• Cyber Compliance clock ticking for Mauritian financial institutions 

Headers Ribbon

Incoming cyber regulation deadlines are looming, but Mobius Consulting can help.

Article by Lovena J Reddi 

The Bank of Mauritius recently issued its Guideline on Cyber and Technology Risk Management, setting in motion a series of deadlines for compliance. While this affects the financial sector specifically, it’s merely the first  in a line of incoming regulations that will include other industries in due course. Simply put, if you run any kind of regulated business in Mauritius, it’s very much to your advantage to get a head start — not just for the sake of obligation, but to put yourself on the path to sustainable security and to start establishing digital trust. 

The Guideline

The Bank of Mauritius aims to provide banks and financial institutions with guidelines for the safeguarding of their information assets against cyber threats and attacks. To this end, the Guideline sets out the minimum requirements that must be adopted to effectively manage cyber and technology risks. The guidelines are also designed with alignment to internationally recognised frameworks and standards, so compliance will also assist organisations to develop digital trust beyond our borders. The Guideline is comprehensive and includes controls that are applicable across the business, including strategies, assessments and reporting, security testing, and third-party service provider due diligence. Of particular note is that the prescribed responsibilities go well beyond the CISO’s role and include responsibilities of both senior management and the board. 

The broader view

Making the matter a board-level concern is very much in step with international trends. As digital  strategies continue to be a business imperative, IT risk can no longer afford to be seen as a purely technological concern, but rather as an organisation-wide endeavour that also encompasses people, processes and governance. This means developing a new approach that includes embedding security into all aspects of business. Doing so will provide the necessary level of trust that supports your organisation’s ability to execute your strategy at pace. Which is all very easy to talk about, of course, but what does it mean in practice for Mauritian businesses who urgently need to meet deadlines with limited internal resources?

The way forward

Mobius Consulting is currently assisting a number of financial institutions on their compliance journey. As such, we’re perfectly positioned to help businesses of any size and sector to not only comply with the new legislation, but to also embed security across the business and improve their overall security posture. Crucially, we act as an extension of your team, which means there’s less burden on your internal resources. We go beyond just the minimum compliance requirements by helping you to identify opportunities to proactively optimise your cyber security, and to align with international best practices. From gap assessment to a complete end-to-end solution, we have the skills, experience and flexibility to help you get where you need to go.

Lovena J Reddi is the Director of Mobius Consulting Mauritius. To accelerate your cyber security journey, email info@mobiusconsulting.mu or call +230 5297 0903

Key deadlines and requirements

29 May 2023 

Guideline released by Bank of Mauritius.

30 Nov 2023 

Report on findings of penetration testing and vulnerability assessments, together with remediation plan.

31 Jan 2024 

Submit board-approved gap analysis report together with remediation plan. 

30 June 2024

Fully comply with all provisions of Guideline.

30 Nov 2024 (final deadline)

Ensure cyber and technology risk management framework is duly audited by an external independent assessor.

Reporting requirements: Submit findings of all audits, assessments and testing exercises together with remediation plan within 90 days of date of completion of respective exercise.