The Central Bank of Sri Lanka has issued new supervisory requirements for licensed commercial banks and licensed specialised banks to report specified information technology and cybersecurity incidents, aiming to support operational resilience amid increased reliance on digital infrastructure. The circular updates incident reporting expectations set under the Banking Act Direction No. 16 of 2021 on technology risk management and resilience, as amended. The requirements cover a minimum set of reportable incident types, including intrusion and hacking (such as malware, ransomware, phishing, DDoS and supply chain attacks), customer-impacting online and digital scams, unplanned critical system outages or performance failures, and regulatory non-compliances related to IT and cybersecurity. Banks must submit an immediate notification within two hours of detection, a detailed report within 14 days of detection, and a quarterly report within 15 days after the end of each quarter, using the templates specified in the annexes; the 25 January 2016 circular on “Reporting on Cybersecurity Events” is revoked with immediate effect.
Central Bank of Sri Lanka 2025-05-07
Central Bank of Sri Lanka mandates two-hour notification for banks’ IT and cybersecurity incidents and revokes 2016 reporting circular
The Central Bank of Sri Lanka has updated supervisory requirements for licensed commercial and specialised banks to report IT and cybersecurity incidents, enhancing operational resilience. The directive specifies reportable incidents, including intrusions, scams, outages, and regulatory non-compliances, with immediate and periodic reporting obligations. The 2016 circular on cybersecurity event reporting is revoked.