Cybersecurity Statement of Guidance for Regulated Entities

Weekly insights from CIMA’s Cybersecurity Guidance

Insight #7 | Section 9: IT System Controls and Use of the Internet

We continue our discussion of the requirements for a regulated entity's cybersecurity programme.

The following key requirements should be considered:

Payment Cards & Systems

Regulated entities that accept, store, process and/or transmit cardholder data should:

  1. Ensure they are in compliance with Payment Card Industry Data Security Standard (PCI DSS);
  2. Implement security measures that apply to payment systems such as point of sale (PoS) terminals, online services and payment channels (mobile platforms, etc.); and
  3. Conduct risk assessments to identify possible fraud scenarios.

Use of the Internet

Regulated entities should:

  1. Establish policies and controls to guard against attacks and minimise impact of attacks on internet systems where they provide financial services and clients transact;
  2. Ensure transactions performed over the internet, as well as credentials, personal data and sensitive personal data are protected, authenticated and secured against exploits, such as account takeovers;
  3. Evaluate security requirements associated with Internet systems and adopt industry standard encryption algorithms;
  4. Consider the deployment of two-factor authentication (2FA) for all types of online financial systems and transaction-signing for authorising transactions;
  5. Maintain high-resiliency and availability of online and supporting systems;
  6. Put in place measures to plan and track capacity utilisation and guard against attacks such as denial of service (DoS) attacks;
  7. Take appropriate measures to minimise exposure to other forms of cyber attacks such as Business E-mail Compromise (BEC) attacks; and
  8. Ensure adequate information is provided on their website about the regulated entity, including its physical address and head office.

Next week, we review:
Section 10: Accountability - What are the responsibilities of the governing body regarding cybersecurity?
