CBK Cyber Operational & Resilience Framework (CORF) Audit Service
The Central Bank of Kuwait (CBK) issued an updated cybersecurity framework for local banks and financial institutions on 3 December 2025 titled the Cyber and Operational Resilience Framework (CORF). The update raises the level of controls over financial institutions’ IT environments in order to protect them from business interruptions arising from internal and external threats.

What is the importance and business value of the Cyber and Operational Resilience Framework (CORF)?

The Cyber and Operational Resilience Framework (CORF) issued by the CBK is a mandatory regulatory framework that strengthens cyber resilience, operational resilience, and third-party risk management for local banks and financial institutions. CORF enables regulated entities to protect critical IT environments, prevent business disruptions, ensure regulatory compliance, and demonstrate resilience through baseline self-assessments, Statement of Applicability (SoA), and independent audits.

What are the core components of the Cyber and Operational Resilience Framework (CORF)?

The Cyber and Operational Resilience Framework (CORF) is built on three strategic baselines: Cyber Resilience, Operational Resilience, and Third-Party Risk Management. The framework is structured across 27 domains, 93 sub-domains, 200 control areas, and 876 controls, forming a comprehensive regulatory resilience architecture for CBK-regulated entities to manage cyber risk, operational disruption, and third-party exposure.

Who does CORF apply to?

CORF applies to all CBK-regulated entities, including:

  • Kuwaiti banks
  • Foreign banks operating in Kuwait
  • Finance companies
  • Exchange companies
  • E-payment of funds companies
  • Credit information companies
  • Open banking service providers

Are any exemptions permitted under CORF, and how can a control be marked as not applicable?

CORF does not provide automatic exemptions for any category of CBK-regulated entities. Any control may only be marked as Not Applicable or Exempted if it is supported by a documented justification, approved by senior management, and formally submitted to CBK for review and approval. A control shall remain applicable unless explicit regulatory approval is obtained from the CBK.

What does CORF require financial institutions to do?

Regulated entities are required to implement Cyber Resilience, Operational Resilience, and Third-Party Risk Management baselines, perform inherent risk profiling, maintain a Statement of Applicability (SoA), conduct baseline self-assessments, undergo independent regulatory assessments, and submit regulatory deliverables to CBK in line with CORF requirements.

Why is a CORF audit required?

CBK requires regulated entities to engage an independent CBK-approved third-party firm to assess compliance with CORF requirements and validate the effectiveness of implemented cyber and operational resilience controls.

What is the frequency of the CORF audit by an independent CBK-approved audit firm?

CBK requires regulated entities to undergo an independent CORF audit by a CBK-approved third-party audit firm on an annual basis, aligned with supervisory tiering and inherent risk profiling. The audit validates baseline self-assessments, control effectiveness, maturity scoring, and regulatory submissions, including the Statement of Applicability (SoA).

Baker Tilly is registered with the Central Bank of Kuwait to provide this service.

How often is a CORF assessment conducted by CBK?

CBK conducts supervisory CORF assessments through its assessment teams based on tiering-based supervisory oversight and inherent risk profiling as follows:

  • High Impact (Tier I) – Annual CBK supervisory inspection
  • Medium Impact (Tier II) – CBK inspection every 18 months
  • Low Impact (Tier III) – CBK inspection every 2 years

These assessments are performed directly by CBK supervisory and assessment teams and are separate from the mandatory independent CORF audit conducted annually by a CBK-approved audit firm.

What is Baker Tilly’s CORF audit methodology and approach?

Baker Tilly’s CORF audit methodology is aligned with CBK supervisory expectations and international audit standards. Our approach includes governance and risk review, control design assessment, operating effectiveness testing, evidence-based validation, maturity scoring, and regulatory reporting.

What are the CORF audit services provided by Baker Tilly?

Baker Tilly provides independent CORF audit and assurance services covering:

  • Cyber resilience baseline assessment
  • Operational resilience baseline assessment
  • Third-party risk baseline assessment
  • Control design and operating effectiveness testing
  • Maturity assessment and benchmarking
  • Regulatory reporting and supervisory submissions

Why Baker Tilly Kuwait?

  • CBK-approved cyber and operational resilience audit firm
  • Deep experience supporting CBK-regulated entities
  • Proven regulatory audit and remediation expertise
  • Global cybersecurity and resilience methodologies
  • Strong understanding of CBK supervisory expectations