SUMMARIZED DRAFT GUIDANCE NOTE ON CYBER RISK
GUIDANCE NOTE ON CYBER RISK
STATEMENT OF POLICY
This Guidance Note outlines the minimum requirements that institutions shall build upon in the development and implementation of strategies, policies, procedures and related activities aimed at mitigating cyber risk. Therefore, the purpose of this Guidance Note is to:
• Create a safer and more secure cyberspace that underpins information system security priorities and promotes stability of the Kenyan banking sector;
• Establish a coordinated approach to the prevention and combating of cybercrime;
• Scale up the identification and protection of critical information infrastructure;
• Promote compliance with appropriate technical and operational cybersecurity standards;
• Develop requisite skills, continuously build capacity and promote a culture that fosters a strong interplay between policy, leveraging technology to do business, and risk management; and
• Maintain public trust and confidence in the financial system.
This Guidance Note sets the minimum standards that institutions should adopt to develop effective cybersecurity governance and risk management frameworks. It is not a replacement for and does not supersede the legislation, regulations and guidelines that institutions must comply with as part of their regulatory obligations; particularly in the areas of risk management, information communication technology, internal controls and corporate governance.
The board of directors and senior management of an institution are expected to formulate and implement Cyber Risk strategies, policy, procedures, guidelines and set minimum standards for an institution. All these must be documented and made available for review by external auditors and CBK.
Sources of Cybercrime
Cyber-attacks launched against information systems have placed the abuse of cyberspace high on the domestic as well as the international agenda. Some illustrations of cybercrime activities include:
• A breach of an institution’s databases exposing data to cyber criminals.
• Improper access to privileged accounts: a hacker who gains access to a privileged account could control the entire system, for example hiding criminal acts by modifying or deleting log files or disabling detection mechanisms.
• Interconnectedness of institutions could lead to compromise of an institution’s entry points, such as through service providers.
• Internal IT systems can themselves be a source of cyber risk. For example, data replication arrangements that are meant to safeguard business continuity could transfer malware or corrupted data to the backup systems.
• Poor authentication controls to protect customer data, transactions and systems.
PART III: SPECIFIC REQUIREMENTS
1) Board of Directors
All board members should understand the nature of their institution’s business and the cyber threats involved. Robust oversight and engagement on cyber risk matters at the board level promotes a security risk conscious culture within the institution. The responsibilities of the board in relation to cyber risk include:
1. Oversee the cultivation and promotion of an ethical governance, management culture and awareness. Setting the right ‘tone from the top’ is a crucial element in fostering a robust cyber risk management culture.
2. Engage management in establishing the institution’s vision, risk appetite and overall strategic direction with regards to cybersecurity.
3. Allocate an adequate cybersecurity budget based on the institution’s structure and the size of its cyber risk function.
4. Review management’s determination of whether the institution’s cybersecurity preparedness is aligned with its cyber risks.
5. Adopt an effective internal cybersecurity control framework, with submission of periodic independent reports.
6. Establish or review cyber security risk ownership and management accountability and assign ownership and accountability to relevant stakeholders; the coverage should include relevant business lines and not just the IT function.
7. Approve and continuously review the cybersecurity strategy, governance charter, policy and framework. The purpose of the cybersecurity strategy, policies and framework is to specify how to identify, manage, and mitigate cyber risks in a comprehensive and integrated manner. The strategy, policies and frameworks should be tailored based on the institution’s risk profile, size, complexity and nature of their business processes.
8. Ensure that the cyber security policy applies to all of the bank’s operating entities, including subsidiaries, joint ventures and geographic regions.
9. Review on a regular basis the implementation of the institution’s cyber security framework and implementation plan, including the adequacy of existing mitigating controls.
10. Incorporate cyber security as a standard agenda in Board meetings.
11. Review the results of management’s ongoing monitoring of the institution’s exposure to and preparedness for cyber threats.
2) Senior Management
Senior Management of an institution is responsible for implementing the institution’s business strategy within its risk appetite and for managing the cyber threats it faces. As such, Senior Management should:
1. Implement the board approved cybersecurity strategy, policy and framework.
2. Understand the institution’s cyber organizational scope and identify cyber threats, critical business processes and assets.
3. Put in place adequate business resilience arrangements for disaster recovery and business continuity.
4. Continuously improve collection, analysis, and reporting of cybercrime information.
5. Oversee deployment of strong authentication measures to protect customer data, transactions and systems.
6. Ensure the provision of a sufficient number of skilled staff for the management of cyber security, who should be subjected to enhanced background and security checks.
7. Ensure timely and regular reporting to the board on the cyber risk status of the institution.
8. Establish a cyber-security benchmarking framework with the Board’s endorsement.
9. Incorporate cyber security as a standard agenda in Senior Management meetings.
10. Provide regular reports of the institution’s cybersecurity posture to the board.
11. Document a cybersecurity incident response plan providing a roadmap for the actions the institution will take during and after a security incident. The plan should address, inter alia:
(1) the roles and responsibilities of staff;
(2) incident detection, assessment and reporting; and
(3) escalation and the strategies deployed.
12. Collaborate with other institutions and the security agencies to share the latest cyber threats/attacks encountered by the institution.
3) Chief Information Security Officer (CISO)
As cyber-attacks evolve and place institutions under threats such as information theft, CBK expects the leadership of institutions to ensure strategic means are incorporated so as to enable a proactive approach to cybersecurity. One of the strategic measures globally accepted and acknowledged by CBK has been the introduction of the role of the Chief Information Security Officer (CISO). This role is aimed at creating an organizational culture of shared cyber risk ownership. The CISO is responsible for:
1. Overseeing and implementing the institution’s cybersecurity program and enforcing the cybersecurity policy.
2. Ensuring that the institution maintains a current enterprise-wide knowledge base of its users, devices, applications and their relationships, including but not limited to:
• software and hardware asset inventory;
• network maps (including boundaries, traffic and data flow); and
• network utilization and performance data.
3. Ensuring that information systems meet the needs of the institution, and the ICT strategy, in particular information system development strategies, comply with the overall business strategies, risk appetite and ICT risk management policies of the institution.
4. Designing cyber security controls with consideration of users at all levels of the organization, including internal users (i.e. management and staff) and external users (i.e. contractors/consultants, business partners and service providers).
5. Organizing professional cyber related trainings to improve technical proficiency of staff.
6. Conducting regular and comprehensive cyber risk assessments that consider people (i.e. employees, customers, outsourcing and other external parties), processes, data, technology across all its business lines and locations.
7. Monitoring current and emerging cyber risks.
8. Maintaining comprehensive cyber risk registers. Risk identification should be forward looking and include security incident handling.
9. Reporting to the board on an agreed interval but not less than once per quarter on the following:
• Assessment of the confidentiality, integrity and availability of the information systems in the institution.
• Detailed exceptions to the approved cybersecurity policies and procedures.
• Cyber risk identification.
• Assessment of the effectiveness of the approved cybersecurity program.
• All material cybersecurity events that affected the institution during the period.
10. Ensuring timely update of the incident response mechanism and Business Continuity Plan (BCP) based on the latest cyber threat intelligence gathered.
11. Incorporating the use of scenario analysis to consider a material cyber-attack and its mitigating actions, and to identify potential control gaps.
12. Ensuring frequent data backups of critical IT systems (e.g. real-time backup of changes made to critical data) are carried out to a separate storage location.
13. Ensuring the roles and responsibilities for managing cyber risks, including in emergency or crisis decision-making, are clearly defined, documented and communicated to relevant staff.
14. Continuously testing disaster recovery and Business Continuity Plan (BCP) arrangements to ensure that the institution can continue to function and meet its regulatory obligations in the event of an unforeseen cyber-crime attack.
3.2 Regular Independent Assessment and Test
The understanding of the cyber threat landscape within institutions requires a collaborative approach that encompasses the following functions: Internal Audit, Risk Management and External Audit. Institutions should engage external consultants with sufficient cyber security expertise to assist in understanding their cyber threat landscape.
3.2.1 Roles of Internal Auditors
All institutions should incorporate qualified Information and Communication Technology (ICT) Auditors within the Internal Audit team. The institution’s internal IT auditors should ensure that the audit scope includes, but is not limited to, the tasks below:
1. Continuously review the cyber risks and controls of the ICT systems within the institution and of related third-party connections.
2. Assess both the design and effectiveness of the cyber security framework implemented.
3. Conduct regular independent threat and vulnerability assessment tests.
4. Report to the board the findings of the assessments.
3.2.2 Roles of External Auditors
External auditors should ensure that the IT audit scope includes, but is not limited to:
1. Obtaining an understanding of the institution’s IT infrastructure, use of IT and the impact of IT on the financial statements.
2. Understanding the extent of the institution’s automated controls as they relate to financial reporting. This should include an understanding of:
• IT general controls that affect the automated controls.
• Reliability of data and reports used in the audit that are produced by the institution.
3. Conduct an independent threat and vulnerability assessment.
4. Comprehensive review of the approved cybersecurity strategy and policy.
5. Conduct comprehensive penetration tests.
6. Report to the board and CBK on the findings of the assessments.
• Institutions should implement IT security awareness training programmes to provide information on good IT security practices, common threat types and the institution’s policies and procedures. The training should be provided to all employees.
• A formalized plan should be put in place to provide ongoing technical training to cyber security specialists within the institution.
• Cyber security awareness and information should be provided to the institution’s customers and clients as well.
PART IV: REPORTING
CBK is well aware of the fact that cyber risk will keep morphing due to the evolution of cyber threats in Kenya and across the globe. Therefore, CBK mandates all institutions to review their cybersecurity strategy, policy and framework regularly based on each institution’s threat and vulnerability assessment. All institutions are required to submit their Cyber Security Policy, strategies and frameworks to the Central Bank of Kenya by 31st August 2017.
An institution should also notify the Central Bank of Kenya immediately when it becomes aware of a cybersecurity incident that could have a significant and adverse impact on the institution’s ability to provide adequate services to its customers, its reputation or its financial condition.
In the event of any query or clarification, please contact:
Bank Supervision Department
Central Bank of Kenya
P. O. Box 60000 – 00200,