007

        • RM-5.1.12

          Additional factors that general insurers may consider appropriate in assessing the levels of claims risk include:

          (a) The adequacy and uncertainty of the technical claims provisions, such as outstanding claims, IBNR and claims handling expense reserves;
          (b) The adequacy of other underwriting provisions, such as the provisions for unearned premium and unexpired risk reserves;
          (c) The appropriateness of catastrophe models and underlying assumptions used, such as possible maximum loss (PML) factors used; and
          (d) The effects of inflation.
          Amended: January 2007

        • RM-5.1.13

          Additional factors that long-term insurers may consider appropriate in assessing the levels of claims risk include future variations in investment returns and in mortality and morbidity rates.

    • RM-6 RM-6 Operational Risk

      • RM-6.1 RM-6.1 Operational Risk

        • RM-6.1.1

          Section RM-6.1 applies only to insurance firms and insurance brokers

        • RM-6.1.2

          An insurance licensee must identify and manage its operational risk across all its operations, and document its policies and procedures for achieving this in an operational risk policy.

        • RM-6.1.3

          Operational risk is the risk to the insurance licensee of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

        • RM-6.1.4

          Insurance licensees must consider the impact of operational risks on their financial resources and solvency. In so doing, insurance licensees must consider the factors listed under Paragraph RM-6.1.5, and any other factors relevant to their business.

          Amended: January 2007

        • RM-6.1.5

          In assessing potential operational risk, events that may affect the licensee's solvency include the following:

          (a) Risks to the licensee's resources and reputation from employees and agents (due to fraud, negligence etc);
          (b) Adequacy of management information;
          (c) Failure of information technology through breakdown, incompatibility of legacy systems and poor scalability, poor security, etc.;
          (d) Failure of processes and procedures;
          (e) Internal and external fraud;
          (f) Outsourcing risk (for more detail, see RM-7);
          (g) Resourcing levels;
          (h) Business continuity and disaster recovery; and
          (i) Reputational risks and the risk to the licensee's business from an undermining of consumer confidence in particular market segments, e.g. savings products.
          Amended: January 2007

        • RM-6.1.6

          Human failure may arise either from the loss of one or more key individuals, lack of competence or failure of an individual to follow procedures or observe authority levels.

        • RM-6.1.7

          The insurance licensee must identify those processes, systems and premises that are critical to its survival and continuing operations and must develop contingency plans ('business continuity planning') covering these areas. These plans must be regularly updated and tested.

          Amended: January 2007

        • RM-6.1.8

          An insurance licensee should have the means to ensure that its statutory and regulatory responsibilities are effectively carried out, especially where the group is subject to matrix management. More specifically, clear reporting lines and responsibilities need to be defined to minimize the risk that statutory and regulatory responsibilities are overlooked.

        • RM-6.1.9

          Insurance licensees must ensure that there is adequate succession planning and that the risks arising from the loss of key individuals are thereby contained.

        • RM-6.1.10

          The licensee's Board is responsible for ensuring the suitability and competence of employees for the assigned tasks, and for the adequacy of staffing levels. Depending on their size and scale of their activities, insurance licensees should consider having in place a formal appraisal process and a training plan for professional members of staff. For employees that are members of professional bodies it may also be appropriate for this to be integrated with requirements of those bodies for Continuing Professional Education (CPE).

        • RM-6.1.11

          Insurance licensees must identify, manage and control the risks that arise from human failure, including employees and agents. These include inappropriate remuneration policies, health and safety and employment policies.

        • RM-6.1.12

          The licensee's business continuity planning, risk identification and reporting must cover reasonably foreseeable external events and their likely impact on the firm and its business portfolio.

        • Physical Security Measures

          • RM-6.1.13

            Insurance licensees that deal directly with the public and maintain cash on their premises must put in place security measures to minimise the risk of theft or fraud.

          • RM-6.1.14

            Insurance licensees subject to Paragraph RM-6.1.13 must ensure that the maximum cash maintained at their premises at the end of each day is limited to BD10,000.

          • RM-6.1.15

            Insurance licensees subject to Paragraph RM-6.1.13 are required to install an alarm system for those premises that maintain cash.

          • RM-6.1.16

            Where appropriate, insurance licensees may consider the need to maintain a trained security guard at their premises.

        • Third Party Insurance

          • RM-6.1.17

            Insurance licensees are required to have in place insurance coverage from an unrelated third party to cover potential losses arising from liability, theft, fire and other potential operational risk.

          • RM-6.1.18

            Insurance licensees are required to comply with Paragraph RM-6.1.13 to RM-6.1.17, by 31st December, 2006 (Refer to ES-2.6A.1).

            Amended: October 2007
            Amended: April 2008

    • RM-7 RM-7 Outsourcing Requirements

      • RM-7.1 RM-7.1 Outsourcing Arrangements

        • RM-7.1.1

          This Chapter sets out the CBB’s approach to outsourcing by licensees. It also sets out various requirements that licensees must address when considering outsourcing an activity or function.

          Amended: July 2022

        • RM-7.1.2

          In the context of this Chapter, ‘outsourcing’ means an arrangement whereby a third party performs on behalf of a licensee an activity which commonly would have been performed internally by the licensee. Examples of services that are typically outsourced include data processing, cloud services, customer call centres and back-office related activities.

          Amended: July 2022

        • RM-7.1.3

          In the case of branches of foreign entities, the CBB may consider a third-party outsourcing arrangement entered into by the licensee’s head office/regional office or other offices of the foreign entity as an intragroup outsourcing, provided that the head office/regional office submits to the CBB a letter of comfort which includes, but is not limited to, the following conditions:

          i. The head office/regional office declares its ultimate responsibility of ensuring that adequate control measures are in place; and
          ii. The head office/regional office is responsible to take adequate rectification measures, including compensation to the affected customers, in cases where customers suffer any loss due to inadequate controls applied by the third-party service provider.
          Amended: July 2022
          Amended: October 2017

        • RM-7.1.4

          The licensee must not outsource the following functions:

          (i) Compliance;
          (ii) AML/CFT;
          (iii) Financial control;
          (iv) Risk management; and
          (v) Business line functions offering regulated services directly to the customers (refer to Regulation No. (1) of 2007 and its amendments for the list of CBB regulated services).
          Amended: July 2022
          Amended: January 2007

        • RM-7.1.5

          For the purposes of Paragraph RM-7.1.4, certain support activities, processes and systems under these functions may be outsourced (e.g. call centres, data processing, credit recoveries, cyber security, e-KYC solutions) subject to compliance with Paragraph RM-7.1.7. However, strategic decision-making and managing and bearing the principal risks related to these functions must remain with the licensee.

          Amended: July 2022
          Amended: January 2007

        • RM-7.1.6

          Branches of foreign entities may be allowed to outsource to their head office, the risk management function stipulated in Subparagraph RM-7.1.4 (iv), subject to CBB’s prior approval.

          Amended: July 2022
          Added: October 2017

        • RM-7.1.7

          Licensees must comply with the following requirements:

          (i) Prior CBB approval is required on any outsourcing to a third-party outside Bahrain (excluding cloud data services). The request application must:
          a. include information on the legal and technical due diligence, risk assessment and detailed compliance assessment; and
          b. be made at least 30 calendar days before the licensee intends to commit to the arrangement.
          (ii) Post notification to the CBB, within 5 working days from the date of signing the outsourcing agreement, is required on any outsourcing to an intragroup entity within or outside Bahrain or to a third-party within Bahrain, provided that the outsourced service does not require a license, or to a third-party cloud data services provider inside or outside Bahrain.
          (iii) Licensees must have in place sufficient written requirements in their internal policies and procedures addressing all strategic, operational, logistical, business continuity and contingency planning, legal and risks issues in relation to outsourcing.
          (iv) Licensees must sign a service level agreement (SLA) or equivalent with every outsourcing service provider. The SLA must clearly address the scope, rights, confidentiality and encryption requirements, reporting and allocation of responsibilities. The SLA must also stipulate that the CBB, external auditors, internal audit function, compliance function and where relevant the Shari’a coordination and implementation and internal Shari’a audit functions of the licensee have unrestricted access to all relevant information and documents maintained by the outsourcing service provider in relation to the outsourced activity.
          (v) Licensees must designate an approved person to act as coordinator for monitoring and assessing the outsourced arrangement.
          (vi) Licensee must submit to the CBB any report by any other regulatory authority on the quality of controls of an outsourcing service provider immediately after its receipt or after coming to know about it.
          (vii) Licensee must inform its normal supervisory point of contact at the CBB of any material problems encountered with the outsourcing service provider if they remain unresolved for a period of three months from its identification date.
          Amended: July 2022
          Amended: January 2007

        • RM-7.1.8

          For the purpose of Subparagraph RM-7.1.7 (iv), licensees as part of their assessments may use the following:

          a) Independent third-party certifications on the outsourcing service provider’s security and other controls;
          b) Third-party or internal audit reports of the outsourcing service provider; and
          c) Pooled audits organized by the outsourcing service provider, jointly with its other clients.

          When conducting on-site examinations, licensees should ensure that the data of the outsourcing service provider’s other clients is not negatively impacted, including impact on service levels, availability of data and confidentiality.

          Amended: July 2022

        • RM-7.1.9

          For the purpose of Subparagraph RM-7.1.7 (i), the CBB will provide a definitive response to any prior approval request for outsourcing within 10 working days of receiving the request complete with all the required information and documents.

          Added: July 2022

      • RM-7.2 [This Section was deleted in July 2022]

      • RM-7.3 [This Section was deleted in July 2022]

      • RM-7.4 [This Section was deleted in July 2022]

      • RM-7.5 [This Section was deleted in July 2022]

      • RM-7.6 [This Section was deleted in July 2022]

    • RM-8 RM-8 Group Risk

      • RM-8.1 RM-8.1 Group Risk

        • RM-8.1.1

          Section RM-8.1 applies only to Bahraini insurance firms and Bahraini insurance brokers.

          Amended: October 2007

        • RM-8.1.2

          An insurance licensee must identify, manage and control risks to its activities arising from the activities and financial position of other members of its group.

        • RM-8.1.3

          The CBB may impose additional restrictions on the insurance licensee should it have reason to believe that other members of the group pose undue risk to the insurance licensee. These restrictions, for instance, may try to limit the risk of financial contagion, by restricting financial transactions between the licensee and group members.

          Amended: January 2007
          Amended: October 2007

        • RM-8.1.4

          For purposes of Section RM-8.1, the term group refers to a person or firm who is:

          (a) The parent of the licensee;
          (b) A subsidiary of the licensee (including subsidiaries of subsidiaries); or
          (c) A subsidiary of the licensee's parent.
          Amended: January 2007

        • RM-8.1.5

          The Board is expected to request sufficient information of its group members to allow it to address group risks.

        • RM-8.1.6

          Where the licensee's group or parent reports its own solvency position to its regulatory authority (on a group or 'solo' basis), a copy of this calculation must be provided to the CBB within 30 calendar days from the due date to the other regulatory authority, in accordance with Paragraph CA-7.1.8.

          Amended: January 2007
          Amended: October 2007

        • RM-8.1.7

          Where a licensee is part of a larger financial services group, it may rely on the systems and controls that the group (or its parent company) has put in place. The Board in these circumstances should establish what systems and controls are in place and should ensure that it is provided with sufficient and timely information on the solvency position of the group. This should be evidenced in the prudential records retained in Bahrain.

          Amended: January 2007
          Amended: October 2007

        • RM-8.1.8

          In assessing group systems and controls, an insurance licensee must give consideration to:

          (a) The likely impact of activities of the group on the compliance of the licensee with CBB requirements;
          (b) The effectiveness of linkages between group central functions and the licensee;
          (c) Potential conflicts of interest and methods of minimising them; and
          (d) The risk of adverse events of other group entities on the licensee, in particular due to financial weakness, crime or fraudulent behaviour.
          Amended: January 2007
          Amended: October 2007

        • RM-8.1.9

          An insurance licensee should not be subject to material influence by other entities of the group through informal or undocumented channels. The overall governance, high-level controls and reporting lines with the group should be clearly documented.

          Amended: October 2007

    • RM-9 RM-9 Cyber Security Risk Management

      • RM-9.1 RM-9.1 Cyber Security Risk Management

        • Role of the Board and Senior Management

          • RM-9.1.1 RM-9.1.1

            The Board of insurance licensees must ensure that the licensee has a robust cyber security risk management framework to comprehensively manage the licensee’s cyber security risk and vulnerabilities. The Board must establish clear ownership, decision-making and management accountability for risks associated with cyber-attacks and related risk management and recovery processes.

            Amended: January 2022
            Added: October 2019

            • RM-9.1.2 RM-9.1.2

              Licensees must ensure that the cyber security risk management framework encompasses, at a minimum, the following components:

              a) Cyber security strategy;
              b) Cyber security policy; and
              c) Cyber security risk management approach, tools and methodology and, an organization-wide security awareness program.
              Amended: January 2022
              Added: October 2019

              • RM-9.1.3

                The cyber security risk management framework must be developed in accordance with the National Institute of Standards and Technology (NIST) Cyber security framework which is summarized in Appendix A – Cyber security Control Guidelines. At the broader level, the Cyber security framework should be consistent with the licensee’s risk management framework.

                Amended: January 2022
                Added: October 2019

              • RM-9.1.4

                Senior management, and where appropriate, the boards, should receive comprehensive reports, covering cyber security issues such as the following:

                a. Key Risk Indicators/ Key Performance Indicators;
                b. Status reports on overall cyber security control maturity levels;
                c. Status of staff Information Security awareness;
                d. Updates on latest internal or relevant external cyber security incidents; and
                e. Results from penetration testing exercises.
                Amended: January 2022
                Added: October 2019

              • RM-9.1.5

                The Board must ensure that the cyber security risk management framework is evaluated for scope of coverage, adequacy and effectiveness every three years or when there are significant changes to the risk environment, taking into account emerging cyber threats and cyber security controls.

                Amended: January 2022
                Added: October 2019

              • RM-9.1.6

                Insurance firms must establish a cyber security risk function, independent of the information technology (IT) department, which must report to an independent risk management function or an equivalent function within the licensee. The cyber security risk management function must monitor and report on the status and maturity of relevant cyber security controls. Other insurance licensees may assign the responsibilities to a qualified Chief Information Security Officer (CISO) reporting to an independent risk management function or incorporate the responsibilities of cyber security risk into the risk management function. Overseas insurance licensees must be governed under a framework of cyber security risk management policies which ensure that an adequate level of oversight is exercised by the regional office or head office.

                Amended: January 2022
                Added: October 2019

              • RM-9.1.7

                Licensees should ensure that appropriate resources are allocated to the cyber security risk management function for implementing the cyber security framework.

                Amended: January 2022
                Added: October 2019

              • RM-9.1.8

                Licensees must ensure that the cyber security risk management function is headed by suitably qualified Chief Information Security Officer (CISO), with appropriate authority to implement the Cyber Security strategy.

                Amended: January 2022
                Added: October 2019

              • RM-9.1.9

                Licensees may establish a cyber security committee that is headed by an independent senior manager from a control function (like CFO / CRO), with appropriate authority to approve policies and frameworks needed to implement the cyber security strategy, and act as a governance committee for the cyber security function. Membership of this committee should include senior management members from business functions, IT, Risk and Compliance.

                Amended: January 2022
                Added: October 2019

              • RM-9.1.10

                The senior management must be responsible for the following activities:

                (a) Create the overall cyber security risk management framework and adequately oversee its implementation;
                (b) Formulate an organisation-wide cyber security strategy and cyber security policy;
                (c) Implement and consistently maintain an integrated, organisation-wide, cyber security risk management framework, and ensure sufficient resource allocation;
                (d) Monitor the effectiveness of the implementation of cyber security risk management practices and coordinate cyber security activities with internal and external risk management entities;
                (e) Ensure that internal management reporting caters to cyber threats and cyber security risk treatment;
                (f) Prepare quarterly or more frequent reports on all cyber incidents (internal and external) and their implications on the licensee; and
                (g) Ensure that processes for identifying the cyber security risk levels across the licensee are in place and annually evaluated.
                Amended: January 2022
                Added: October 2019

              • RM-9.1.11

                The senior management must ensure that:

                (a) The licensee has identified clear internal ownership and classification for all information assets and data;
                (b) The licensee has maintained an inventory of the information assets and data which is reviewed and updated regularly;
                (c) The cyber security staff are adequate to manage the licensee’s cyber security risks and facilitate the performance and continuous improvement of all relevant cyber security controls;
                (d) It provides and requires cyber security staff to attend regular cyber security update and training sessions (for example Security+, CEH, CISSP, CISA, CISM, CCSP) to stay abreast of changing cyber security threats and countermeasures.
                Amended: January 2022
                Added: October 2019

              • RM-9.1.12

                With respect to Subparagraph RM-9.1.11(a), data classification entails analyzing the data the licensee retains, determining its importance and value, and then assigning it to a category. When classifying data, the following aspects of the policy should be determined:

                a) Who has access to the data;
                b) How the data is secured;
                c) How long the data is retained (this includes backups);
                d) What method should be used to dispose of the data;
                e) Whether the data needs to be encrypted; and
                f) What use of the data is appropriate.

                The general guideline for data classification is that the definition of the classification should be clear enough so that it is easy to determine how to classify the data. In other words, there should be little (if any) overlap in the classification definitions. The owner of data (i.e. the relevant business function) should be involved in such classification.

                Amended: January 2022
                Added: October 2019

        • Cyber Security Strategy

          • RM-9.1.13

            An organisation-wide cyber security strategy must be defined and documented to include:

            (a) The position and importance of cyber security at the licensee;
            (b) The primary cyber security threats and challenges facing the licensee;
            (c) The licensee’s approach to cyber security risk management;
            (d) The key elements of the cyber security strategy including objectives, principles of operation and implementation approach;
            (e) Scope of risk identification and assessment, which must include the dependencies on third party service providers;
            (f) Approach to planning response and recovery activities; and
            (g) Approach to communication with internal and external stakeholders including sharing of information on identified threats and other intelligence among industry participants.
            Amended: January 2022
            Added: October 2019

          • RM-9.1.14

            The cyber security strategy should be communicated to the relevant stakeholders and it should be revised as necessary and, at least, once every three years. Appendix A provides cyber security control guidelines that can be used as reference to support the licensee’s cyber security strategy and cyber security policy.

            Amended: January 2022
            Added: October 2019

        • Cyber Security Policy

          • RM-9.1.15

            Licensees must implement a written cyber security policy setting forth its policies for the protection of its electronic systems and client data stored on those systems, which must be reviewed and approved by the licensee's senior management, as appropriate, at least annually. The cyber security policy areas including but not limited to the following must be addressed:

            (a) Definition of the key cyber security activities within the licensee, the roles, responsibilities, delegated powers and accountability for these activities;
            (b) A statement of the licensee’s overall cyber risk tolerance as aligned with the licensee’s business strategy. The cyber risk tolerance statement should be developed through consideration of the various impacts of cyber threats including customer impact, service downtime, potential negative media publicity, potential regulatory penalties, financial loss, and others;
            (c) Definition of main cyber security processes and measures and the approach to control and assessment;
            (d) Policies and procedures (including process flow diagrams) for all relevant cyber security functions and controls including the following:
            (a) Asset management (Hardware and software);
            (b) Incident management (Detection and response);
            (c) Vulnerability management;
            (d) Configuration management;
            (e) Access management;
            (f) Third party management;
            (g) Secure application development;
            (h) Secure change management;
            (i) Cyber training and awareness;
            (j) Cyber resilience (business continuity and disaster planning); and
            (k) Secure network architecture.

             

            Amended: January 2022
            Added: October 2019

        • Approach, Tools and Methodology

          • RM-9.1.16 RM-9.1.16

            Licensees must ensure that the cyber security policy is effectively implemented through a consistent risk-based approach using tools and methodologies that are commensurate with the size and risk profile of the licensee. The approach, tools and methodologies must cover all cyber security functions and controls defined in the cyber security policy.

            Amended: January 2022
            Added: October 2019

            • RM-9.1.17

              Licensees should establish and maintain plans, policies, procedures, process and tools (“playbooks”) that provide well-defined, organised approaches for cyber incident response and recovery activities, including criteria for activating the measures set out in the plans and playbooks to expedite the licensee’s response time. Plans and playbooks should be developed in consultation with business lines to ensure business recovery objectives are met and are approved by senior management before broadly shared across the licensee. They should be reviewed and updated regularly to incorporate improvements and/or changes in the licensee. Licensees may enlist external subject matter experts to review complex and technical content in the playbook, where appropriate. A number of plans and playbooks should be developed for specific purposes (e.g. response, recovery, contingency, communication) that align with the overall cyber security strategy.

               

              Added: January 2022

        • Prevention Controls

          • RM-9.1.18

            A Licensee must develop and implement preventive measures across all relevant technologies to minimise the licensee’s exposure to cyber security risk. Such preventive measures must include, at a minimum, the following:

            (a) Deployment of End Point Protection (EPP) and Endpoint Detection and Response (EDR) including anti-virus software and anti-malware programs to detect, prevent, and isolate malicious code;
            (b) Use of firewalls for network segmentation including use of Web Application Firewalls (WAF), where relevant, for filtering and monitoring HTTP traffic between a web application and the Internet, and access control lists to limit unauthorized system access between network segments;
            (c) Rigorous security testing at software development stage as well as after deployment to limit the number of vulnerabilities;
            (d) Use of a secure email gateway to limit email based cyber attacks such as malware attachments, malicious links, and phishing scams (for example use of Microsoft Office 365 Advanced Threat Protection tools for emails);
            (e) Use of a Secure Web Gateway to limit browser based cyber-attacks, malicious websites and enforce organization policies;
            (f) Creating a list of whitelisted applications and application components (libraries, configuration files, etc.) that are authorized to be present or active on the organization’s systems; and
            (g) Implementing Bring Your Own Device “BYOD” security policies to secure all mobile devices with any access to licensee systems, applications, and networks through security measures such as encryption, remote wipe capabilities, and password enforcement.

             

            Added: January 2022

          • RM-9.1.19

            Licensees should also implement the following prevention controls in the following areas:

            (a) Data leakage prevention to detect and prevent confidential data from leaving the licensee’s technology environment;
            (b) to Controls or solutions to secure, control, manage and monitor privileged access to critical assets, (e.g. Privileged Access Management (PAM))
            (c) Controls to secure physical network ports against connection to computers which are unauthorised to connect to the licensee’s network or which do not meet the minimum-security requirements defined for licensee computer systems (e.g. Network access control); and
            (d) Identity and access management controls to limit the exploitation and monitor the use of privileged and non-privileged accounts.

             

            Added: January 2022

          • RM-9.1.20

            Licensees must set up anti-spam and anti-spoofing measures to authenticate the licensee’s mail server and to prove to ISPs, mail services and other receiving mail servers that senders are truly authorized to send the email. Examples of such measures include:

            • SPF “Sender Policy Framework”;
            • DKIM “Domain Keys Identified Mail”; and
            • DMARC “Domain-based Message Authentication, Reporting and Conformance”.

             

            Added: January 2022

          • RM-9.1.21

            Licensees should subscribe to one of the Cyber Threat Intelligence services in order to stay abreast of emerging cyber threats, cybercrime actors and state of the art tools and security measures.

             

            Added: January 2022

          • RM-9.1.22

            Licensees must use a single unified private email domain or its subdomains for communication with customers to prevent abuse by third parties. Licensees must not utilise third-party email provider domains for communication with customers. The email domains must comply with the requirements with respect to SPF, DKIM and DMARC in this Module. With respect to URLs or other clickable links in communications with customers, licensees must comply with the following requirements:

            (a) Limit the use of links in SMS and other short messages (such as WhatsApp) to messages sent as a result of customer request or action. Examples of such customer actions include verification links for customer onboarding, payment links for customer-initiated transactions etc;
            (b) Refrain from using shortened links in communication with customers;
            (c) Implement one or more of the following measures for links sent to customers:
            i. ensure customers receive clear instructions in communications sent with the links;
            ii. prior notification to the customer such as through a phone call informing the customer to expect a link from the licensee;
            iii. provision of transaction details such as the transaction amount and merchant name in the message sent to the customer with the link;
            iv. use of other verification measures like password or biometric authentication; and
            (d) Create customer awareness campaigns to educate their customers on the risk of fraud related to links they receive in SMS, short messages and emails with clear instructions to customers that licensees will not send clickable links in SMS, emails and other short messages to request information or payments unless it is as a result of customer request or action.
            Amended: October 2022
            Added: January 2022

          • RM-9.1.22A

            For the purpose of Paragraph RM-9.1.22, subject to CBB’s approval, licensees may be allowed to use additional domains for email communications with customers under certain circumstances. Examples of such circumstances include emails sent to customers by:

            (a) Head/regional office of a licensee; and
            (b) Third-party service providers subject to prior arrangements being made with customers. Examples of such third-party services include informational subscription services (e.g. Bloomberg) and document management services (e.g. DocuSign).
            Added: October 2022

        • Cyber Risk Identification and Assessments

          • RM-9.1.23

            Licensees must conduct periodic assessments of cyber threats. For the purpose of analysing and assessing current cyber threats relevant to the licensee, it should take into account the factors detailed below:

            (a) Cyber threat entities including cyber criminals, cyber activists, insider threats;
            (b) Methodologies and attack vectors across various technologies including cloud, email, websites, third parties, physical access, or others as relevant;
            (c) Changes in the frequency, variety, and severity of cyber threats relevant to the region;
            (d) Dark web surveillance to identify any plot for cyber attacks;
            (e) Examples of cyber threats from past cyber attacks on the licensee if available; and
            (f) Examples of cyber threats from recent cyber attacks on other organisations.

             

            Added: January 2022

          • RM-9.1.24

            Licensees must conduct periodic assessments of the maturity, coverage, and effectiveness of all cyber security controls. Cyber security control assessment must include an analysis of the controls’ effectiveness in reducing the likelihood and probability of a successful attack.

             

            Added: January 2022

          • RM-9.1.25

            Licensees should ensure that the periodic assessments of cyber threats and cyber security controls cover all critical technology systems. A risk treatment plan should be developed for all residual risks which are considered to be above the licensee’s risk tolerance levels.

             

            Added: January 2022

          • RM-9.1.26

            Licensees must conduct regular technical assessments to identify potential security vulnerabilities for systems, applications, and network devices. The vulnerability assessments must be comprehensive and cover internal technology, external technology, and connections with third parties. for external public facing services and systems must be more frequent.

             

            Added: January 2022

          • RM-9.1.27

            With respect to Paragraph RM-9.1.25, external technology refers to the licensee’s public facing technology such as websites, apps and external servers. Connections with third parties includes any API or other connections with fintech companies, technology providers, outsourcing service providers etc.

             

            Added: January 2022

          • RM-9.1.28

            Licensees must have in place vulnerability and patch management processes which include remediation processes to ensure that the vulnerabilities identified are addressed and that security patches are applied where relevant within a timeframe that is commensurate with the risks posed by each vulnerability.

             

            Added: January 2022

          • RM-9.1.29

            All licensees must perform penetration testing of their systems, applications, and network devices to verify the robustness of the security controls in place at least once a year. These tests must be used to simulate real world cyber-attacks on the technology environment and must:

            (a) Follow a risk-based approach based on an internationally recognized methodology, such as National Institute of Standards and Technology “NIST” and Open Web Application Security Project “OWASP”;
            (b) Include both Grey Box and Black Box testing in its scope;
            (c) Be conducted by qualified and experienced security professionals who are certified in providing penetration testing services;
            (d) Be performed by internal and external independent third parties who are rotated out at least every two years; and
            (e) Be performed on either the production environment or on non-production exact replicas of the production environment.

             

            Added: January 2022

          • RM-9.1.30

            CBB may require additional third-party security reviews to be performed as needed.

             

            Added: January 2022

          • RM-9.1.31

            The tests referred to in Paragraph RM-9.1.29 must be conducted each year in June and the report on such testing must be submitted to the CBB before 30th September. The penetration testing reports must include the vulnerabilities identified and a full list of ‘passed’ tests and ‘failed’ tests together with the steps taken to mitigate the risks identified.

             

            Added: January 2022

        • Cyber Incident Detection and Management

          • RM-9.1.32

            Licensees must implement cyber security incident management processes to ensure timely detection, response and recovery for cyber security incidents. This includes implementing a monitoring system for log correlation and anomaly detection.

             

            Added: January 2022

          • RM-9.1.33

            Licensees should receive data on a real time basis from all relevant systems, applications, and network devices including operational and business systems. The monitoring system should be capable of identifying indicators of cyber incidents and initiate alerts, reports, and response activities based on the defined cyber security incident management process.

             

            Added: January 2022

          • RM-9.1.34

            Licensees should retain the logs and other information from the monitoring system for detecting cyber incidents, including "low-and-slow" attacks, in order to facilitate incident investigations, for 12 months or longer.

             

            Added: January 2022

          • RM-9.1.35

            Once a cyber incident is detected, licensees should activate their containment measures, processes and technologies best suited to each type of cyber incident to prevent a cyber incident from inflicting further damage. This may involve, after considering the costs, business impact and operational risks, shutting down or isolating all or affected parts of their systems and networks as deemed necessary for containment and diagnosis.

             

            Added: January 2022

          • RM-9.1.36

            Licensees must define roles and responsibilities and assign adequate resources to detect, identify, investigate and respond to cyber incidents that could impact the licensee’s infrastructure, services and customers. Such responsibilities must include log correlation, anomaly detection and maintaining the licensee’s asset inventory and network diagrams.

             

            Added: January 2022

          • RM-9.1.37

            Licensees must regularly identify, test, review and update current cyber security risk scenarios and the corresponding response plan. This is to ensure that the scenarios and response plan remain relevant and effective, taking into account changes in the operating environment, systems or the emergence of new cyber security threats. If any gaps are identified, the monitoring system must be updated with new use cases and rule sets which are capable of detecting the current cyber incident scenarios.

             

            Added: January 2022

          • RM-9.1.38

            The cyber incident scenario tests should include high-impact-low-probability events and scenarios that may result in failure. Common cyber incident scenarios include distributed denial of service (DDoS) attacks, system intrusion, data exfiltration and system disruption. Licensees should regularly use threat intelligence to update the scenarios so that they remain current and relevant. Licensees should periodically review current cyber incident scenarios for the purpose of assessing the licensee’s ability to detect and respond to these scenarios if they were to occur.

             

            Added: January 2022

          • RM-9.1.39

            Licensees must ensure that critical cyber security incidents detected are escalated to an incident response team, management and the Board, in accordance with the licensee’s business continuity plan and crisis management plan, and that an appropriate response is implemented promptly. See also Paragraph RM-9.1.58 for the requirement to report to CBB.

             

            Added: January 2022

          • RM-9.1.40

            Licensees should clearly define the roles, responsibilities and accountabilities for cyber incident detection and response activities to one or more named individuals that meet the pre-requisite role requirements. Potential conflicts of interest are minimised by ensuring a separation of implementation and oversight roles where possible. The roles should include:

            • Incident Owner: An individual that is responsible for handling the overall cyber incident detection and response activities according to the incident type and services affected. The Incident Owner is delegated appropriate authority to manage the mitigation or preferably, removal of all impacts due to the incident.
            • Spokesperson: An individual, from External Communications Unit or another suitable department, that is responsible for managing the communications strategy by consolidating relevant information and views from subject matter experts and the licensee’s management to update the internal and external stakeholders with consistent information.
            • Record Keeper: An individual that is responsible for maintaining an accurate record of the cyber incident throughout its different phases, as well as documenting actions and decisions taken during and after a cyber incident. The record serves as an accurate source of reference for after-action reviews to improve future cyber incident detection and response activities.

             

            Added: January 2022

          • RM-9.1.41

            For the purpose of managing a critical cyber incident, the licensee should operate a situation room, and should include in the incident management procedure a definition of the authorities and responsibilities of staff members, internal and external reporting lines, communication channels, tools and detailed working procedures. The situation room or a war room is a physical room or a virtual room where relevant members of the management gather to handle a crisis in the most efficient manner possible.

             

            Added: January 2022

          • RM-9.1.42

            Licensees should record and document in an orderly manner the incidents that have been handled and the actions that were taken by the relevant functions. In particular, the licensee should maintain an "incident log" in which all the notifications, decisions and actions taken, in relation to cyber incidents, are documented, as close as possible to the time of their occurrence. It should also include the status of the issue whether it is open or has been resolved and person in charge of resolving the issue/incident. The logs should be stored and preserved in a secure and legally admissible manner.

             

            Added: January 2022

          • RM-9.1.43

            Licensees should utilise pre-defined taxonomy for classifying cyber incidents according to, for example, the type of incident, threat actors, threat vectors and repercussions; and a pre-established severity assessment framework to help gauge the severity of the cyber incident. For example, taxonomies that can be used when describing cyber incidents:

            (a) Describe the cause of the cyber incident (e.g. process failure, system failure, human error, external event, malicious action)
            (b) Describe whether the cyber incident due to a third-party service provider
            (c) Describe the attack vector (e.g. malware, virus, worm, malicious hyperlink)
            (d) Describe the delivery channel used (e.g. e-mail, web browser, removable storage media)
            (e) Describe the impact (e.g. service degradation/disruption, service downtime, potential impact to customers, data leakage, unavailability of data, data destruction/corruption, tarnishing of reputation)
            (f) Describe the type of incident (e.g. zero-day attack, exploiting a known vulnerability, isolated incident)
            (g) Describe the intent (e.g. malicious, theft, monetary gain, fraud, political, espionage, opportunistic)
            (h) Describe the threat actor (e.g. script kiddies, amateur, criminal syndicate, hacktivist, nation state)

            The cyber incident severity may be classified as:

            (a) Severity 1 incident has or will cause a serious disruption or degradation of critical service(s) and there is potentially high impact on public confidence in the licensee.
            (b) Severity 2 incident has or will cause some degradation of critical services and there is medium impact on public confidence in the licensee.
            (c) Severity 3 incident has little or no impact to critical services and there is no visible impact on public confidence in the licensee.

             

            Added: January 2022

          • RM-9.1.44

            Licensees should determine the effects of the cyber incident on customers and to the wider financial system as a whole and report the results of such an assessment to CBB if it is determined that the cyber incident may have a systemic impact.

             

            Added: January 2022

          • RM-9.1.45

            Licensees should establish metrics to measure the impact of a cyber incident and to report to management the performance of response activities. Examples include:

            1. Metrics to measure impact of a cyber incident
            (a) Duration of unavailability of critical functions and services
            (b) Number of stolen records or affected accounts
            (c) Volume of customers impacted
            (d) Amount of lost revenue due to business downtime, including both existing and future business opportunities
            (e) Percentage of service level agreements breached
            2. Performance metrics for incident management
            (a) Volume of incidents detected and responded via automation
            (b) Dwell time (i.e. the duration a threat actor has undetected access until completely removed)
            (c) Recovery Point objectives (RPO) and recovery time objectives (RTO) satisfied

             

            Added: January 2022

        • Recovery

          • RM-9.1.46

            Licensees must identify the critical systems and services within its operating environment that must be recovered on a priority basis in order to provide certain minimum level of services during the downtime and determine how much time the licensee will require to return to full service and operations.

             

            Added: January 2022

          • RM-9.1.47

            Critical incidents are defined as incidents that trigger the BCP and the crisis management plan. Critical systems and services are those whose failure can have material impact on any of the following elements:

            a) Financial situation;
            b) Reputation;
            c) Regulatory, legal and contractual obligations; and
            d) Operational aspects and delivery of key products and services.

             

            Added: January 2022

          • RM-9.1.48

            Licensees must define a program for recovery activities for timely restoration of any capabilities or services that were impaired due to a cyber security incident. Licensees must establish recovery time objectives (“RTOs”), i.e. the time in which the intended process is to be covered, and recovery point objectives (“RPOs”), i.e. point to which information used must be restored to enable the activity to operate on resumption”. Licensees must also consider the need for communication with third party service providers, customers and other relevant external stakeholders as may be necessary.

             

            Added: January 2022

          • RM-9.1.49

            Licensees must ensure that all critical systems are able to recover from a cyber security breach within the licensee’s defined RTO in order to provide important services or some level of minimum services for a temporary period of time.

             

            Added: January 2022

          • RM-9.1.50

            Licensees should validate that recovered assets are free of compromise, fully functional and meet the security requirements before returning the systems to normal business operations. This includes performing checks on data to ensure data integrity. In some cases, licensees may need to use backup data kept in a disaster recovery site or plan for the reconstruction of data from external stakeholders such as business partners and customers.

             

            Added: January 2022

          • RM-9.1.51

            Licensees must define a program for exercising the various response mechanisms, taking into account the various types of exercises such as attack simulations, "war games" and "table top" exercises, and with reference to the relevant stakeholders such as technical staff, crisis management team, decision-makers and spokespersons.

             

            Added: January 2022

          • RM-9.1.52

            Licensees must define the mechanisms for ensuring accurate, timely and actionable communication of cyber incident response and recovery activities with the internal stakeholders, including to the board or designated committee of the board.

             

            Added: January 2022

          • RM-9.1.53

            Licensee must ensure its business continuity plan is comprehensive and includes a recovery plan for its systems, operations and services arising from a cyber security incident.

             

            Added: January 2022

        • Cyber Security Insurance

          • RM-9.1.54

            Licensees must arrange to seek cyber risk insurance cover from a suitable insurer, following a risk-based assessment of cyber security risk is undertaken by the respective licensee and independently verified by the insurance company. The insurance policy may include some or all of the following types of coverage, depending on the risk assessment outcomes:

            a) Crisis management expenses, such as costs of notifying affected parties, costs of forensic investigation, costs incurred to determine the existence or cause of a breach, regulatory compliance costs, costs to analyse the insured’s legal response obligations;
            b) Claim expenses such as costs of defending lawsuits, judgments and settlements, and costs of responding to regulatory investigations; and
            c) Policy also provides coverage for a variety of torts, including invasion of privacy or copyright infringement. First-party coverages may include lost revenue due to interruption of data systems resulting from a cyber or denial of service attack and other costs associated with the loss of data collected by the insured.

             

            Added: January 2022

        • Training and Awareness

          • RM-9.1.55

            Licensees must evaluate improvement in the level of awareness and preparedness to deal with cyber security risk to ensure the effectiveness of the training programmes implemented.

             

            Added: January 2022

          • RM-9.1.56

            The licensee must ensure that all employees receive adequate training on a regular basis, in relation to cyber security and the threats they could encounter, such as through testing employee reactions to simulated cyber-attack scenarios. All relevant employees must be informed on the current cyber security breaches and threats. Additional training should be provided to ‘higher risk staff’.

             

            Added: January 2022

          • RM-9.1.57

            The licensees must ensure that role specific cyber security training is provided on a regular basis to relevant staff including:

            Executive board and senior management;
            Cyber security roles;
            IT staff; and
            Any high-risk staff as determined by the licensee.

             

            Added: January 2022

        • Reporting to CBB

          • RM-9.1.58

            Upon occurrence or detection of any cyber security incident, whether internal or external, that compromises customer information or disrupts critical services that affect operations, licensees must contact the CBB, immediately (within one hour), on 17547477 and submit Section A of the Cyber Security Incident Report (Appendix RM-1) to CBB’s cyber incident reporting email, incident.insurance@cbb.gov.bh, within two hours.

            Added: January 2022
            Amended: April 2022

          • RM-9.1.59

            Following the submission referred to in Paragraph RM-9.1.58, the licensee must submit to CBB Section B of the Cyber Security Incident Report (Appendix RM-1) within 10 calendar days of the occurrence of the cyber security incident. Licensees must include all relevant details in the report, including the full root cause analysis of the cyber security incident, its impact on the business operations and customers, and all measures taken by the licensee to stop the attack, mitigate its impact and to ensure that similar events do not recur. In addition, a weekly progress update must be submitted to CBB until the incident is fully resolved.

             

            Added: January 2022
            Amended: April 2022

          • RM-9.1.60

            With regards to the submission requirement mentioned in Paragraph RM-9.1.58, the licensee should submit the report with as much information as possible even if all the details have not been obtained yet.

             

            Added: January 2022

          • RM-9.1.61

            The penetration testing report as per Paragraph RM-9.1.29, along with the steps taken to mitigate the risks must be maintained by the licensee for a five-year period from the date of the report and must be provided to CBB

             

            Added: January 2022

        • Appendix A – Cyber Security Control Guidelines

          The Control Guidelines consists of five Core tasks which are defined below. These Functions are not intended to form a serial path or lead to a static desired end state. Rather, the Functions should be performed concurrently and continuously to form an operational culture that addresses the dynamic cyber security risk.

          Identify – Develop an organisation-wide understanding to manage cyber security risk to systems, people, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Cyber Security Risk Management Framework. Understanding the business context, the resources that support critical functions, and the related cyber security risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.

          Protect – Develop and implement appropriate safeguards to ensure delivery of critical services. The Protect Function supports the ability to limit or contain the impact of a potential cyber security incident.

          Detect – Develop and implement appropriate activities to identify the occurrence of a cyber security incident. The Detect Function enables timely discovery of cyber security events.

          Respond – Develop and implement appropriate activities to take action regarding a detected cyber security incident. The Respond Function supports the ability to contain the impact of a potential cyber security incident.

          Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cyber security incident. The Recover Function supports timely recovery to normal operations to reduce the impact from a cyber security incident.

          Below is a listing of the specific cyber security activities that are common across all critical infrastructure sectors:

          IDENTIFY

          Asset Management: The data, personnel, devices, systems, and facilities that enable the licensee to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the licensee’s risk strategy.

          1. Physical devices and systems within the licensee are inventoried.
          2. Software platforms and applications within the licensee are inventoried.
          3. Communication and data flows are mapped.
          4. External information systems are catalogued.
          5. Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value.
          6. Cyber security roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.

          Business Environment: The licensee’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cyber security roles, responsibilities, and risk management decisions.

          1. Priorities for the licensee’s mission, objectives, and activities are established and communicated.
          2. Dependencies and critical functions for delivery of critical services are established.
          3. Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations).

          Governance: The policies, procedures, and processes to manage and monitor the licensee’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cyber security risk.

          1. licensee’s cyber security policy is established and communicated.
          2. Cyber security roles and responsibilities are coordinated and aligned with internal roles and external partners.
          3. Legal and regulatory requirements regarding cyber security, including privacy and civil liberties obligations, are understood and managed.
          4. Governance and risk management processes address cyber security risks.

          Risk Assessment: The licensee understands the cyber security risk to licensee’s operations (including mission, functions, image, or reputation), licensee’s assets, and individuals.

          1. Asset vulnerabilities are identified and documented.
          2. Cyber threat intelligence is received from information sharing forums and sources.
          3. Threats, both internal and external, are identified and documented.
          4. Potential business impacts and likelihoods are identified.
          5. Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.
          6. Risk responses are identified and prioritized.

          Risk Management Strategy: The licensee’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

          1. Risk management processes are established, managed, and agreed to by licensee’s stakeholders.
          2. The licensee’s risk tolerance is determined and clearly expressed.
          3. The licensee’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis.

          Third Party Risk Management: The licensee’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing third party risk. The licensee has established and implemented the processes to identify, assess and manage supply chain risks.

          1. Cyber third-party risk management processes are identified, established, assessed, managed, and agreed to by the licensee’s stakeholders.
          2. Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber third-party risk assessment process.
          3. Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of a licensee’s cyber security program.
          4. Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
          5. Response and recovery planning and testing are conducted with suppliers and third-party providers.

          PROTECT

          Identity Management, Authentication and Access Control: Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.

          1. Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes.
          2. Physical access to assets is managed and protected.
          3. Remote access is managed.
          4. Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
          5. Network integrity is protected (e.g., network segregation, network segmentation).
          6. Identities are proofed and bound to credentials and asserted in interactions
          7. Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks).

          Awareness and Training: The licensee’s personnel and partners are provided cyber security awareness education and are trained to perform their cyber security-related duties and responsibilities consistent with related policies, procedures, and agreements.

          1. All users are informed and trained on a regular basis.
          2. Licensee’s security awareness programs are updated at least annually to address new technologies, threats, standards, and business requirements.
          3. Privileged users understand their roles and responsibilities.
          4. Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities.
          5. The Board and senior management understand their roles and responsibilities.
          6. Physical and cyber security personnel understand their roles and responsibilities.
          7. Software development personnel receive training in writing secure code for their specific development environment and responsibilities.

          Data Security: Information and records (data) are managed consistent with the licensee’s risk strategy to protect the confidentiality, integrity, and availability of information.

          1. Data-at-rest classified as critical or confidential is protected through strong encryption.
          2. Data-in-transit classified as critical or confidential is protected through strong encryption.
          3. Assets are formally managed throughout removal, transfers, and disposition
          4. Adequate capacity to ensure availability is maintained.
          5. Protections against data leaks are implemented.
          6. Integrity checking mechanisms are used to verify software, firmware, and information integrity.
          7. The development and testing environment(s) are separate from the production environment.
          8. Integrity checking mechanisms are used to verify hardware integrity.

          Information Protection Processes and Procedures: Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational units), processes, and procedures are maintained and used to manage protection of information systems and assets.

          1. A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality).
          2. A System Development Life Cycle to manage systems is implemented
          3. Configuration change control processes are in place.
          4. Backups of information are conducted, maintained, and tested.
          5. Policy and regulations regarding the physical operating environment for licensee’s assets are met.
          6. Data is destroyed according to policy.
          7. Protection processes are improved.
          8. Effectiveness of protection technologies is shared.
          9. Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.
          10. Response and recovery plans are tested.
          11. Cyber security is included in human resources practices (e.g., deprovisioning, personnel screening).
          12. A vulnerability management plan is developed and implemented.

          Maintenance: Maintenance and repairs of information system components are performed consistent with policies and procedures.

          1. Maintenance and repair of licensee’s assets are performed and logged, with approved and controlled tools.
          2. Remote maintenance of licensee’s assets is approved, logged, and performed in a manner that prevents unauthorized access.

          Protective Technology: Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

          1. Audit/log records are determined, documented, implemented, and reviewed in accordance with policy.
          2. Removable media is protected and its use restricted according to policy.
          3. The principle of least functionality is incorporated by configuring systems to provide only essential capabilities.
          4. Communications and control networks are protected.
          5. Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations.

          DETECT

          Anomalies and Events: Anomalous activity is detected and the potential impact of events is understood.

          1. A baseline of network operations and expected data flows for users and systems is established and managed.
          2. Detected events are analyzed to understand attack targets and methods.
          3. Event data are collected and correlated from multiple sources and sensors
          4. Impact of events is determined.
          5. Incident alert thresholds are established.

          Security Continuous Monitoring: The information system and assets are monitored to identify cyber security events and verify the effectiveness of protective measures.

          1. The network is monitored to detect potential cyber security events.
          2. The physical environment is monitored to detect potential cyber security events
          3. Personnel activity is monitored to detect potential cyber security events.
          4. Malicious code is detected.
          5. Unauthorized mobile code is detected.
          6. External service provider activity is monitored to detect potential cyber security events.
          7. Monitoring for unauthorized personnel, connections, devices, and software is performed.
          8. Vulnerability scans are performed at least quarterly.

          Detection Processes: Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.

          1. Roles and responsibilities for detection are well defined to ensure accountability.
          2. Detection activities comply with all applicable requirements.
          3. Detection processes are tested.
          4. Event detection information is communicated.
          5. Detection processes are continuously improved.

          RESPOND

          Response Planning: Response processes and procedures are executed and maintained, to ensure response to detected cyber security incidents. Response plan is executed during or after an incident.

          Communications: Response activities are coordinated with internal and external stakeholders.

          1. Personnel know their roles and order of operations when a response is needed.
          2. Incidents are reported consistent with established criteria.
          3. Information is shared consistent with response plans.
          4. Coordination with internal and external stakeholders occurs consistent with response plans.
          5. Voluntary information sharing occurs with external stakeholders to achieve broader cyber security situational awareness.
          6. Incident response exercises and scenarios across departments are conducted at least annually.

          Analysis: Analysis is conducted to ensure effective response and support recovery activities.

          1. Notifications from detection systems are investigated.
          2. The impact of the incident is understood.
          3. Forensics are performed.
          4. Incidents are categorized consistent with response plans.
          5. Processes are established to receive, analyze and respond to vulnerabilities disclosed to the licensee from internal and external sources (e.g. internal testing, security bulletins, or security researchers).

          Mitigation: Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.

          1. Incidents are contained.
          2. Incidents are mitigated.
          3. Newly identified vulnerabilities are mitigated or documented as accepted risks.

          Improvements: The response activities are improved by incorporating lessons learned from current and previous detection/response activities.

          1. Response plans incorporate lessons learned.
          2. Response strategies are updated.

          RECOVER

          Recovery Planning: Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cyber security incidents. Recovery plan is executed during or after a cyber security incident.

          Improvements: Recovery planning and processes are improved by incorporating lessons learned into future activities.

          1. Recovery plans incorporate lessons learned.
          2. Recovery strategies are updated.

          Communications: Restoration activities are coordinated with internal and external parties (e.g. coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors).

          1. Public relations are managed.
          2. Reputation is repaired after an incident.
          3. Recovery activities are communicated to internal and external stakeholders as well as executive and management teams.
          Added: January 2022