Prudential Supervision: Data and Cyber Security Related Risks

1. Supervisors can support innovation while still enforcing minimum cybersecurity standards such as strong encryption, incident reporting, and third-party risk management. A risk-based approach allows flexibility for new products while ensuring core safeguards are in place.

2. Regional cooperation helps by sharing threat intelligence and coordinating responses to cross-border cyber incidents. This allows supervisors to detect emerging threats earlier and respond more effectively.

3. To address the skills gap, supervisors can invest in staff training, partner with international organisations, and support regional training programs to build cybersecurity expertise.

a. Supervisors can balance innovation and security by applying risk-based cyber oversight while ensuring DFSPs continuously strengthen threat-mapping and incidents response capabilities
b. Regional cooperation and information sharing platforms help mitigate cross-border cyber risks by enabling joint incident response and threat intelligence exchange across national CSIRTs
c. Supervisors can address cybersecurity talent shortages by investing in national capacity building programs and establishing CSIRTs to strengthen technical expertise in developing markets

1. Supervisors face a dual mandate: encourage innovation to expand financial inclusion and efficiency, while protecting consumers and the financial system from rising cyber risks. Research and global governance insights show that this balance can be achieved through coordinated, risk‑based supervisory strategies. Including strengthening governance and aligning innovation with cyber‑risk strategies, promoting cross‑functional collaboration, using regulatory sandboxes with built‑in cyber safeguards and ensuring responsible use of emerging technologies.
2. Cross‑border cyber threats are growing rapidly due to interconnected digital systems, state‑sponsored cyber operations, and cybercrime syndicates that exploit jurisdictional gaps. Because these risks transcend national boundaries, no country can manage them alone making regional cooperation and information‑sharing platforms essential.
3. Supervisors in developing markets can address the cybersecurity skills shortage by building national cyber talent pipelines, supporting regional training centers, provide sector‑wide training, promoting reskilling, leveraging international expertise, and encouraging automation to offset human shortages.

1.Supervisors can use a risk-based approach that allows innovation while requiring DFSPs to meet basic cybersecurity and data protection standards.
2. Regional cooperation helps countries share cyber threat information and coordinate responses to cross-border attacks.
3.Supervisors can build capacity through training, partnerships, and support from international and private cybersecurity experts.

Supervisors can require DFSPs to adopt strong security measures such as end to end encryption, multi factor authentication, and continuous monitoring of data access. They can also require proper third party risk management frameworks for critical ICT services such as cloud providers and APIs as well as core banking systems.

At the same time, supervisors can allow innovation through regulatory sandboxes or phased implementation of new technologies while ensuring that security requirements are built into system design from the start. (For example, some countries in Africa have rolled out regulatory sandboxes for the testing of new technologies such as Central Bank Digital Currencies,


Regional cooperation and information-sharing platforms enables countries to obtain information on cyber threats that originate outside their jurisdiction, making them better prepared for attackers that might attempt to use similar approaches

To address the shortage of cyber security expertise, supervisors can invest in training programs for staff, collaborate with international organisations such as the BIS, and IMF, and promote certification programs for cybersecurity professionals

1. Supervisors can promote digital innovation in DFSPs through three methods, which include establishing regulatory sandboxes for testing purposes, enforcing security audit requirements, and supporting data governance framework development. The DFSPs continue to work together to meet security standards and protect consumer rights.
2. The regional cooperation, together with information-sharing platforms, shows its capability to protect against international cyber threats that come from other nations. The system allows users to exchange threat intelligence while delivering security updates and conducting joint threat response operations. The process develops trust between parties, together with common standards and unified legal systems, which create obstacles for cybercriminals to exploit existing system weaknesses.
3. Supervisors in developing markets can address cybersecurity expertise shortages by using educational incentives, public-private partnership development, international standards adoption and talent acquisition and cybersecurity awareness programs.

1. Risk management approach should be employed on the supervision of technology adoption, either on the DFS itself or the third-party service provider, to eliminate third-party risk
2. The cooperation allows threat intelligence sharing before the riks crystalizes, and could also serve as a ground for capacity building for the nations that are not sophisticated yet
3. In the short term, the services can be outsourced to a known or reputable professional from outside the country, while training, public private partnership is carried out to build capacity in the medium and long term

1. Supervisors can implement regulatory sandboxes with "security-by-design" requirements, allowing innovators to test products within guarded parameters that mandate basic encryption and data protection from day one.
2. Regional cooperation enables the creation of shared Cyber Threat Intelligence (CTI) platforms, allowing regulators to exchange real-time data on active malware and hacking patterns across borders. Establishing joint incident response protocols ensures that a breach in one country’s payment system is immediately signaled to neighbors, preventing regional contagion.
3. Supervisors can launch public-private talent pipelines, partnering with universities and global tech firms to offer specialized certifications and internships focused specifically on supervisory technology. Investing in automated SupTech tools reduces the reliance on large teams of experts by using AI to perform the heavy lifting of routine vulnerability scanning and log analysis.

1. Supervisors can use a risk-based approach, allowing innovation through sandboxes, pilot programs, and proportional regulation, while requiring minimum cybersecurity standards, regular audits, incident reporting, data protection controls, and strong governance from all DFSPs. Disclosure of the activities and interactions to regulators, compliant acceptance mechanisms.
2.Cross-border cyber risks can be reduced when supervisors share threat intelligence, attack patterns, regulatory practices, and incident alerts through regional platforms. This improves early warning, coordinated response, and consistency in handling risks that affect multiple jurisdictions.
3.Supervisors can invest in staff training, partner with universities and international bodies, use shared regional expertise, issue practical guidance for the market, and outsource highly technical assessments where necessary while building internal capacity over time.

1. Supervisors can balance promotion and protection by implementing tiered regulatory sandboxes that allow innovation to flourish under controlled monitoring while simultaneously enforcing risk-based cybersecurity frameworks tailored to a provider's scale. This approach encourages digital growth without compromising systemic stability, as it requires Digital Financial Services Providers (DFSPs) to demonstrate security resilience as they scale their operations.

2. Regional cooperation facilitates the creation of shared threat intelligence platforms, enabling countries to exchange real-time data on cross-border cyberattacks and common vulnerabilities. By harmonizing regulatory standards and incident response protocols across a region, supervisors can prevent "regulatory arbitrage" and build a collective defense that is much stronger than any single nation's individual efforts.

3. To address the expertise shortage, supervisors can establish public-private partnerships with academic institutions and tech firms to create specialized certification programs and internships focused on financial cybersecurity. Additionally, investing in automated supervisory technology (SupTech) can help bridge the gap by performing complex security audits that would otherwise require a large team of specialized human experts.

Supervisors can promote digital innovation by having flexible data protection frameworks that create quality standards of data protection from cyber-attacks and mitigating cyber security risks and continuous support on affordable cyber security support systems and timely information on threats and risk-based measures to overcome the threats and regulatory sandboxes to support supervisors understand.

Regional cooperation and information sharing platforms for supervisors help mitigate cyber risks such as cyber-crime syndicates through interconnected digital systems by different vendors or third-party services providers through sharing cyber-threat intelligence from cross-border supervisors or regulators to detect similar or emerging risks and apply proportionate risk-based approaches to mitigate the risks.

Supervisors can partner with sister regulators or supervisors of developed countries to train and support their supervisory team improve cyber security knowledge and recruit a cyber security expertise to train and work together with the existing supervisors to address the emerging risks and develop a continuous onboarding program of cyber security experts.

1. Supervisors balance this by integrating data and cyber protection directly into prudential regulatory and supervisory frameworks, linking compliance to risk management and licensing conditions for DFSPs, while mandating independent audits of cybersecurity controls.
2. Regional cooperation and information-sharing platforms help by enabling supervisors to spearhead cross-border supervisory colleges or regional cyber information-sharing forums. These exchange threat intelligence, coordinate responses to transnational attacks, and support shared cyber threat intelligence platforms and regional data protection frameworks that ensure consistent minimum standards for cyber resilience.
3. Supervisors should prioritize capacity building for staff on cyber risk supervision through partnerships with regional training centers or international bodies (BIS, IMF, ITU) and promote certification Programmes for cybersecurity professionals to reduce the local talent gap.

1.Balancing digital innovation with strong cybersecurity standards
Supervisors can strike this balance by allowing innovation but embedding security as a core requirement rather than an afterthought.Integrate cybersecurity into regulation and licensing, Make data protection and cyber risk management part of prudential frameworks and licensing conditions for DFSPs
for Data and Cyber Security Related Risks. Adopt risk-based supervision. Allow innovation while ensuring providers manage risks like third-party exposure and data breaches, Mandate minimum security standards End-to-end encryption, Multi-factor authentication. Continuous monitoring of data access, Data and Cyber Security Related Risks. Require independent audits and testing
Cybersecurity audits, Stress testing and simulation exercises,Ensure incident reporting frameworks Clear timelines and thresholds improve sector-wide awareness and response.
2.Role of regional cooperation and information-sharing
Cyber risks often cross borders, so collaboration is essential: Cross-border supervisory cooperation, Establish supervisory colleges to coordinate oversight of regional DFSPs, Align regulatory expectations across countries
Cyber threat intelligence sharing. Regional platforms help share: Emerging threats, Attack patterns, Vulnerabilities. This improves early warning systems
Coordinated incident response. Joint responses to large-scale or cross-border cyberattacks reduce systemic impact. Harmonized standards like regional data protection frameworks create consistent cybersecurity expectations, Public–private collaboration, Shared platforms between regulators and industry improve resilience and reduce fragmentation.
3. Addressing the shortage of cybersecurity expertise,Supervisors in developing markets can take several practical steps: Capacity building for supervisory staff, Invest in training on cyber risk supervision, Focus on evolving threats and technologies, Partnerships with international organizations
Collaborate with institutions like: BIS, IMF, ITU. Data and Cyber Security Related Risks, Regional training centers,Share expertise and resources across countries, Promote certification programs,Encourage development of local cybersecurity professionals, Leverage public private partnerships
Industry can help provide: Technical expertise, Training programs, Threat intelligence, Use shared services and platforms, Smaller markets can access affordable cybersecurity support through pooled resources.