Now Reading:

New Cybersecurity Rules For Banks

Security & Support	1918 VIEWS
Security & Support
1918 VIEWS

Saturday, September 21, 2019 / 10:49AM / Contributed by Hogan Lovells BSTL SC to ILO / Header Image Credit: JonesDay.com

Introduction

On 27 November 2018 the Ministry of Finance and Public Credit published a resolution modifying the general regulations that apply to banks in the Official Gazette. The resolution responds to the need to strengthen the regulatory framework applicable to banks, particularly with regard to cybersecurity and technological infrastructure. The changes aim to ensure that banks possess the tools necessary to respond to cyberattacks and other risks that could affect their operations. The resolution also aims to guarantee the confidentiality, integrity and availability of customer information.

Definitions

Under the original regulations, a 'cybersecurity incident' was broadly defined as an event in which:

an institution's technological infrastructure was breached or put at risk; or
a bank's cybersecurity policies were violated.

The resolution has amended the definition of 'users' sensitive information'. This is now defined as any information that identifies an individual, including their name, address, phone number and email address. In addition, it includes:

an individual's:

bank card number;
bank account number;
credit limit;
bank balance; and
bank username and other authentication information; and

other data of a financial nature.

Technological infrastructure

The resolution has strengthened the regulations with regard to banks' technological infrastructure. For example, the amended regulations establish that any mechanism that allows for the creation of a fingerprint or other biometric database must first be approved by the bank's board of directors.

Further, new requirements regarding banks' technological infrastructure have been established. As regards non-discretionary quantifiable risks, a bank's risk committee must approve a system that classifies the bank's vulnerability to cybersecurity risks in terms of:

criticality;
probability of occurrence; and
impact.

Likewise, risk committees must establish and implement policies and procedures for classifying and treating information based on the implied risk of the information's security being breached for each of the bank's specific business units and other operational areas.

The CEO of a bank is now responsible for protecting its integrity and maintaining its technological infrastructure. CEOs must also oversee automated data protection systems and notify the National Banking and Securities Commission of any operational incidents which last more than one hour and:

constitute a failure in the technological infrastructure that supports the bank's branch or electronic banking services;

affect the critical components of said infrastructure (where the bank's business continuity plan has been fully or partially activated); and
affect 30% of the bank's branches, ATMs, point-of-sale terminals or the technological infrastructure of its commission agents' points of service.

The notification must be made within one hour of discovering the incident.

Information security

A new section entitled "Information Security" has been added to the regulations. It establishes that CEOs are responsible for the implementation of an internal cybersecurity control system and provides a set of obligations in this regard.

CEOs must designate a chief information security officer (CISO) who will directly report to them. CISOs will be responsible for cybersecurity and responding to any requirements set out by the legal authorities or the bank.

Cybersecurity incidents

Where a cybersecurity incident specified in the resolution occurs and the notification requirements are triggered, the CEO must immediately inform the National Banking and Securities Commission of the incident and undertake an investigation into the cause. The CEO must also implement a plan regarding the actions to be taken to eliminate or mitigate the risks and vulnerabilities that led to the incident. Even if there is no requirement for the bank to notify the commission, it must maintain all of the records relating to the incident which are at its disposal.

In the case of a cybersecurity incident involving sensitive information in the possession of a bank or a third party that renders services thereto, the CEO or the person designated thereby must notify the bank's clients of the possible loss, extraction, alteration or unauthorised access of their information. The notification must be made within 48 hours of the incident's occurrence or the bank becoming aware of it.

Banks must maintain a database registry of incidents, failures or detected vulnerabilities in their technological infrastructure. This information must be backed up and kept for at least 10 years.

Comment

Although the resolution came into effect on 28 November 2018, different entry into force dates were established for the various obligations established therein.