The Cybersecurity Framework for Kuwaiti Banking Sector, released by Central Bank of Kuwait in February 2020, aims at establishing an integrated framework for improving cyber resilience. Based on the Framework, all local banks should engage an independent third-party firm to audit the cybersecurity controls to validate their compliance with the Framework.
Baker Tilly in Kuwait, an independent member firm of Baker Tilly international, explained that pursuant to the CBK Circular dated 1 February 2021 to local banks, the permitted term of engagement of the independent third-party auditor to provide Cybersecurity Audit services to the same bank shall be two years. The Cybersecurity Audit Report should be issued on a quarterly basis.
According to Baker Tilly in Kuwait, the following are the four domains regarding baselines covered under Cybersecurity Framework:
- Governance, Risk Management, and Compliance
- Technology and Operations
- Third Party Security
- Protection of Electronic Payment Systems
Considering the criticality of cybersecurity, CBK requires that cybersecurity audits shall be performed by an independent third-party firm. The audits will include checking and verifying security controls in place in the regulated entities with view to ensuring availability, integrity and privacy of information. These will cover all controls, management practices, governance, risk, and compliance adopted with these entities. In addition, the audits should o encompass third parties bound by contracts with audit rights.
It is worth mentioning that Baker Tilly Kuwait is a registered firm with CBK to render the cybersecurity audit service, meeting all requirements of the independent third-party firm, including qualified team with academic and professional certifications as well as previous experience in the field of cybersecurity audits.