Cenbank introduces new cybersecurity framework for financial sector
The central bank highlighted the rapid expansion of online services, digital platforms, cloud computing, and interconnected networks
Bangladesh Bank has issued a comprehensive cybersecurity framework to address rising cyber risks in the country's financial sector. The new guideline, titled "Cybersecurity Framework, Version 1.0 (2026)", mandates that all scheduled banks, finance companies, mobile financial service (MFS) providers, payment service providers, and payment system operators fully implement the framework by 31 December 2026.
In a statement today (29 March), the central bank highlighted the rapid expansion of online services, digital platforms, cloud computing, and interconnected networks, which has significantly increased the use of information technology in financial services. While these advances ensure faster and more convenient services, they have also escalated cyber threats and vulnerabilities.
The circular warns that incidents such as cyberattacks, hacking, phishing, malware infections, ransomware, and data breaches pose serious financial, reputational, and operational risks to financial institutions.
To mitigate these threats, the framework emphasises the need to protect the confidentiality, integrity, and availability of customer data, while maintaining the stability of technological infrastructure.
The framework covers multiple areas, including cybersecurity governance, risk management, information and data protection, network and infrastructure security, access control, cyber threat monitoring and incident management, third-party and outsourcing risk management, audit and compliance assurance, as well as stakeholder training and awareness programs.
Financial institutions are required to implement documented security practices, maintain secure system design, and conduct regular monitoring. Role-based and general cybersecurity training for employees is also mandated.
From an organisational standpoint, the framework underscores that managing cybersecurity and privacy risks demands a continuous, comprehensive approach. This involves enforcing strict security requirements for third-party providers, adopting reliable and updated technologies, and integrating security throughout the system development lifecycle.
Structured around six functional areas – Identify, Protect, Detect, Respond, Recover, and Reporting – the framework provides a holistic approach to cybersecurity risk management and incident handling.
Its core objectives include safeguarding financial stability, detecting and responding to cyber threats, standardising cybersecurity practices across institutions, and ensuring compliance with legal and industry standards.
The circular also instructs institutions to contact the central bank's ICT Department, specifically the ICT Audit, Inspection, and Compliance Wing, if any implementation issues or questions arise.
Bangladesh Bank has issued the guideline under the authority granted by relevant sections of the Bank Companies Act, 1991 (Amended), the Finance Company Act, 2023, and the Payment and Settlement Systems Act, 2024.
