Malawi draws up new cyber security guidelines to protect finance
The Reserve Bank of Malawi (RBM) has implemented new guidelines to help banks effectively manage data amid increasing cyber security risks.
Dubbed 'the Information and Cyber Security Risk Management Guidelines' and finalised in October 2019, the new regulations replace IT risk management policies that have been in place since 2016.
In a statement, the registrar of financial institutions, RBM Governor Dalitso Kabambe, acknowledged that cyber security risk, if not properly managed, has the potential to cause disruption to the financial industry.
Kabambe explained that any breaches could result in "denial of service to customers, exposure of private information, deletion of or tampering with customers' and banks' records and inability to manage both the bank's own as well as customers' assets."
The guidelines, which are issued pursuant to Section 96 of the Financial Services Act, 2010, are expected to apply in addition to all other Risk Management Guidelines issued by the central bank.
"The guidelines outline minimum requirements and banks are therefore expected to put in place more robust measures for managing information and cyber security risk in addition to those stipulated in these guidelines," said Kabambe.
John Kapito, executive director of the Consumers Association of Malawi, said that since the banking industry faces high risk, constant reviews of policies that guide and protect consumers from illicit financial transactions are paramount.
The guidelines feature five objectives, including the provision of minimum requirements on management of information and cyber security risk, as well as strengthening banks' information system security and protection of critical information infrastructure.
Bram Fudzulani, president of the Information and Communications Technology Association of Malawi, said this will guard against major threats like theft of money and the underlying technology or intellectual property.
The guidelines urge banks to establish an effective Information and Cyber Security Risk Management Framework which should be rolled out by a Chief Information Security Officer.
Where a bank intends to outsource or engage third party service providers for some of its IT-related functions, the guidelines advocate that this should only be done when there is a comprehensive policy to guide the assessment of whether and how those activities can be appropriately outsourced.
Other critical provisions compel banks to regularly conduct vulnerability assessments (VAs) to detect security vulnerabilities in their IT environment, and to evaluate the security requirements associated with their e-banking services, for which they will be expected to adopt effective encryption algorithms that are in line with international standards and best practices.