CNBS Cybersecurity Compliance Honduras

Practical guide to Resolution GRD No.793/2022 for supervised banks, insurers and cooperatives in Honduras — required controls, timelines and how GLADiiUM helps you comply

Resolution GRD No.793 of December 16, 2022 from the Comisión Nacional de Bancos y Seguros (CNBS) updated the Standards for the Management of Information Technology, Cybersecurity and Business Continuity, establishing concrete and verifiable obligations for all supervised institutions in Honduras. This is the most important cybersecurity regulatory framework for the Honduran financial sector, and non-compliance exposes institutions to sanctions, fines and license revocation.

Despite its critical importance, Resolution 793/2022 is one of the least understood regulatory documents in the Honduran financial ecosystem. Most IT and compliance executives at banks and cooperatives know the regulation exists but struggle to map its requirements to concrete, implementable technical controls. This guide is designed to solve exactly that problem.

GLADiiUM Technology Partners has spent over 20 years working with the Honduran financial sector. We know Resolution 793/2022 from the inside — not just as a regulatory document, but as a set of controls we have implemented and documented in institutions supervised by the CNBS.

What Is CNBS Resolution GRD 793/2022?

Resolution GRD No.793/16-12-2022 updated the Standards for the Management of Information Technology, Cybersecurity and Business Continuity imposed by the CNBS on supervised institutions. These standards replace and consolidate earlier regulations, establishing a comprehensive framework covering four main domains:

  • IT Governance — Organizational structure, roles, responsibilities and information security policies at board and senior management level.
  • Technology Risk Management — Identification, assessment, treatment and monitoring of cyber risks specific to the Honduran financial environment.
  • Operational Cybersecurity — Technical controls to protect infrastructure: continuous monitoring, access management, encryption, vulnerability management and incident response.
  • Business Continuity — Documented, tested and updated plans to maintain operations during security incidents, natural disasters or critical infrastructure failures.

The 8 Critical Controls of Resolution 793/2022

1. Continuous Security Monitoring

The regulation requires continuous surveillance of all systems accessing sensitive financial information. GLADiiUM provides 24/7 SIEM with alerts validated by analysts from our NSOC in Honduras.

2. Identity and Access Management

Granular control of who accesses which systems, with mandatory multi-factor authentication (MFA) for critical systems, privileged accounts and remote access.

3. Security Incident Management

Documented procedures for detecting, containing, eradicating and recovering from incidents, with measurable response times and CNBS reporting within defined deadlines.

4. Vulnerability Management

Periodic vulnerability scans with remediation evidence, annual penetration testing and patch lifecycle management across all critical systems.

5. Financial Data Protection

Encryption of data in transit and at rest, information classification, DLP controls to prevent exfiltration and monitoring of access to sensitive client data.

6. Cloud and Third-Party Security

Technology vendor risk assessment, minimum controls for cloud services and security requirements in contracts with third parties accessing financial data.

7. Business Continuity and DR

Documented continuity plan, tested at least annually, with recovery objectives (RTO/RPO) defined by system criticality and an explicit cybersecurity component.

8. Audit and Documentary Evidence

Audit log records with defined retention, documented incident reports and evidence demonstrating control effectiveness to CNBS inspectors.

Which Institutions Must Comply?

The Resolution applies to all entities supervised by the CNBS, including:

  • Commercial banks — domestic and foreign with operations in Honduras
  • Insurance and reinsurance institutions
  • Supervised savings and credit cooperatives
  • Exchange houses and remittance companies
  • General deposit warehouses
  • Credit card issuing companies
  • Electronic money providers (INDEL)
  • Finance companies and private development organizations under CNBS supervision

If your institution is supervised by the CNBS and you do not have a formal cybersecurity program aligned to Resolution 793/2022, you are at regulatory risk. GLADiiUM can perform a gap assessment in 2 weeks to determine exactly where you stand and what you need.

Consequences of Non-Compliance

The CNBS has legal authority to apply corrective measures and sanctions to supervised institutions that fail to meet the cybersecurity requirements of Resolution 793/2022. Potential consequences include:

  • Formal observations and requirements with remediation deadlines
  • Supervised improvement plans with periodic CNBS reporting
  • Administrative fines escalating with repeated non-compliance
  • Operational restrictions on specific products or services
  • Administrative intervention in cases of systemic risk

Beyond regulatory risk, non-compliance directly exposes institutions to operational risk: without the controls in Resolution 793/2022, a supervised institution in Honduras is significantly more vulnerable to ransomware, financial fraud, customer data theft and attacks on core banking infrastructure.


How GLADiiUM Implements CNBS 793/2022 Compliance

GLADiiUM offers a structured four-phase implementation program that takes a supervised institution from its current state to demonstrable compliance before the CNBS:

Phase 1 — Gap Assessment (2 weeks)

Complete evaluation of current state versus Resolution 793/2022 requirements. Deliverable: gap map with regulatory priority, operational risk and estimated remediation effort.

Phase 2 — Technical Controls Implementation (4 to 12 weeks)

Deployment of SIEM, EDR, MFA, vulnerability management and access controls based on identified gaps. Configuration of specific alerts for financial fraud detection and core banking threat monitoring.

Phase 3 — Documentation and Policies (2 to 4 weeks)

Development of policies, procedures and plans required by the regulation: Incident Response Plan, Business Continuity Plan, Vulnerability Management Policy, Information Classification and Access Control Policy.

Phase 4 — Continuous Monitoring and Evidence (ongoing)

SOC as a Service automatically generating the audit evidence CNBS inspectors require: logs, incident reports, monitoring metrics, continuity test results and executive security posture dashboards.

Frequently Asked Questions — CNBS Resolution 793/2022

When did CNBS Resolution GRD 793/2022 come into effect?

Resolution GRD No.793 was issued on December 16, 2022 and came into effect on the same date. Supervised institutions had differentiated timelines to implement controls based on complexity, but as of today all implementation deadlines have passed. Institutions that do not have the controls implemented and documented are in active non-compliance and subject to CNBS observations and sanctions.

What is the difference between Resolution 793/2022 and the ISO 27001 standard?

ISO 27001 is a voluntary international information security management standard applicable to any type of organization. CNBS Resolution 793/2022 is a mandatory regulatory standard specific to supervised financial institutions in Honduras. Although they share many principles, Resolution 793/2022 has requirements specific to the Honduran context and the consequences of non-compliance are regulatory — CNBS fines and sanctions — unlike ISO 27001 where non-compliance only results in loss of the voluntary certification. GLADiiUM can help achieve both frameworks simultaneously.

Does Resolution 793/2022 apply to savings and credit cooperatives?

Yes. Savings and credit cooperatives under CNBS supervision are subject to Resolution 793/2022. This includes cooperatives that, due to their size or deposit-taking activities, have been classified as supervised institutions. GLADiiUM has specific experience working with cooperatives in Honduras and can clarify the applicable scope for your institution.

What documents must a supervised institution have for a CNBS inspection?

In a CNBS cybersecurity inspection, inspectors typically request: information security policy approved by the board of directors, incident response plan with documented incident history, vulnerability scan results with remediation evidence, security monitoring logs with minimum retention per the regulation, business continuity plan with evidence of completed tests, access records for critical systems, and technology vendor contracts including security clauses. GLADiiUM automatically generates most of this documentation as part of the SOC as a Service.

How long does it take to implement CNBS 793/2022 compliance from scratch?

For an institution starting from a low cybersecurity maturity level, the complete implementation program typically requires 3 to 6 months depending on institution size, infrastructure complexity and internal team availability. GLADiiUM can accelerate this because we already have the technical controls, policy templates and experience from previous implementations in the Honduran financial sector. The initial 2-week gap assessment determines the exact starting point and a realistic timeline.

Assess Your Institution's CNBS 793/2022 Compliance

GLADiiUM performs a free 2-week gap assessment mapping your institution's current state against Resolution 793/2022 requirements, identifying the highest regulatory-risk gaps and presenting a prioritized remediation plan — at no cost or commitment.