In response to rising cyber threats and growing digital dependency in banking, the Central Bank of Sri Lanka (CBSL) has introduced a new directive requiring all licensed banks to promptly report cybersecurity and IT-related incidents.
The move comes amid concerns about data breaches, insider threats, and system outages that could compromise customer information and disrupt banking operations. The CBSL aims to enhance operational resilience and protect public trust by ensuring timely and structured reporting of such risks.
This directive, an extension of the Banking Act Direction No. 16 of 2021, applies to both licensed commercial and specialised banks. It mandates the reporting of incidents such as digital fraud, supply chain attacks, regulatory breaches, critical system failures, and more.
Banks must follow a strict reporting schedule:
Immediate reporting within 2 hours of detecting an incident
Detailed reporting within 14 days
Quarterly reporting within 15 days after each quarter ends
The directive replaces the outdated 2016 circular on cybersecurity event reporting. Submissions are to be sent to the Director of the Bank Supervision Department via designated email formats shared by CBSL.
This proactive step reinforces CBSL’s commitment to cyber resilience, ensuring that Sri Lanka’s banking sector remains robust, secure, and transparent in a fast-evolving digital landscape.

