BitDepth #1406
MARK LYNDERSAY
THE IMF'S country report 23/161 for TT focused on a visit to the country by its Monetary and Capital Markets Department between October 31 and November 4, 2022.
The specific purpose of the IMF mission was to "strengthen the cybersecurity of the financial institutions under the supervisory ambit of CBTT, build supervisory capacity for the effective supervision of cybersecurity and strengthen the cybersecurity posture of the Central Bank."
During the visit, the IMF held extensive discussions with the TT Central Bank (CBTT) and assessed the status of its management of cyber risks, spoke to banks operating locally and hosted a hybrid event with CBTT teams, financial regulators and institutions on key issues that the entire financial sector needs to manage more effectively.
The supervision of financial institutions is fragmented across a range of local authorities.
The CBTT supervises banks, non-banks, insurance companies, pension firms, bureaux de change and payment systems. The Co-operative Development Division in the Ministry of Youth and National Development oversees credit unions. The TT Security and Exchange Commission supervises the securities market and intermediaries. The Financial Intelligence Unit investigates anti-money laundering/counter financing of terrorism.
It is unclear whether the IMF scheduled this mission based on observed shortfalls in finance-related cybersecurity or if there was an invitation to evaluate from the CBTT, but it's clear there are significant shortfalls that need to be addressed urgently.
In a list of 21 key recommendations compiled in the report, 18 were described as high priority and one, the augmentation of the CBTT's resources available for ICT/cyber-risk supervision, was flagged as immediately necessary.
The report lamented the complement of supervisory staff assigned to banks/non-banks and expressed specific concern that there was only one junior examiner qualified as an IT resource partially assigned to ICT and cyber-risk supervision. There is no equivalent resource assigned to review insurance and pension firms.
The report urged the CBTT to assess the workload of its IT Security Unit, noting, "An analysis of the unit's current workload should be performed, including operations and project work.
"CBTT's commitment to improving its cyber resilience will result in additional workload on top of an already stretched agenda, which needs to be estimated and the necessary resource development plans drawn up in advance, as there is a general shortage of available skills."
The CBTT, however, is the only national regulatory entity considering the development of specific ICT and cyber-risk guidelines to address rapidly evolving threats that aren't covered by existing requirements for corporate governance, market conduct and security of customer information.
The Central Bank of Barbados published new cyber-risk guidelines this month.
This fuzziness in defining how financial institutions should conduct their busines