As technology continues to evolve, so do the risks faced by financial institutions. The Financial Services Commission (FSC) is responsible for ensuring that its licensees maintain robust systems for managing cyber and technology risks.
This page provides guidance, regulatory expectations, and reporting forms related to cybersecurity risk management for FSC-regulated entities. For detailed instructions on reporting cyber incidents, including examples of what constitutes a reportable event, please refer to our Information Circular on Reporting Cyber Incidents.
The Financial Services Commission has issued a comprehensive guideline that outlines best practices for managing cyber and technology risks. These standards aim to help institutions prevent, detect, and respond to cyber incidents while ensuring proper disclosure and reporting.
All FSC-regulated financial institutions are required to notify the Commission of any reportable cyber incidents, including both successful breaches and unsuccessful attempts.
Instructions for completing the Cyber Incident Reporting Forms are available for download from this page.
The FSC’s reporting framework includes three structured steps:
For incidents that remain unresolved, entities are expected to submit additional Intermediate Reports as required.
Table 1 below provides some examples of the types of reportable incidents but should not be considered an exhaustive list.
Scenario Type | Scenario Description | Impact
---|---|---
BIN (Bank Identification Number) Attack | Brute-force guessing of a valid combination of card number, card verification value (CVV) and expiry date, typically across many cards that share the same BIN. | 1. Unauthorised transactions; 2. Loss of funds; 3. Reputational damage
Cyber Attack | An account-takeover campaign targets the FI's online services using new methods, and the FI's current defences are failing to prevent customers' accounts from being compromised. | 1. High volume and velocity of attempts; 2. Current controls are failing to block attacks; 3. Customers are locked out; 4. Indication that customer account(s) or information has been compromised
Service Availability & Recovery | Technology failure at a data centre. | 1. Critical online service is down and the alternate recovery option has failed; 2. Extended disruption to critical business systems and operations
Third-Party Breach | A third party designated as material to the FI is breached and notifies the FI that it is investigating. | 1. Third party is designated as material to the FI; 2. Impact to FI data is possible
Extortion Threat | The FI receives an extortion message threatening a cyber attack. | 1. Threat is credible; 2. Probability of critical online service disruption

Table 1: Examples of Reportable Incidents
• Cyber Threat: A potential circumstance or event that may cause harm to systems or information.
• Cyber Event: A suspected or actual unauthorised access or breach that may become an incident.
• Cyber Incident: A confirmed event that significantly compromises business operations and requires corrective action.
All FSC-regulated financial institutions are required to report cyber incidents and significant unsuccessful attempts.
An incident such as a BIN attack attempt that fails but reveals vulnerabilities (e.g., a burst of $0 test transactions used to probe which card details are valid) should still be reported.
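The BIN Attack row of Table 1 and the note above about $0 test transactions describe a pattern that an FI's fraud or security team can detect in its own authorisation logs: a burst of attempts across many distinct card numbers under one BIN, mostly declined, often for zero or token amounts. The following detector is an added example and is not code from the FSC or from the Information Circular; the log format (timestamp, masked PAN, amount, response), the sample lines and the thresholds are all assumptions chosen for illustration.

```python
"""
Detect BIN-attack patterns in card authorisation logs (added example).

A BIN attack brute-forces card number, expiry and CVV for many cards that
share one Bank Identification Number (first six digits of the PAN). The
signal is therefore a short window in which many distinct PANs under one
BIN are attempted, most are declined, and amounts are $0 or token values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real traffic. Assumed format:
#   ISO timestamp  masked PAN  amount  response
# BIN 423456 carries a simulated attack (12 PANs in 38 seconds, four $0
# probes, one eventual approval); BIN 512345 is ordinary customer traffic.
SAMPLE_LOG = """\
2024-03-01T10:00:01 423456******1001 0.00 DECLINED
2024-03-01T10:00:03 423456******1002 0.00 DECLINED
2024-03-01T10:00:05 423456******1003 0.00 DECLINED
2024-03-01T10:00:08 423456******1004 0.00 DECLINED
2024-03-01T10:00:11 423456******1005 1.00 DECLINED
2024-03-01T10:00:14 423456******1006 1.00 DECLINED
2024-03-01T10:00:17 423456******1007 1.00 DECLINED
2024-03-01T10:00:21 423456******1008 1.00 APPROVED
2024-03-01T10:00:25 423456******1009 1.00 DECLINED
2024-03-01T10:00:30 423456******1010 1.00 DECLINED
2024-03-01T10:00:34 423456******1011 1.00 DECLINED
2024-03-01T10:00:39 423456******1012 1.00 DECLINED
2024-03-01T09:12:40 512345******7001 54.20 APPROVED
2024-03-01T09:48:02 512345******7002 12.99 APPROVED
2024-03-01T10:03:17 512345******7003 230.00 DECLINED
2024-03-01T10:15:55 512345******7001 18.50 APPROVED
"""


def parse_log(text):
    """Parse the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pan, amount, response = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "bin": pan[:6],          # BIN is visible even on a masked PAN
            "pan": pan,
            "amount": float(amount),
            "approved": response == "APPROVED",
        })
    return events


def detect_bin_attacks(events, window=timedelta(minutes=5),
                       min_distinct_pans=10, min_decline_ratio=0.8):
    """Return {bin: stats} for BINs whose densest window looks like an attack.

    Thresholds are assumed values; tune them to the FI's real traffic.
    """
    by_bin = defaultdict(list)
    for ev in events:
        by_bin[ev["bin"]].append(ev)

    findings = {}
    for bin_, evs in by_bin.items():
        evs.sort(key=lambda e: e["time"])
        best = None   # stats for the window with the most distinct PANs
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            span = evs[start:end + 1]
            distinct = len({e["pan"] for e in span})
            if best is None or distinct > best["distinct_pans"]:
                declined = sum(1 for e in span if not e["approved"])
                best = {
                    "distinct_pans": distinct,
                    "attempts": len(span),
                    "declined": declined,
                    "approved": len(span) - declined,
                    "zero_amount": sum(1 for e in span if e["amount"] == 0),
                    "window_start": span[0]["time"],
                }
        ratio = best["declined"] / best["attempts"]
        if best["distinct_pans"] >= min_distinct_pans and ratio >= min_decline_ratio:
            findings[bin_] = best
    return findings


if __name__ == "__main__":
    for bin_, stats in detect_bin_attacks(parse_log(SAMPLE_LOG)).items():
        print(f"BIN {bin_}: {stats['distinct_pans']} PANs, "
              f"{stats['declined']}/{stats['attempts']} declined, "
              f"{stats['zero_amount']} zero-amount, "
              f"{stats['approved']} approved, from {stats['window_start']}")
```

Even when every attempt is declined, a flagged window is the kind of unsuccessful attack the page says should be reported; a single approval inside the burst (as in the sample) means the attacker has found a valid card and the event has moved from attempt to loss.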
At least one Intermediate Report is required after five days if the incident remains unresolved. Additional reports may be requested by the FSC before or after this period.
Each incident is tracked by a unique code assigned once Form 1 is submitted; quote it on every subsequent report for that incident.