On 17 June 2022, the Regulation on Cyber Security in Regulated Institutions (No. 50/2022) enters into force. The regulation applies to financial institutions supervised by the National Bank and establishes mandatory requirements for cybersecurity governance, risk management, and data protection. It mandates the implementation of governance frameworks involving Boards of Directors and Senior Management to oversee cybersecurity strategies and ensures the regular assessment of risks. The regulation requires institutions to adopt measures such as multi-factor authentication, encryption, and audit trail maintenance to protect sensitive data. It further obliges institutions to report cyber incidents to the supervisory authority within two hours and provide detailed reports within 24 hours. Provisions also include requirements for secure data retention, monitoring of alternative delivery channels, and evaluation of third-party service providers.