
EASTERN CARIBBEAN CENTRAL BANK ANNUAL REPORT 2018/2019

Develop a Holistic Internal Risk Management Framework

Internal Management

The Internal Audit Department (IAD) is an independent appraisal function established within the Bank to examine and evaluate its activities as a service to the organisation. The department reports functionally to the Bank’s Board Audit and Risk Committee and administratively to the Governor. The objectives of the department are to ensure:

• the achievement of organisational objectives;

• the integrity and reliability of information;

• compliance with established policies, procedures, laws and regulations; and

• the economical, efficient and effective use of resources.

The Bank outsourced and coordinated a comprehensive review of its Management Information Systems Department. The review included an assessment of the core functions of the department including:

Resourcing and Strategic alignment; Information Technology General Controls and Network Configuration; review of the security of the Bank’s main Applications and Vulnerability and Penetration Testing.

Cyber Security

Recognising that cyber security is a strategic enterprise risk that can impact well beyond information technology operations, the ECCB undertook the following activities to independently assess its technology resilience and overall cyber security posture. These activities have assisted in prioritising the Bank’s efforts to improve cyber resilience and provided a baseline for measuring progress.

• Cyber Maturity Assessment (CMA)

An independent service provider conducted a Cyber Maturity Assessment (CMA) of the Bank’s technology environment. The objective was to assess the Bank’s ability to protect and manage its sensitive information and assets, and to protect itself against cyber-attacks. The CMA included an assessment of the Bank’s current and planned enterprise security policies, procedures, and capabilities in multiple technology and security-related domains.

• SWIFT Customer Security Programme (CSP)

In fulfillment of a mandate by SWIFT to mitigate against the growing threat of cyber-attacks by implementing mandatory security controls and new services to help prevent and detect fraudulent activity, the Bank complied and successfully attested to the SWIFT Customer Security Programme before the 31 December 2018 deadline.

• Upgrade of Agency Office Network Infrastructure

As part of an ongoing security initiative, the Bank commenced work on an improved internet plan incorporating a revised network configuration inclusive of security features at the Agency Offices. This enhancement will increase productivity as well as improve the security posture of the Agency Offices.

ORGANISATIONAL EFFECTIVENESS