Cybersecurity In Regulated Institutions Regulation


REGULATORY DIGEST ON “CYBERSECURITY IN REGULATED INSTITUTIONS REGULATION”

Background

The safe and efficient operation of Financial Institution Infrastructures (FIIs) is essential to maintaining and promoting financial stability and economic growth (BIS, 2016).

Establishing an effective cybersecurity legal framework in financial institutions is the role of the regulator. As financial services become increasingly digitized, the volume of sensitive digital data grows exponentially, and with it the potential personal and systemic impact of data breaches. As such, safeguards against illicit access to this data become increasingly important.

Given how rapidly cybersecurity threats emerge and change, financial institutions are compelled to think ahead and ensure that they are resilient enough against any cybersecurity threat.

In order to keep financial institutions and their clients safe, Regulation No 50/2022 of 02/06/2022 on Cybersecurity in Regulated Institutions was enacted. It requires regulated institutions to have resilient ICT, including cyber security, that is subject to protection, detection, response and recovery programs which are regularly tested, incorporate appropriate situational awareness, and convey relevant and timely information to risk management and decision-making processes, so as to fully support and facilitate the delivery of the regulated institution’s critical operations.

Regulatory Key Highlights

The current regulation replaces Regulation No 01/2018 on cyber security, mainly to align the regulation with the dynamism of the markets, to apply it across all regulated institutions, and to establish minimum prudent standards for financial institutions for the prevention or mitigation of any cyber security threat.

As part of the regulatory requirements (Chapter II), the regulation places the responsibility for cyber security governance on the board of directors and senior management, and it details the components of a comprehensive cyber security governance framework. It also specifies the required cyber security committees and functions.

This regulation requires regulated institutions to maintain a cyber-security strategy and policy based on the institution’s risk assessment. It requires regulated institutions to conduct penetration tests at least annually, as well as bi-annual vulnerability assessments. Regulated institutions are also required to maintain systems that include an audit trail, and they should provide customers with information on precautions to take while using Alternative Delivery Channels (ADC). As part of their risk management framework, regulated institutions should conduct a cyber security risk assessment. In relation to service providers, regulated institutions should ensure the security of information systems and non-public data accessible to or held by service providers.

Other regulatory requirements include having qualified information security auditors within the internal audit team, having risk-based multi-factor authentication, having a data retention policy in place, putting in place a cyber security awareness program, ensuring encryption of non-public data where required, and having in place an incident response and business continuity management plan. Regulated institutions are also required to notify the supervisory authority of the occurrence of an incident within a specified period that depends on the magnitude and effect of the incident. Further, regulated institutions are required to carry out a self-assessment and submit a statement of self-assessment annually to the supervisory authority.

The requirement of maintaining primary data on the territory of the Republic of Rwanda, which appeared in the repealed regulation, has been removed; however, regulated institutions shall abide by other legal and regulatory requirements applicable to cybersecurity, outsourcing outside Rwanda, and data protection and privacy (Art. 23). Of particular note is article 50 of Law Nº 058/2021 of 13/10/2021 relating to the protection of personal data and privacy.

Important deadlines

Regulated institutions that do not comply with the provisions of this regulation are given a period of one year to comply with them, counted from its publication in the Official Gazette of the Republic of Rwanda (Official Gazette n° Special of 17/06/2022).

Regulated institutions shall submit a statement of self-assessment not later than 15th January of each year.

Implications for concerned stakeholders

All regulated institutions must satisfy each of the requirements of this Regulation; failing this, the Supervisory Authority may apply any sanctions available under the relevant provisions of the relevant specific regulations.

For more details:

https://www.bnr.rw/laws-and-regulations/banking/regulations/