Financial stability report’s findings prompt Central Bank cyberattack rules

The Central Bank of Barbados has implemented stringent new regulations requiring commercial banks to report major cyber incidents within four hours of discovery, as part of efforts to bolster cybersecurity in the nation’s financial industry.

The measure, detailed in the just released 2023 Financial Stability Report, comes as an increasing number of Barbadians adopt online banking and electronic transactions.

Under the new rules, banks and large credit unions classified as “systemically important financial institutions” must report any major cyber incident to the Central Bank within four hours of the moment it is discovered to be a major attack.

According to the Central Bank, a major cyber incident is one that has a “material impact on the delivery of services or where critical systems have been extensively compromised”.

The Financial Stability Report, a joint analysis by the Central Bank and the Financial Services Commission (FSC), examines the operations of commercial banks, credit unions, mutual funds, occupational pension funds, insurance companies, real estate operations, and securities, the risks facing these institutions and their ability to withstand various shocks.

As the two regulators zeroed in on cyber risks, the report notes the vulnerability of finance houses to these challenges due to the “interconnections and interdependencies within the financial system and its operational systems”.

While in the past cyber attacks and similar risks were viewed as peculiar events that bothered internal IT infrastructure, it has become such an important threat that it required top level supervision and guidance by the Central Bank and the FSC.

According to the report, cyber attacks can target financial institutions, disrupting their operations, compromising sensitive data, and undermining the overall trust in the financial system.

Financial institutions are now required to classify cyber incidents in a timely manner; however, the Central Bank demands that licensees classify the cyber incident no later than within 24 hours of the moment it was detected and classified as major.

Institutions face serious penalties for non-compliance.

With increasing cyber attacks on businesses and financial enterprises including a ransomware attack in which the attacker demanded significant sums from the financial institution, the Central Bank issued a Technology and Cyber Risk Management Guideline and a Major Cyber Incident Reporting Template and Classification Matrix to the industry in 2023.

The guideline provides rules on the governance of cyber risk and the necessary controls needed to strengthen cyber security and resilience. Banks and specific financial institutions must now report any major cyber incidents to the Central Bank “in a uniform manner that facilitates the review and study of the root causes and potential problems that may result in a cyber incident”.

The reporting template which the Central Bank designed helps to “ensure clarity and accuracy in reporting by outlining the specific details and data that are needed, such as the incident’s impact, causes, and the licensee’s response”.

(IMC1)