Barbados urges banks to bolster cyber resilience with new guideline
- Bartlett D. Morgan, CIPP/E
The Central Bank of Barbados (“CBB”) recently published its Technology and Cyber Risk Management Guideline (“Guideline”). The CBB, which regulates more than 30 banking institutions in the Caribbean country, says the Guideline is in response to the demonstrated importance of information technology as a business function, and, concurrently, the increasing number of people banking online. Not only does the Guideline require banks to implement a cyber risk framework, it holds them responsible for ensuring the framework’s resilience and robustness in protecting customer data. The aim of the Guideline, therefore, is to standardize cyber risk management procedures.
Perhaps in recognition of the still-emerging nature of cyber risk as a business consideration, the Guideline opens with a ten-page cyber lexicon. This glossary, which precedes the statement of purpose, sets out the meanings of terms ranging from the straightforward ‘asset’ to the harder-to-pin-down ‘cyber resilience.’ Many of the definitions directly mirror those found in globally accepted privacy, cyber and risk standards from bodies such as NIST and ISO.
The ‘Application and Scope’ section of the Guideline requires organizations to build a cyber risk management framework based on individual attributes, such as scale of data processing. The Guideline, however, cautions that “where material deviations from this Guideline are contemplated, licensees must demonstrate to the Bank that the alternative measures have at least an equivalent effect of ensuring strong and effective cyber resilience.”
Following the Oversight section, the Guideline’s main areas of focus are Operational IT Risk Guidelines, IT Service Management, Operational Infrastructure Security Management, and Online Financial Services.
Emphasis on Cyber Resilience
The Guideline, in line with current thinking in cybersecurity, places heavy emphasis on cyber resilience. References to resilience appear 27 times in the 58-page document.
Cyber resilience is defined in the Guideline as “the ability of an organization to continue to carry out its mission by anticipating and adapting to cyber threats and other relevant changes in the environment and by withstanding, containing and rapidly recovering from cyber incidents.”
The requirement to build cyber resilience into a bank’s operations is extraterritorial: banks governed by the CBB must implement the Guideline in their overseas branches and majority-owned subsidiaries as well.
Responsibility for the ongoing shoring up of cyber resilience, as a key component of cyber risk management, lies squarely with the board and senior management of each bank. The Guideline grounds this in the importance of IT to the business and the potential fallout from systems failures.
Mandatory vs Non-mandatory Provisions
The Guideline deploys a mixture of mandatory and non-mandatory provisions, signalled by the use of ‘should’ and ‘may’ respectively. For example, on System Availability, Reliability and Recovery, the Guideline states that “licensees should ensure that their business continuity plans are updated, and that the recovery site can adequately support all key systems in the production environment.” By contrast, it observes that “licensees may employ a number of complex interdependent systems and network components for their IT processing.”
In addressing incidents under IT Service Management, the Guideline states that licensees should establish the roles of staff members involved in incident management. However, “licensees may delegate the function of determining incident severity levels to a centralized technical help desk function.”
Similar distinctions are made in the succeeding sections on Management of IT Outsourcing Risks, Internet of Things, and Information and Intelligence Sharing.
The Guideline requires banks to classify incidents within 24 hours of detection, according to the perceived severity of the incident. Where an incident is deemed major, an initial report must be made to the CBB within four hours of that classification. The Guideline adds, however, that the CBB should be contacted immediately where an incident is classified as major, or where news of the incident reaches the media.
Compliance with Data Protection Act
The Barbados Data Protection Act (“DPA”) places a higher compliance burden on entities processing sensitive personal data. Financial records of data subjects constitute sensitive personal data under the DPA. Banks, which process financial records as a matter of course, therefore already carry this higher compliance burden.
The Guideline is expected to dovetail with and supplement the existing DPA obligations of banks governed by the CBB. Several provisions of the Guideline presuppose compliance with the DPA. For example, in discussing the outsourcing of IT functions, the Guideline states that the licensee remains fully responsible for compliance with ‘regulatory requirements.’ Additionally, the Guideline requires banks to maintain an information security policy that includes ‘reporting security incidents to the regulator’.
Similar guidelines are now being drafted by the Financial Services Commission (“FSC”), which regulates non-banking financial institutions. The draft regulations being developed by the FSC are expected to have a scope similar to that of the Guideline.
Article provided by INPLP member: Bartlett Morgan (Chancery Advocates, Barbados)
Dr. Tobias Höllwarth (Managing Director INPLP)