Cybersecurity Initiatives of the Central Bank of Eswatini: Safeguarding the Financial Ecosystem

The rise in cyber threats within the global financial system has made cybersecurity a crucial priority for financial institutions. The Central Bank of Eswatini plays a critical role in safeguarding the integrity of the country’s financial system by implementing robust cybersecurity initiatives. The Bank protects not only the financial institutions it regulates but also the public, ensuring the financial ecosystem is resilient against cyber-attacks. This article highlights the key initiatives the Bank is undertaking for regulated financial institutions, the public, and within the Central Bank itself.


1. Initiatives for Regulated Financial Institutions

As regulator, the Central Bank of Eswatini has taken proactive steps to ensure that the institutions it oversees have robust cybersecurity measures. Two critical guidelines have been issued to assist financial institutions in enhancing their cyber resilience:

1.1 Cybersecurity Guidelines for Financial Institutions No. 1 of 2021:

These guidelines are designed to strengthen the cybersecurity framework of financial institutions. Based on the globally recognized NIST (National Institute of Standards and Technology) cybersecurity framework and the guidance from the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO), the guidelines set out clear expectations for how institutions should protect themselves against cyber threats. Key requirements include:

  • The establishment of a board-approved Cyber Resilience Framework, with the board and senior management actively overseeing its implementation.
  • Financial institutions must identify their information assets, processes, procedures, systems, and dependencies to build a stronger cyber resilience posture.
  • Protective measures must be in line with leading cybersecurity practices to prevent, limit, or mitigate the impact of cyber events.
  • Institutions must develop capabilities to detect, monitor, respond to, and recover from cyber-attacks.
  • Regular testing, including vulnerability assessments, penetration tests, and scenario-based testing, is required to evaluate the institution’s preparedness.
  • Institutions are encouraged to learn from incidents within their organization as well as from others in the industry.


1.2 Cloud Computing Guideline No. 1 of 2024:

The adoption of cloud computing by financial institutions introduces additional risks, which the Central Bank seeks to mitigate through this guideline. The purpose is to ensure institutions engaging with cloud service providers do so responsibly, with the following requirements:

  • A board-approved cloud strategy and comprehensive cloud computing policy.
  • Rigorous due diligence on cloud service providers to assess security, compliance, and risk management.
  • Institutions must implement necessary security controls, manage associated risks, and ensure data is hosted in compliance with privacy laws.
  • Institutions are also required to develop data migration, contingency, and exit strategies to minimize disruptions and ensure data integrity.

The Central Bank closely monitors compliance with these guidelines as part of its supervisory and inspection duties, ensuring that financial institutions maintain high standards of cybersecurity.

The Central Bank and the Eswatini Communications Commission (ESCCOM) are also working on protecting financial services offered through mobile devices. Security clinics have been previously organised for participants in the telecommunication, banking and payments space. A Digital Financial Services Security framework to manage the risks is under development.


2. Initiatives for the Public and End-User Customers

While the Central Bank of Eswatini does not engage directly with the public as end-user customers, it holds regulated financial institutions accountable for customer education. Section 4 of Legal Notice 62 of 2016 requires financial institutions to allocate budgets for consumer education. The aim is to ensure customers are aware of cyber threats, particularly the increasing sophistication of scams targeting personal information and funds.

Through public education campaigns, financial institutions are expected to inform their customers about phishing scams, online fraud, and other cyber risks. The Central Bank views consumer education as a critical defence mechanism to reduce the success rate of cyber-attacks targeting individuals. By empowering customers with knowledge, financial institutions can help mitigate the risks posed by cybercriminals and protect consumer data and money.

The Central Bank commends financial institutions for their ongoing efforts in consumer education, both individually and through the Eswatini Bankers Association. These initiatives play a vital role in empowering consumers to make informed decisions and safeguard their financial well-being.


3. Initiatives Within the Central Bank of Eswatini

As the backbone of Eswatini's financial system, the Central Bank has made significant investments in its cybersecurity infrastructure to safeguard critical national financial assets. A dedicated Information Security and Cybersecurity Unit has been established to manage the Bank's cybersecurity operations.

One of the key projects is the establishment of a Network and Cybersecurity Operations Centre (NCSOC). This centre enables advanced monitoring of threats and ensures timely responses to potential cyber incidents. The NCSOC continuously analyses and mitigates risks to the financial infrastructure, providing an additional layer of protection.

Additionally, the Central Bank is in the process of rolling out the Eswatini Payment Switch (EPS), a critical piece of infrastructure for the country's banking system. Recognizing the importance of EPS in national financial operations, the Central Bank has rigorously assessed the security controls surrounding this system. A penetration test has already been conducted to evaluate its resilience against potential attacks, ensuring that it meets the highest cybersecurity standards.

By investing in personnel, advanced systems, and continuous training, the Central Bank is fortifying its defences to maintain the security and integrity of the nation’s financial system.


4. Looking Ahead

The Central Bank of Eswatini is committed to strengthening the resilience of the financial services sector. Recognizing the need for a coordinated approach to cybersecurity, the Central Bank, along with other regulators and all stakeholders in the financial sector, is working towards establishing a Financial Sector Computer Security Incident Response Team (CIRT) to work hand in hand with the national CIRT at ESCCOM. The Financial Sector CIRT will serve as a hub for sharing threat intelligence, coordinating responses during cyber incidents, and providing expert guidance to mitigate the impact of cyber-attacks.
