Version date: 31 March 2021 - onwards

ICT including cyber security (Principle 7)

[Cyber security as defined in the FSB's Cyber Lexicon of November 2018.]

Principle 7: Banks should ensure resilient ICT including cyber security that is subject to protection, detection, response and recovery programmes that are regularly tested, incorporate appropriate situational awareness and convey relevant timely information for risk management and decision-making processes to fully support and facilitate the delivery of the bank's critical operations. [The management of ICT articulated in this principle should be consistent with and conducted alongside the ICT principle as articulated in paragraphs 55-57 of Principle 10 in the proposed revisions to the PSMOR.]

37. Banks should have a documented ICT policy, including cyber security, which stipulates governance and oversight requirements, risk ownership and accountability, ICT security measures (eg access controls, critical information asset protection, identity management), periodic evaluation and monitoring of cyber security controls, and incident response, as well as business continuity and disaster recovery plans.