Press release on issuance of Circular No.

09/2020/TT-NHNN
Hanoi, October 21, 2020. The Governor of the State Bank of Vietnam (SBV) has issued Circular No.
09/2020/TT-NHNN as replacement of Circular No. 18/2018/TT-NHNN dated August 21, 2018 on the
operational safety of the information system in banking operations.
The Circular has been issued to update the new provisions of the Law on Cyber-Information Security
(LCIS) and its guiding documents, as well as to amend several requirements for security and
confidentiality in line with the rapid and diversified development of the information technology and the
situation of cyber-information security in the banking sector.
The new Circular is composed of 3 Chapters and 56 Articles with the following main substances:
- Chapter I - Scope of regulation; subjects of application; explanation of terms used in the Circular;
general principles for securing the information system and principles of information classification;
information systems classification in accordance with safety levels. Specifically, the Circular amends
Article 1 to include new subjects under the management or licensing authority of the State Bank of
Vietnam, such as people's credit funds, microfinance institutions, credit information service providers,
the National Payment Corporation of Vietnam (NAPAS), Vietnam Asset Management Company
(VAMC), the National Money Printing Factory, Deposit Insurance of Vietnam; and supplements Article
5 on the classification of information systems to be in consistency with the guidelines on classification
of information systems under Decree No. 85/2016/ND-CP dated July 1, 2016 of the Government
stipulating the assurance of information system security by different levels.
- Chapter II - Specific regulations on information technology asset management, human resources,
physical safety of the installation environment; the operations and exchanges of information;
accessibility; management and utilization of information technology services by third parties;
receiving, developing and maintaining the information systems; information security incident
management; ensuring continuous operations of the information systems; internal inspection and
reporting scheme. Specifically, several new regulations have been supplemented, such as: (i)
Applying multi-factor authentication at the final approval step when performing inter-bank electronic
money transfers in Article 20; (ii) Detailed logging of information security incidents in Article 26; (iii)
Administering the service account in Article 28; (iv) Limiting requirements on third-party contracts that
only apply to information systems of level 3 or higher and information systems that handle customers'
personal information in Article 35; (v) Annual drills/exercises of the Plan for handling with incidents to
ensure information security for at least one of the information systems of level 3 or higher in Article 46;
(vi) Detailed regulations for the operations of the entities that perform internal inspection and
compliance with the provisions of the Circular in Article 53.
- Chapter III - Enforcement: Regulating the responsibilities of the entities under the State Bank of
Vietnam; the effectiveness and the organization for implementation of the Circular among different
units and entities.
The new Circular shall take effect from January 1, 2021.
Translated by VA