Cambodia Issues New Technology and Cyber Risk Management Guidelines for Banks and Financial Institutions
Key Takeaway: The National Bank of Cambodia's Technology and Cyber Risk Management Guidelines (TCRMG) set a broad, assessable baseline of mandatory expectations for banks and financial institutions (BFIs), spanning governance, cybersecurity operations, resilience, outsourcing, cloud adoption, and customer data protection. The Guidelines supersede the 2019 technology risk guidance and push BFIs toward measurable cyber maturity, including annual penetration testing of critical systems, red-team exercises at least every two years, and early planning for post-quantum security readiness.
Introduction
The TCRMG is positioned as a principles and best-practices framework to help banks and financial institutions strengthen technology and cyber risk management, replacing the earlier Technology Risk Management Guidelines issued in 2019.
A key feature is that "compliance requirements" are explicitly defined as items that will be assessed for compliance under the Guidelines, signaling supervisory and audit relevance rather than optional guidance.
I. Governance, Accountability, and Operating Model
The Guidelines strongly anchor technology and cyber risk in corporate governance. Boards and senior management are expected to establish sound governance and ensure appropriate oversight structures and responsibilities for technology and cyber risks.
Operationally, BFIs are expected to maintain a documented IT organization structure with clearly defined roles and responsibilities, and to appoint leadership roles such as a CIO and a CISO (or their equivalents), scaled to the institution's size and complexity.
II. Baseline Policies and Control Expectations
Several policy layers are treated as core foundations:
- Information security policy and standards: BFIs should establish information security policies and review them at least annually.
- Remote access controls: A mandatory remote access policy and procedures, including management approval for each access grant, VPN requirements, logging of remote sessions, session timeouts, and two-factor authentication for all remote access.
- Data security controls: Data classification and lifecycle protection, encryption (at rest and in transit), secure disposal, and techniques like masking or tokenization where appropriate.
III. Technology Risk Management and Resilience
A. Technology Risk Management Framework and Asset Discipline
BFIs are expected to implement a structured Technology Risk Management Framework (TRMF), including risk monitoring and board reporting, and to maintain comprehensive information asset inventories (hardware, software, and data).
B. Data Center Resiliency and Location-Related Approvals
The Guidelines contain clear resiliency and governance expectations for hosting:
- BFIs must maintain at least one primary data center in Cambodia.
- A secondary or disaster recovery data center is expected, with sufficient geographic separation.
- Establishing a data center outside Cambodia requires prior approval; an offshore site may serve only as a secondary site, must be supported by a risk assessment, and must be covered by an exit strategy for bringing operations back to Cambodia if needed.
IV. Cybersecurity Management and Testing Maturity
A. Cyber Risk Framework and Operational Capability
BFIs are expected to embed cybersecurity into risk management and day-to-day operations, including establishing a cybersecurity operations function and, for larger or more complex BFIs, a Security Operations Center (SOC) for continuous monitoring.
Threat intelligence is emphasized, including subscribing to reputable threat intelligence services and sharing cyber threat information with the regulator.
B. Incident Management
BFIs are required to establish and maintain incident response arrangements (including testing at least annually) and report cyber incidents to the regulator in compliance with relevant requirements.
C. Cyber Testing and Forward-Looking Security
The Guidelines set notable maturity expectations:
- Penetration testing: at least annually for critical systems.
- Red team: adversarial simulation exercises at least every two years.
- Post-quantum readiness: develop governance, training, and a migration roadmap, and ensure board and senior management are regularly briefed on risks and uses of quantum computing.
V. Digital Services, SWIFT, and Emerging Technology Controls
A. Digital Services Baseline
Digital services must be risk assessed prior to launch and periodically thereafter, with risk management controls aligned to the specific service type (internet banking, mobile banking, e-wallets, and others).
B. SWIFT Controls
BFIs must assess against the latest SWIFT Customer Security Controls Framework (CSCF), ensure compliance with mandatory requirements, and rotate the CSCF assessor at least once every three years.
C. Enabling Technologies and Approvals
The Guidelines recognize rapid fintech change and require controls and governance for enabling technologies. For critical systems and critical business functions, BFIs must seek regulatory approval when implementing enabling technologies.
Cloud computing receives detailed treatment, including integration with the TRMF and the cyber risk management framework (CRMF), location risk studies, cloud service provider (CSP) due diligence, a clear allocation of responsibilities under the shared responsibility model, and a defined cloud exit strategy.
VI. Outsourcing, Business Continuity, and Customer Data Protection
A. Outsourcing and Third-Party Risk
BFIs must adopt a board-approved outsourcing policy and conduct due diligence and ongoing monitoring of service providers.
B. Business Continuity Management
BFIs must conduct BCM exercises and tests, document issues and action plans, and review BCP, DRP, and IEMP at least annually or upon significant change.
C. Customer Personal Data Protection
The Guidelines introduce a comprehensive privacy program expectation:
- Establish privacy policy and procedures.
- Enable individual rights (access, rectification, deletion, restriction, transfer).
- Conduct a data protection impact assessment (DPIA) or privacy impact assessment (PIA) at least every three years, or following a critical data incident.
- Incorporate privacy-by-design and data minimization.
Cross-border data hosting is explicitly controlled: BFIs must assess geographic risk and obtain prior approval from the regulator before customer personal data is migrated or hosted outside Cambodia.
Practical Implications for BFIs
- Treat "compliance requirements" as examinable controls and map them to internal policies, standards, and evidence artifacts.
- Run a structured gap analysis and create a time-bound remediation roadmap, aligned to size and complexity.
- Plan early for location and approval constraints (data center outside Cambodia, customer data hosting outside Cambodia, enabling technologies for critical systems).
- Upgrade testing and resilience cadence to meet explicit expectations (annual penetration testing, red team every two years, annually tested incident response, annual BCM reviews and tests).
- Strengthen independent assurance through a board-approved IT audit charter and a risk-based annual IT audit plan.
This regulatory update is provided for general information purposes only and should not be construed as legal or professional advice on any particular matter, nor does it create a Privacy Iuris-client relationship. Before you take any action that may have legal implications, please inquire with your contact at Privacy Iuris.