Financial institutions should view building their cyber risk framework as an ongoing process in which they respond to both internal threats and those which affect affiliates and competitors.
This is the view of the Central Bank of Barbados’ Deputy Director, Bank Supervision, Tamara Hurley, who was one of the panellists for “Not If, But When: Managing Cyber-Risk in Barbados' Financial Sector,” an online discussion hosted by the Bank and fellow regulator the Financial Services Commission (FSC).
Hurley pointed out that while cyber risk affects any type of organisation, financial institutions are particularly vulnerable because they rely heavily on technology, and they house significant personal data.
She said while entities can’t completely eliminate cyber risk, they can reduce their exposure and minimise the effect of cyberthreats on their operations.
The deputy director revealed that the Bank issued a technology and cyber risk management guideline and major incident reporting template for licensees last year.
“This guideline details the standard that we expect for cyber risk management and, as with all of our guidelines, we expect licensees to consider the nature, types of products and services, the complexity, and their size in applying systems and processes to comply with the various requirements,” Hurley said.
Fellow panellist Shonté Chandler, Analyst, Credit Unions at the FSC, said phishing, ransomware, and bank identification number (BIN) attacks are the most common cyber incidents the sector is reporting.
She said the FSC has a three-step reporting process for its registrants that is similar to the Bank’s, explaining that in the event of a cyberthreat, entities must submit an initial report, an intermediate report, and a final report.
“The severity of the incident should be classified within 24 hours of its detection. Registrants should be prepared to submit any additional documents required by the regulator… as well as to follow up on any requests or clarifications made by the regulator,” Chandler said.
She noted that the initial report should be submitted within four hours from the moment the cyber incident has been classified as major. If the entity has not been able to contain the incident within five working days, it needs to file an intermediate report.
The final report becomes necessary when the registrant has fully contained the incident and all systems are back to normal.
Chandler said the FSC sent a technology and cyber risk questionnaire to credit unions last year to analyse their network security mechanisms. The regulator is finalising a similar tool for insurance companies and entities regulated under the Securities Act.