Circular 09: Guiding the response to information security incidents in banking operations in Vietnam

According to the Circular No. 09/2020/TT-NHNN of the State Bank of Vietnam, response to information security incidents is prescribed as follows:

1. The network for response to information security incidents in banking sector (hereinafter referred to as the “incident response network”) is comprised of:

- The steering committee established by the SBV’s Governor;

- The coordinating agency which is the Information Technology Authority (affiliated to SBV);

- Members of the incident response network, including: The Information Technology Authority (affiliated to SBV), credit institutions (departments in charge of information security) and voluntary members that are authorities and organizations voluntarily joining the incident response network.

2. The incident response network shall cooperate with human resources in banking sector and other sectors to efficiently respond to information security incidents and thus ensure the safe operations of banking system.

3. Principles for incident coordination and response

- The steering committee shall: (i) consider approving the network’s annual operation strategies and plans; (ii) manage the network’s operations (including incident response, drills, training and exercises in incident response); (iii) evaluate and submit annual report on the network’s performance to the SBV’s Governor;

- The organizations mentioned in Point c Clause 2 of this Article shall take responsibility to provide resources and perform tasks as a member of the network;

- When an incident occurs, the network’s members shall report it to the coordinating agency in accordance with the provisions in Clause 1 Article 54 hereof;

- In case of serious incidents that they cannot be handled, the network’s members shall send written request for support to the coordinating agency;

- Depending on each incident, the coordinating agency shall report it to the steering committee and request the network’s members or regulatory authorities to give support and response.

- Principles for managing and using information in incident coordination and response:

+ Any information exchanged or provided during the process of coordinating and responding to an incident shall be considered classified information;

+ Any act of use of information exchanged during the incident coordination and response which harms the prestige and/or image of the organization providing such information is prohibited.

View more details at the Circular No. 09/2020/TT-NHNN of the State Bank of Vietnam, effective from January 01, 2021.

Thuy Tram

>> CLICK HERE TO READ THIS ARTICLE IN VIETNAMESE