Cybersecurity Statement of Guidance for Regulated Entities
Weekly insights from CIMA’s Cybersecurity Guidance
Insight #7 | Section 9: IT System Controls and Use of the Internet
We continue to discuss other requirements for regulated entities’ cybersecurity program.
The following key requirements should be considered:
Payment Cards & Systems
Regulated entities that accept, store, process and/or transmit cardholder data should:
- Ensure they are in compliance with Payment Card Industry Data Security Standard (PCI DSS);
- Implement secure measures that apply to payment systems such as point of sale (PoS) terminals, online services and payments (mobile platforms, etc.); and
- Conduct risk assessments to identify possible fraud scenarios.
Use of the Internet
Regulated entities should:
- Establish policies and controls to guard against attacks, and to minimise the impact of attacks, on internet systems through which they provide financial services and clients transact;
- Ensure transactions performed over the internet, as well as credentials, personal data and sensitive personal data are protected, authenticated and secured against exploits, such as account takeovers;
- Evaluate security requirements associated with Internet systems and adopt industry standard encryption algorithms;
- Consider the deployment of two-factor authentication (2FA) for all types of online financial systems, and of transaction signing for authorising transactions;
- Maintain high resiliency and availability of online and supporting systems;
- Put in place measures to plan and track capacity utilisation and guard against attacks such as denial of service (DoS) attacks;
- Take appropriate measures to minimise exposure to other forms of cyber attacks such as Business E-mail Compromise (BEC) attacks; and
- Ensure adequate information about the regulated entity, including its physical address and head office, is provided on its website.
Next week, we review:
Section 10: Accountability - What are the responsibilities of the governing body regarding cybersecurity?