CBSL tightens oversight on IT and cybersecurity risks in banking sector

In a move to reinforce operational resilience across the banking sector, the Central Bank of Sri Lanka (CBSL) has issued a new directive requiring licensed banks to promptly report a broad range of information technology (IT) and cybersecurity incidents.

The latest circular, released this week, comes against the backdrop of growing digital adoption among banks and rising threats to data integrity and system stability.

The financial sector regulator issued the circular after observing licensed banks' increased reliance on digital infrastructure and the risk of cyberthreats, data breaches, and system failures, which require prompt and transparent reporting of such incidents to CBSL and relevant stakeholders in order to ascertain risks, mitigate potential disruptions, and safeguard customer information and assets.

The directive applies to both licensed commercial banks and licensed specialised banks and is an extension of the Banking Act Direction No. 16 of 2021 on Technology Risk Management and Resilience.

Under the new rules, banks are required to report incidents affecting customers, ranging from system usage and insider threats to advanced persistent threats (APTs), supply chain attacks, and online or digital scams.

Unplanned critical system outages, regulatory non-compliance related to IT and cybersecurity, and other notable disruptions must also be disclosed.

Reports are to be submitted to the Director of the Bank Supervision Department via designated email channels.

The CBSL issued a format in which financial institutions should share information about such incidents.

The CBSL listed three types of reporting: immediate reporting, within two hours of detection of the incident; detailed reporting, within 14 days of detection; and quarterly reporting, within 15 days following the end of each quarter.

The circular dated 25 January 2016 on reporting of cybersecurity events is revoked and no longer valid.

 
