
The Central Bank of Sri Lanka (CBSL) has introduced a new directive aimed at strengthening operational resilience within the banking sector by mandating licensed banks to report a wide range of IT and cybersecurity incidents without delay.
This move comes in response to the rapid digital transformation in the banking industry and the corresponding rise in threats to data integrity and system stability.
CBSL observed an increasing dependence on digital infrastructure among licensed banks, along with growing cyber risks, prompting the need for swift and transparent reporting of security events to both the regulator and relevant stakeholders.
The new directive, which extends the provisions of the Banking Act Direction No. 16 of 2021 on Technology Risk Management and Resilience, applies to both licensed commercial and specialised banks.
Under the updated rules, banks must report incidents that impact customers, including insider threats, advanced persistent threats (APTs), supply chain attacks, digital scams, and system misuse.
Critical unplanned system outages, IT and cybersecurity-related regulatory non-compliance, and other significant disruptions must also be disclosed.
Reports must be submitted to the Director of the Bank Supervision Department through designated email channels, using the standard format prescribed by CBSL.
Three reporting stages are required: an immediate report within two hours of detecting an incident, a detailed report within 14 days, and a quarterly report within 15 days of each quarter's end.
With the issuance of this directive, CBSL has formally revoked the earlier circular dated 25 January 2016 regarding the reporting of cybersecurity incidents.