Compliance deadline: December 31, 2026

BB Cyber Security Framework Compliance, Delivered.

The Bangladesh Bank Cyber Security Framework v1.0 (2026) mandates a 7-pillar cybersecurity architecture for all banks, NBFIs, MFSPs, and PSOs. 89% of banks are NOT AI-ready. KaritKarma provides the complete compliance stack: Wenme (MFA), Darwan (access control), Aegis (SIEM/AI), and BitsPath (incident reporting).

7 security pillars
89% of banks NOT AI-ready
72hr incident reporting
7/7 pillars covered
What is it

Bangladesh Bank Cyber Security Framework v1.0 (2026)

The BB Cyber Security Framework (CSF) v1.0 is a comprehensive regulatory mandate from Bangladesh Bank requiring all financial institutions to implement a structured cybersecurity architecture built on seven pillars. It supersedes the earlier ICT Security Guideline v4.0 with expanded requirements covering AI-readiness, mandatory incident reporting timelines, and supply chain security.

The framework addresses a critical gap: while Bangladesh's financial sector has grown rapidly with digital banking, mobile financial services, and fintech integration, cybersecurity maturity has not kept pace. Industry assessments indicate that 89% of banks lack AI-powered threat detection capabilities, rely on rule-based systems with limited coverage, and cannot meet the 72-hour incident reporting requirement without automated detection and notification infrastructure.

The CSF aligns with international frameworks (NIST CSF, ISO 27001) while incorporating Bangladesh-specific requirements such as data localization, Bangla-language reporting, and integration with Bangladesh Bank's supervisory technology infrastructure.

Framework: BB CSF v1.0, 2026
Issuing Authority: Bangladesh Bank (ICT Division)
Compliance Deadline: December 31, 2026
The AI readiness gap

89% of banks are NOT AI-ready for cybersecurity.

The BB Cyber Security Framework mandates AI/ML-powered threat detection (Pillar 5). Most banks still rely on rule-based systems with limited detection coverage. Aegis closes this gap immediately.

Rule-based systems miss 60%+ of novel attack patterns
No ML models trained on Bangladesh-specific fraud data
Average detection time: 7+ days (requirement: real-time)
Manual incident reporting (requirement: 72-hour automated)

Aegis: AI-ready on day one

3-layer AI cascade: rule engine, machine learning, and deep learning. 80+ Bangladesh-specific detection rules. Sub-50ms scoring. 0.9955 ROC-AUC accuracy. Trained on Bangladesh banking fraud patterns. Deploy in days.

0.9955 ROC-AUC
<50ms scoring
80+ detection rules
373 automated tests
7-pillar framework

Every pillar. Mapped to a working product.

The BB Cyber Security Framework v1.0 defines seven pillars of cybersecurity. Each maps directly to a KaritKarma product or service.

Pillar 1: Governance & Risk Management

Board-level cybersecurity oversight, risk assessment frameworks, and security policies aligned with international standards.

LoneSock Consultancy

15+ years advisory. Gap assessment, policy development, board reporting frameworks.

Pillar 2: Identity & Access Management

MFA mandatory for all access. Role-based access control. Privileged access management with hardware keys.

Wenme + Darwan

OAuth 2.1 + PKCE, WebAuthn/FIDO2, 42-endpoint RBAC with SoD.

Pillar 3: Network & Endpoint Security

Network segmentation, encrypted communications, endpoint detection and response, VPN for partner access.

Infrastructure

Tier-3 DC, IPSec/WireGuard VPN, per-partner segmentation, APNIC AS 64005.

Pillar 4: Application Security

Secure development lifecycle, code review, vulnerability scanning, and penetration testing for all customer-facing applications.

LoneSock Consultancy

SAST/DAST integration, secure code review, annual pen testing.

Pillar 5: Security Monitoring & SIEM

Real-time log aggregation, AI/ML threat detection, anomaly detection, automated alerting. 90-day log retention.

Aegis

3-layer AI cascade. 80+ rules. Sub-50ms scoring. 0.9955 ROC-AUC. Bangladesh-specific.

Pillar 6: Incident Response & Reporting

72-hour incident reporting to Bangladesh Bank. Automated detection, containment, and multi-channel notification.

Aegis + BitsPath

Automated detection + Email/SMS/WhatsApp notification via BitsPath CPaaS.

Pillar 7: Third-Party & Supply Chain Risk

Partner risk classification, vendor security assessment, supply chain monitoring, and contractual security requirements.

Darwan + LoneSock

ABAC policies for partner classification. Vendor risk assessment frameworks.

Implementation roadmap

How to achieve BB CSF compliance

Seven steps from assessment to certification. Each step maps directly to the 7-pillar framework.

Step 01: Conduct cybersecurity maturity assessment

Evaluate current security posture against the 7-pillar framework. Identify gaps in governance, IAM, network security, application security, SIEM, incident response, and third-party risk management. Map existing controls to CSF requirements.

Step 02: Deploy identity and access management with Wenme + Darwan

Implement Wenme as the centralized identity provider with mandatory MFA, OAuth 2.1 + PKCE, and WebAuthn/FIDO2 for privileged access (Pillar 2). Connect Darwan for RBAC, separation of duties, and comprehensive audit trails. Deployment takes days, not months.

Step 03: Establish SIEM and AI threat detection with Aegis

Deploy Aegis for real-time security monitoring and threat detection (Pillar 5). The 3-layer AI cascade (rule engine + ML + deep learning) with 80+ Bangladesh-specific detection rules provides automated threat identification. Sub-50ms scoring ensures real-time protection.

Step 04: Configure incident response and 72-hour reporting

Set up automated incident detection via Aegis with multi-channel notification through BitsPath (Email, SMS, WhatsApp) to meet the 72-hour reporting requirement (Pillar 6). Configure escalation workflows and Bangladesh Bank reporting templates.

Step 05: Implement network security and partner segmentation

Establish encrypted VPN tunnels (IPSec/WireGuard) for all partner connections (Pillar 3). Configure per-partner network segmentation, certificate-based mutual authentication, and real-time session monitoring on KaritKarma Tier-3 infrastructure.

Step 06: Address governance and third-party risk

Develop board-level cybersecurity reporting frameworks (Pillar 1). Implement third-party risk classification and vendor security assessment processes using Darwan ABAC policies (Pillar 7). LoneSock Consultancy provides advisory support.

Step 07: Validate and submit compliance documentation

Run end-to-end compliance validation: penetration testing, vulnerability assessment, IAM verification, SIEM effectiveness testing, and incident response drills. Generate compliance documentation mapping each CSF pillar to your implementation. Submit before December 31, 2026.

Frequently asked questions

BB Cyber Security Framework compliance questions

What is the Bangladesh Bank Cyber Security Framework v1.0?
The Bangladesh Bank Cyber Security Framework v1.0 (BB CSF 2026) is a comprehensive regulatory framework requiring all banks, non-bank financial institutions, mobile financial service providers, and payment system operators in Bangladesh to implement a 7-pillar cybersecurity architecture. The seven pillars are: (1) Governance and risk management; (2) Identity and access management with mandatory MFA; (3) Network and endpoint security; (4) Application security and secure development; (5) Security monitoring and SIEM; (6) Incident response with 72-hour reporting; (7) Third-party and supply chain risk management. Compliance is mandatory by December 31, 2026.
What are the MFA requirements under BB Cyber Security Framework?
The BB Cyber Security Framework mandates multi-factor authentication (MFA) for all privileged access, customer-facing systems, and inter-system connections. Requirements include: OAuth 2.1 with PKCE for authorization flows; WebAuthn/FIDO2 or hardware security keys for privileged administrators; at minimum TOTP-based MFA for all users; session management with configurable timeouts; and centralized identity provider integration. Wenme by KaritKarma meets all these requirements natively as a 100% passwordless OAuth 2.1 identity platform.
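Pillar 2 and the answer above require OAuth 2.1 with PKCE for authorization flows. The following is an added example, not Wenme's or KaritKarma's code, showing what a PKCE-protected authorization-code exchange looks like from the authorization server's side and which checks an auditor should expect to find: S256-only challenges, verifier length bounds, constant-time comparison, single-use codes, and client binding. The `AuthorizationServer` class, the in-memory code store and the client id `mfa-portal` are assumptions made for illustration; the verifier/challenge pair is the test vector from RFC 7636 Appendix B.

```python
"""Added example (not KaritKarma/Wenme code): an OAuth 2.1 authorization-code
exchange protected by PKCE (RFC 7636), implemented as a hypothetical in-memory
authorization server so the server-side checks are visible."""
import base64
import hashlib
import secrets
from typing import Dict, Optional

# Known-answer pair from RFC 7636 Appendix B (verifier -> S256 challenge).
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(n_bytes: int = 32) -> str:
    """Client side: high-entropy code_verifier (32 random bytes -> 43 chars)."""
    return b64url(secrets.token_bytes(n_bytes))


def make_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Server side: accept only S256 (OAuth 2.1 drops 'plain'), enforce the
    43..128 character verifier length from RFC 7636, compare in constant time."""
    if method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return secrets.compare_digest(make_challenge(presented_verifier), stored_challenge)


class AuthorizationServer:
    """Hypothetical authorization server: binds the challenge and client_id to
    the issued code, and enforces verifier, client binding and single use at /token."""

    def __init__(self) -> None:
        self._codes: Dict[str, Dict[str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str, method: str) -> Optional[str]:
        # OAuth 2.1 makes PKCE mandatory: refuse requests that omit or weaken it.
        if method != "S256" or not code_challenge:
            return None
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = {"client_id": client_id, "challenge": code_challenge, "method": method}
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> Optional[Dict[str, str]]:
        rec = self._codes.pop(code, None)  # pop: a code is consumed on first use, success or not
        if rec is None or rec["client_id"] != client_id:
            return None
        if not verify_pkce(rec["challenge"], rec["method"], code_verifier):
            return None
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer"}


def run_flow(server: AuthorizationServer, client_id: str = "mfa-portal") -> Optional[Dict[str, str]]:
    """Happy path: client keeps the verifier, sends only the challenge, redeems the code."""
    verifier = make_verifier()
    code = server.authorize(client_id, make_challenge(verifier), "S256")
    return server.token(client_id, code, verifier)


def rejection_checks(server: AuthorizationServer, client_id: str = "mfa-portal") -> Dict[str, bool]:
    """Each value is True if a token was (wrongly) issued; all should be False."""
    results: Dict[str, bool] = {}
    verifier = make_verifier()
    code = server.authorize(client_id, make_challenge(verifier), "S256")
    # A code presented without the verifier that produced its challenge is refused.
    results["wrong_verifier"] = server.token(client_id, code, make_verifier()) is not None
    # The failed attempt consumed the code, so even the correct verifier fails now.
    results["replayed_code"] = server.token(client_id, code, verifier) is not None
    # The downgrade to 'plain' is refused at /authorize.
    results["plain_method"] = server.authorize(client_id, verifier, "plain") is not None
    # A code issued to one client_id cannot be redeemed by another.
    verifier2 = make_verifier()
    code2 = server.authorize(client_id, make_challenge(verifier2), "S256")
    results["wrong_client"] = server.token("other-app", code2, verifier2) is not None
    return results


if __name__ == "__main__":
    srv = AuthorizationServer()
    print("happy path issued token:", run_flow(srv) is not None)
    print("rejections (all False expected):", rejection_checks(srv))
```

When reviewing a vendor's identity provider against this requirement, the items to confirm are the ones the `token()` method enforces: the verifier is never sent on the front channel, `plain` is not accepted, a code cannot be redeemed twice, and a code is bound to the client that requested it.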
Do banks need a SIEM system under BB Cyber Security Framework?
Yes. Pillar 5 of the BB Cyber Security Framework explicitly requires Security Information and Event Management (SIEM) capabilities including: real-time log aggregation from all critical systems; automated threat detection with correlation rules; anomaly detection using AI/ML models; automated alerting for security events; 90-day log retention minimum; and integration with Bangladesh Bank's reporting infrastructure. Aegis by KaritKarma provides a 3-layer AI fraud cascade with 80+ rules, sub-50ms scoring, and 0.9955 ROC-AUC accuracy -- exceeding the framework's SIEM requirements.
What is the 72-hour incident reporting requirement?
Under Pillar 6 of the BB Cyber Security Framework, all financial institutions must report significant cybersecurity incidents to Bangladesh Bank within 72 hours of discovery. This includes data breaches, unauthorized access, system compromise, and fraud events exceeding threshold amounts. Reports must include: incident timeline, systems affected, data exposure assessment, containment actions taken, and remediation plan. BitsPath by KaritKarma provides automated incident detection and multi-channel notification (Email, SMS, WhatsApp) to meet this 72-hour reporting window.
How does the Cyber Security Framework relate to ICT Security v4.0?
The BB Cyber Security Framework v1.0 supersedes and extends the earlier ICT Security Guideline v4.0. While ICT Security v4.0 focused on technical controls (firewalls, antivirus, access management), the new CSF adds governance requirements, AI-readiness mandates, supply chain security, and mandatory incident reporting timelines. Institutions already compliant with ICT Security v4.0 will find approximately 40-50% of CSF requirements already met, but must address the governance, SIEM/AI, incident response, and third-party risk pillars as new requirements.
What percentage of banks are AI-ready for cyber security?
According to industry assessments, approximately 89% of banks in Bangladesh are NOT AI-ready for the cybersecurity requirements under the BB Cyber Security Framework. Most institutions lack: AI-powered threat detection (using rule-based systems with limited detection coverage); machine learning models trained on Bangladesh-specific fraud patterns; real-time anomaly detection capabilities; and automated incident correlation. Aegis by KaritKarma addresses this gap with a 3-layer AI cascade specifically trained on Bangladesh banking fraud patterns with 0.9955 ROC-AUC accuracy.
When is the BB Cyber Security Framework compliance deadline?
The compliance deadline for the Bangladesh Bank Cyber Security Framework v1.0 is December 31, 2026. All scheduled banks (61), non-bank financial institutions, mobile financial service providers (bKash, Nagad, Rocket), and payment system operators must have full compliance by this date. Bangladesh Bank is expected to begin compliance audits in Q1 2027.

December 31, 2026 is closer than you think.

89% of banks are not AI-ready. The 7-pillar framework requires capabilities most institutions do not have today. Start your cybersecurity maturity assessment now.