Saturday, September 21, 2019 / 10:49AM / Contributed by Hogan Lovells BSTL SC to ILO / Header Image Credit: JonesDay.com
Introduction
On 27 November 2018 the Ministry of Finance and Public Credit published in the Official Gazette a resolution modifying the general regulations that apply to banks. The resolution responds to the need to strengthen the regulatory framework applicable to banks, particularly with regard to cybersecurity and technological infrastructure. The changes aim to ensure that banks possess the tools necessary to respond to cyberattacks and other risks that could affect their operations. The resolution also aims to guarantee the confidentiality, integrity and availability of customer information.
Under the original regulations, a 'cybersecurity incident' was broadly defined as an event in which:
The resolution has amended the definition of 'users' sensitive information'. This is now defined as any information that identifies an individual, including their name, address, phone number and email address. In addition, it includes:
Technological infrastructure
The resolution has strengthened the regulations with regard to banks' technological infrastructure. For example, the amended regulations establish that any mechanism that allows for the creation of a fingerprint or other biometric database must first be approved by the bank's board of directors.
Further, new requirements regarding banks' technological infrastructure have been established. As regards non-discretionary quantifiable risks, a bank's risk committee must approve a system that classifies the bank's vulnerability to cybersecurity risks in terms of:
Likewise, risk committees must establish and implement policies and procedures for classifying and treating information based on the implied risk of the information's security being breached, for each of the bank's specific business units and other operational areas.
The CEO of a bank is now responsible for protecting its integrity and maintaining its technological infrastructure. CEOs must also oversee automated data protection systems and notify the National Banking and Securities Commission of any operational incidents which last more than one hour and:
constitute a failure in the technological infrastructure that supports the bank's branch or electronic banking services;
The notification must be made within one hour of discovering the incident.
Information security
A new section entitled "Information Security" has been added to the regulations. It establishes that CEOs are responsible for the implementation of an internal cybersecurity control system and provides a set of obligations in this regard.
CEOs must designate a chief information security officer (CISO) who will report directly to them. CISOs will be responsible for cybersecurity and for responding to any requirements set out by the legal authorities or the bank.
Cybersecurity incidents
Where a cybersecurity incident specified in the resolution occurs and the notification requirements are triggered, the CEO must immediately inform the National Banking and Securities Commission of the incident and undertake an investigation into its cause. The CEO must also implement a plan setting out the actions to be taken to eliminate or mitigate the risks and vulnerabilities that led to the incident. Even if there is no requirement for the bank to notify the commission, it must retain all of the records relating to the incident which are at its disposal.
In the case of a cybersecurity incident involving sensitive information in the possession of a bank or a third party that renders services to it, the CEO or the person designated by the CEO must notify the bank's clients of the possible loss, extraction, alteration or unauthorised access of their information. The notification must be made within 48 hours of the incident's occurrence or of the bank becoming aware of it.
Banks must maintain a database registry of incidents, failures or detected vulnerabilities in their technological infrastructure. This information must be backed up and kept for at least 10 years.
Although the resolution came into effect on 28 November 2018, different entry-into-force dates were established for the various obligations set out therein.
For further information on this topic please contact Federico De Noriega, Ana Rumualdo or David Amado at Hogan Lovells BSTL by email (federico.denoriega@hoganlovells.com, ana.rumualdo@hoganlovells.com or david.amado@hoganlovells.com).
Credits
The article "New cybersecurity rules for banks" first appeared in ILO Banking on January 18, 2019.