MAURITIUS Law and Practice Contributed by: Valerie Bisasur, Jean-Vincent Dacruz and Shane Mungur, BLC Robert & Associates
• business model and strategy; • governance; • internal control framework and risk manage - ment; • implementation of scenario analysis and stress testing; and • disclosure of information on climate-related and environmental financial risks to which they are exposed, the potential impact of material risks and their approach to managing these risks. The disclosure requirement will be effective from the financial year ending 31 December 2023. The BoM introduced the Guideline on Cyber and Technology Risk Management in 2023, which sets out specific regulatory requirements that financial institutions must meet to enhance their cyber and technology risk management. The Guideline sets out the minimum requirements that banks and payment service providers are expected to implement with respect to cyber and technology risk management, to ensure that the risks are well understood and managed appropriately. The key regulatory requirements within the Guideline that banks and payment service providers should be aware of – as they align with broader cyber-resilience standards in the financial sector – are as follows. Governance Framework for Cyber-Resilience Financial institutions must establish a cyber and technology risk governance structure that includes oversight by their board and senior management. 10. DORA 10.1 DORA Requirements
The board of directors of each financial insti - tution is responsible for approving cyber and technology risk strategies and for ensuring that these align with the institution’s overall business objectives. Financial institutions must designate a Chief Information Security Officer (CISO) or equiva - lent to oversee cyber-risk and report regularly to senior management and the board on cyber- resilience. Identification of Critical Assets and Dependencies The Guideline requires entities to conduct regu - lar risk assessments to identify potential cyber and technology risks across their operations, and to identify and document critical assets, processes and third-party dependencies that are essential to their operations. Key requirements for managing third-party risk include: • conducting thorough due diligence on poten - tial service providers; • establishing contractual agreements that include security standards, incident notifi - cation obligations and compliance with the financial institution’s cybersecurity require - ments; and • monitoring third parties for compliance with agreed cybersecurity measures, and conduct -
ing periodic reviews or audits. The assessments should cover:
• identification of critical assets and systems; • evaluation of potential threats and vulnerabili - ties; and • impact analysis to understand how cyber incidents could affect business continuity.
367 CHAMBERS.COM
Powered by FlippingBook