Cybersecurity Audit


The rapid adoption of information technology in the business world has been accompanied by a rise in cyber threats and cybercrime, which now pose a significant risk to business continuity. Business entities therefore need to audit their cybersecurity environment periodically to confirm that adequate cybersecurity controls are in place and operating as intended.

In this context, the Central Bank of Kuwait (CBK) issued the Cybersecurity Framework (CSF) for the Kuwaiti banking sector and financial institutions in February 2020. The Framework establishes an integrated set of requirements intended to improve the cyber resilience of regulated entities.

What Does Cybersecurity Mean in the Enterprise?

Information Systems Audit and Control Association (ISACA) defines cybersecurity as “the protection of information assets by addressing threats to information processed, stored and transported by internetworked information systems.”

What is A Cybersecurity Audit?

A cybersecurity audit examines the security controls an entity has implemented and assesses whether they adequately protect the confidentiality, integrity, and availability of its information.

Why Do Organizations Need to Perform a Cybersecurity Audit?

Cybersecurity audits are conducted to confirm that data is protected and that the IT environment does not expose the business to continuity risks. Beyond safeguarding data, there is also a regulatory mandate. The Central Bank of Kuwait (CBK) requires all Kuwaiti banks, financial institutions, and foreign bank branches authorized by the CBK to engage an independent third-party firm to audit their cybersecurity controls and to express assurance on their compliance with the Framework.

What Criteria of Qualifications Should an Independent Third-party Cybersecurity Auditor Possess?

The independent third-party auditor shall meet the following criteria:

  1. The firm selected to conduct the audit must be approved by the Central Bank of Kuwait.
  2. The firm must have a qualified and experienced team in the field of cybersecurity auditing.

It is worth mentioning that Baker Tilly is a registered firm with the Central Bank of Kuwait for providing this service.

What Is the Permitted Term of Engagement of The Independent Third-party Auditor to Provide Cybersecurity Audit Services to Local Banks?

Under the Cybersecurity Framework for the Kuwaiti Banking Sector issued by the Central Bank of Kuwait, an independent third-party auditor may provide cybersecurity audit services to the same bank for a term of two years.

How Often Does a Company Regulated By The CBK Have to Perform a Cybersecurity Audit?

The cybersecurity audit report must be submitted to the Central Bank of Kuwait annually, towards the end of each year. The CBK communicates the submission deadline to the entities it regulates, and they are expected to meet it.

In addition, the cybersecurity audit report must be presented to the board quarterly, so that findings and recommendations are discussed and their remediation is tracked, in order to maintain compliance with the Cybersecurity Framework.

Who is Responsible for Conducting the Baseline Maturity Assessment?

Regulated entities must complete the Baseline Self-Assessment template themselves, using it to assess the baseline maturity of the controls they have implemented against the Strategic Cybersecurity Framework for the Kuwaiti Banking Sector developed by the Central Bank of Kuwait.

What Are the Cybersecurity Audit Services Offered By Baker Tilly Kuwait?

Baker Tilly provides a set of cybersecurity audit services, including the following:

  • Secure software lifecycle management
  • Security considerations for emerging technologies
  • Mobile banking security
  • Customer self-service machines
  • Contactless technology
  • Access control management
  • Cryptography
  • Change and release management
  • Capacity management
  • Data privacy and security
  • Email security
  • Portable device security
  • Reputation protection
  • Logging, monitoring, and security incident management
  • Vulnerability management
  • Human Resource Security
  • Security awareness and training
  • Physical and environmental security
  • Business continuity and Disaster recovery (BC and DR)
  • Cyber threat intelligence management

Why Baker Tilly Kuwait?

Baker Tilly is distinguished by its specialist professional experience and offers its clients the following added value:

  • Global consulting firm operating in the State of Kuwait.
  • Laboratories equipped with current tools for vulnerability assessment and testing of exposure to cyberattacks.
  • Up-to-date tooling that enables the cybersecurity audit of any technology environment a client adopts.
  • An up-to-date knowledge base of new cyberattack methods and the controls that prevent them.
  • Local experience under a global network comprising more than 250 cybersecurity experts.
