All financial institutions in the country – that is, formal banks and other deposit-taking institutions – need to have appointed a Chief Information Security Officer (CISO) to their top management teams as part of new measures to curb cybercrime.
The Central Bank of Kenya (CBK) has issued new guidelines for cybersecurity for financial institutions operating in the country. The document, titled “Guidance Note on Cybersecurity for the Banking Sector” was published in August this year and sets November 30, 2017 as the deadline for financial institutions to implement the new cybersecurity guidelines.
The guidelines stipulate the minimum requirements that financial institutions need to build upon in the development and implementation of strategies, policies, procedures and related activities aimed at mitigating cyber risk.
To avoid creating ambiguity, CBK clarifies that the Guidance Note “is not a replacement for and does not supersede the legislation, regulations and guidelines that institutions must comply with as part of their regulatory obligations; particularly in risk management, outsourcing, ICT, internal controls and corporate governance.”
In this regard, the Guidance Note is intended, among other things, to: create a safer and more secure cyberspace that underpins information system security priorities and promotes the stability of the Kenyan banking sector; establish a coordinated approach to the prevention and combating of cybercrime; and scale up the identification and protection of critical information infrastructure. It also aims to promote compliance with appropriate technical and operational cybersecurity standards; enhance the development of requisite skills, continuously build capacity and promote a culture that fosters a strong interplay between policy, leveraging technology to do business, and risk management; and maintain public trust and confidence in the financial system.
According to the Guidance Note, the board of directors and senior management of an institution are expected to formulate and implement cybersecurity strategies, policies, procedures and guidelines, and to set minimum standards for the institution. All of these must be documented and made available for review by external auditors and CBK.
Among the key requirements is that financial institutions have on board a Chief Information Security Officer (CISO), a position which the regulator believes will help in “creating an organizational culture of shared cybersecurity ownership.”
“As cyber-attacks evolve, subjecting institutions to threats such as information theft, CBK expects the leadership of institutions to ensure strategic means are incorporated so as to enable a proactive approach to cybersecurity,” states the Guidance Note, adding:
“One of the strategic measures globally accepted and acknowledged by CBK has been the introduction of the role of the Chief Information Security Officer (CISO). This role is aimed at creating an organizational culture of shared cybersecurity ownership.”
In terms of the reporting structure within organizations and where the CISO will sit in the hierarchy, CBK states that each institution should determine the best reporting option for the CISO depending on factors such as the institution’s vision and strategic goals, culture, management style, security maturity, IT maturity, risk appetite and all relevant dynamics involving the current security posture and reporting lines.
The note recommends that the person holding the CISO role “could report to either the Chief Executive Officer (CEO), Chief Information Officer (CIO), Chief Operating Officer (COO) or Risk Function”, with the overall emphasis being that the CISO should serve “in the Senior Management Team.”
As the clock ticks towards the November 30 deadline set by the CBK, industry stakeholders are already discussing the requirements, especially the appointment of the CISO.
During a briefing for representatives drawn from financial institutions at the launch of the Proactive enterprise cyber solution by Internet Solutions Kenya, many attendees were of the opinion that the CISO should report to either the CIO or the CTO.
“Once appointed, the CIO can sit somewhere between the CIO and CEO. S/he can also sit on the organisation’s board,” said Bright Mawudor, Head of Cyber Security at Internet Solutions.
The CISO is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy and program that ensure information assets and technologies are adequately protected. The CISO is responsible for overseeing and implementing the institution’s cybersecurity program and enforcing the cybersecurity policy, and for ensuring that the institution maintains a current, enterprise-wide knowledge base of its users, devices, applications and their relationships, including but not limited to: a software and hardware asset inventory; network maps (including boundaries, traffic and data flows); and network utilization and performance data.
The holder of the position needs to ensure that information systems meet the needs of the institution, and that the ICT strategy (in particular information system development strategies) complies with the overall business strategies, risk appetite and ICT risk management policies of the institution. S/he also needs to design cybersecurity controls with consideration for users at all levels of the organization, including internal users (i.e. management and staff) and external users (i.e. contractors/consultants, business partners and service providers).
The CISO is also meant to organize professional cyber-related training to improve the technical proficiency of staff, and to ensure that regular and comprehensive cyber risk assessments are conducted.
The CISO is also required to report to the CEO at an agreed interval (but not less than once per quarter) on various areas, including an assessment of the confidentiality, integrity and availability of the institution’s information systems. The CISO must also ensure timely updates of the incident response mechanism and Business Continuity Plan (BCP) based on the latest cyber threat intelligence gathered, and incorporate scenario analysis to consider a material cyber-attack and its mitigating actions, and to identify potential control gaps.
The individual is also expected to ensure that frequent data backups of critical IT systems (e.g. real-time backup of changes made to critical data) are carried out to a separate storage location, and to ensure that the roles and responsibilities for managing cyber risks, including in emergency or crisis decision-making, are clearly defined, documented and communicated to relevant staff.
Finally, the holder of the CISO position is also required to continuously test disaster recovery and Business Continuity Plan (BCP) arrangements to ensure that the institution can continue to function and meet its regulatory obligations in the event of an unforeseen cyber-attack.