MARCH 2026 · 11 MIN READ

How to prepare for a BNR cybersecurity audit: the practical guide

If you have been through a BNR cybersecurity examination, you know the feeling: the notification lands, and suddenly every policy document, every test report, every board minute from the past year becomes urgent. If you have not been through one yet, this guide will tell you exactly what to expect so you can prepare properly rather than scrambling.

This is not a summary of what BNR requires. For that, see our guides on BNR cybersecurity requirements and BNR cybersecurity compliance in 2026. This article covers the audit itself: the process, the timeline, what inspectors actually do when they arrive, what evidence they ask for, where institutions consistently fall short, and how to avoid those failures.

How the BNR examination process works

BNR supervises financial institutions through a combination of off-site surveillance and on-site examinations. Cybersecurity is no longer a side topic during IT examinations. Under the Regulation on Cyber Resilience for the Financial Sector, cyber risk has become a standalone examination area with dedicated assessment criteria.

The process typically follows this sequence:

  1. Notification. BNR sends a formal notification to the institution, usually two to four weeks before the on-site visit. The notification specifies the examination scope and requests an initial set of documents.
  2. Document submission. The institution submits the requested documentation within the specified deadline, typically five to ten business days.
  3. Off-site review. The examination team reviews submitted documents, identifies areas requiring deeper investigation, and prepares their on-site examination plan.
  4. On-site examination. Inspectors arrive at the institution for a period of two to four weeks. They interview management and staff, review systems, inspect evidence, and test controls.
  5. Exit meeting. At the end of the on-site period, the examination team conducts an exit meeting with senior management to discuss preliminary findings.
  6. Draft report. BNR issues a draft examination report. The institution has an opportunity to respond to findings with factual corrections.
  7. Final report and remediation plan. The final report is issued with findings classified by severity. The institution must submit a remediation action plan with specific timelines.

Examination frequency: BNR determines examination frequency based on the institution’s risk profile, size, and previous examination results. Tier 1 commercial banks can expect examinations every one to two years. Smaller institutions may be examined less frequently, but the trend is toward more frequent and more rigorous cybersecurity assessments across all institution types.

What BNR inspectors actually look for

Understanding the difference between what the regulation says and what inspectors focus on during an examination is critical. Inspectors are experienced practitioners. They know how to distinguish between a compliance programme that exists on paper and one that is genuinely operational.

Board governance and oversight

Inspectors will request board minutes from the past twelve months and look for specific evidence:

  • Cybersecurity is a distinct agenda item, not buried under general IT updates.
  • The board received quantitative risk reporting: number of incidents, vulnerability statistics, penetration test results, progress on remediation.
  • Directors asked questions and made decisions based on the information presented. Rubber-stamped minutes with no discussion are a red flag.
  • The board approved the cybersecurity policy within the past twelve months.

Penetration testing and vulnerability management

This is one of the first things inspectors verify because it is binary: either you have current test reports or you do not.

  • Date of the last penetration test. If it is more than twelve months old, that is a finding.
  • Scope of testing. Inspectors will compare the scope in your report against your actual internet-facing systems. If you have fifteen public-facing applications but only tested three, that gap will be noted.
  • Tester qualifications. Inspectors check whether the individuals who performed the test hold recognised certifications such as OSCP (a certification held by people, not by firms), and whether the report names them. An internal vulnerability scan run by your IT team does not satisfy the requirement.
  • Remediation evidence. For every critical and high finding in the report, inspectors expect evidence that the vulnerability was fixed and retested. Open critical findings from a previous test are among the most serious audit deficiencies.

For context on what a proper engagement involves, see our guide on penetration testing versus vulnerability assessment for banks.

Incident response readiness

Inspectors do not just want to see the incident response plan. They want to see proof it works.

  • Tabletop exercise records. When was the last drill? Who participated? What scenario was tested? What were the lessons learned?
  • Incident logs. Has the institution logged and classified any security incidents in the past year? An institution that reports zero incidents is viewed with scepticism, not admiration.
  • Escalation procedures. Does the team know whom to call at 2 AM when a breach is detected? Are contact lists current?
  • BNR notification procedures. The regulation requires institutions to notify BNR of significant cyber incidents. Inspectors verify that the institution has a documented process for this and that staff know the threshold for notification.

For more on building effective incident response capabilities, see our guide on incident response planning for East African financial institutions.

Access control and identity management

Inspectors will ask your IT team to demonstrate access controls in real time. Common checks include:

  • Pulling up Active Directory or the identity management system and reviewing privileged accounts.
  • Asking to see the last access review and its outcomes. Were any excessive permissions revoked?
  • Checking for shared administrator accounts. If multiple staff use a single “admin” credential, that is a serious finding.
  • Verifying multi-factor authentication on critical systems: core banking, internet banking admin, email, VPN, and cloud management consoles.
  • Reviewing user provisioning and deprovisioning processes. When an employee leaves, how quickly is access removed? Inspectors may check whether former employees still have active accounts.
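The checks in the list above are the ones worth running yourself before inspectors run them for you. The script below is an added example for this article, not code from the original page: it takes a directory export in an assumed CSV layout (an Active Directory or identity-provider export would be reshaped to match) plus an HR leaver list, and flags leavers with live accounts, enabled accounts that have not logged on in 90 days, privileged accounts without MFA, and generic shared administrator accounts. The group names, the 90-day stale threshold, and all sample accounts are constructed.

```python
"""Pre-examination access review over a directory export.

Added example for this article, not code from the original page. It assumes
an identity export in the CSV layout below (columns are an assumption) and an
HR leaver list, and flags the four things inspectors ask to see in real time:
leavers with live accounts, stale but enabled accounts, privileged accounts
without MFA, and generic shared administrator accounts.
"""
import csv
import io
from datetime import date, datetime

# Groups the institution treats as privileged (assumed names)
PRIVILEGED_GROUPS = {"Domain Admins", "Core Banking Admins", "Firewall Admins", "DBA"}
# Account names that indicate a shared credential rather than a named person
GENERIC_ADMIN_NAMES = {"admin", "administrator", "root", "sysadmin", "dba"}
STALE_DAYS = 90            # assumed threshold for "enabled but unused"
AS_OF = date(2026, 3, 1)   # review date (constructed)

# Constructed sample export; not real accounts
DIRECTORY_EXPORT = """\
username,display_name,enabled,last_logon,groups,mfa_enrolled
j.uwimana,Jean Uwimana,true,2026-02-20,Domain Admins;Core Banking Admins,true
admin,Shared Admin,true,2026-02-28,Domain Admins,false
a.mukamana,Alice Mukamana,true,2025-10-01,Staff,true
p.habimana,Paul Habimana,true,2026-02-27,DBA,false
d.nsenga,David Nsenga,false,2025-08-15,Staff,true
"""

# Usernames HR reports as having left (constructed)
LEAVERS = {"a.mukamana", "d.nsenga"}


def parse_export(text):
    """Turn the CSV export into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": row["username"].strip(),
            "enabled": row["enabled"].strip().lower() == "true",
            "mfa_enrolled": row["mfa_enrolled"].strip().lower() == "true",
            "last_logon": datetime.strptime(row["last_logon"].strip(), "%Y-%m-%d").date(),
            "groups": {g.strip() for g in row["groups"].split(";") if g.strip()},
        })
    return rows


def review_accounts(rows, leavers, as_of):
    """Return (username, issue) pairs an examiner would raise as findings."""
    findings = []
    for r in rows:
        user = r["username"]
        privileged = bool(r["groups"] & PRIVILEGED_GROUPS)
        if r["enabled"] and user in leavers:
            findings.append((user, "leaver_still_active"))      # deprovisioning gap
        if r["enabled"] and (as_of - r["last_logon"]).days > STALE_DAYS:
            findings.append((user, "stale_enabled_account"))    # unused but live
        if privileged and not r["mfa_enrolled"]:
            findings.append((user, "privileged_without_mfa"))
        if privileged and user.lower() in GENERIC_ADMIN_NAMES:
            findings.append((user, "shared_admin_account"))      # not a named person
    return findings


def run_review():
    """Convenience entry point over the embedded sample data."""
    return review_accounts(parse_export(DIRECTORY_EXPORT), LEAVERS, AS_OF)


if __name__ == "__main__":
    for user, issue in run_review():
        print(f"{issue:26} {user}")
```

Run it against a real export on the same date you sign the access review; the output, plus the tickets raised to fix each line, is the "outcomes" evidence the checklist later asks for. Note that a disabled leaver account (d.nsenga in the sample) produces no finding, which is the state inspectors want to see.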

Third-party and vendor risk management

BNR expects institutions to manage the cybersecurity risk introduced by third-party service providers. Inspectors will check:

  • Whether the institution maintains a register of all ICT third parties with risk classifications.
  • Whether security due diligence was conducted before contracting: vendor security questionnaires, certifications review, penetration test reports.
  • Whether contracts include security clauses: right to audit, incident notification requirements, data protection obligations.
  • Whether the institution conducts ongoing monitoring of vendor security posture, not just a one-time assessment at onboarding.

For a deeper look at this topic, see our guide on third-party vendor security assessment.

The 90-day preparation timeline

Whether you have received a notification or are preparing proactively (which is the right approach), this timeline provides a structured path to examination readiness.

90 days out: gap assessment and planning

Objective: Understand exactly where you stand and build a remediation plan.

  • Conduct a gap assessment against current BNR cybersecurity requirements. Map each requirement to your existing controls and documentation. Identify every gap.
  • Review the findings from your last BNR examination (if applicable). Every finding that was not fully remediated is a priority.
  • Assess the current state of all documentation: policies, procedures, risk registers, incident response plans. Are they current? Were they reviewed within the past year?
  • Check penetration test reports. When was the last test? Was the scope comprehensive? Were all critical and high findings remediated and retested?
  • Compile a remediation backlog prioritised by risk and examiner focus areas.
  • Commission a penetration test if you do not have a current one. Allow time for remediation and retesting. See our guide on choosing a penetration testing firm in Kigali.

Start with the penetration test. It takes time to conduct the test, remediate findings, and retest. If you wait until 30 days before the examination to commission a test, you will not have time to remediate findings. From the examiner's perspective that is worse than not testing at all: the report proves you knew about the vulnerabilities and did nothing to fix them.

60 days out: remediation and evidence building

Objective: Close gaps and generate the evidence that inspectors will request.

  • Remediate penetration test findings. Work through critical and high findings first. Document every fix with before-and-after evidence.
  • Update all policies and procedures. Ensure the cybersecurity policy is current and has board approval dated within the past twelve months. Update the ICT risk register to reflect current systems and threats.
  • Conduct an incident response tabletop exercise. Choose a realistic scenario (ransomware, data breach, insider threat). Include all relevant stakeholders. Document the exercise thoroughly: date, participants, scenario, decisions, outcomes, lessons learned.
  • Run a board cybersecurity briefing. If your board has not received a dedicated cybersecurity report recently, schedule one now. Ensure the minutes capture the discussion.
  • Complete access reviews. Audit all privileged accounts. Remove excessive permissions. Disable accounts for departed employees. Document the review and its outcomes.
  • Review vendor risk assessments. Ensure all critical ICT vendors have been assessed. Update any assessments that are more than twelve months old.

30 days out: validation and documentation assembly

Objective: Verify everything is in order and compile the evidence package.

  • Retest critical penetration test findings. Engage your testing provider to verify that critical and high vulnerabilities have been properly remediated. Obtain a formal retest report.
  • Compile the evidence package. Organise all documentation into a structured folder ready for submission. Use the evidence checklist below.
  • Conduct internal walkthroughs. Have your compliance team interview IT staff using the same types of questions inspectors would ask. Can your team articulate the incident response process? Can they demonstrate access controls? Do they know the BNR notification requirements?
  • Verify logging and monitoring. Confirm that your SIEM or logging solution is operational, that alerts are being generated and investigated, and that you can demonstrate this to inspectors with screenshots or live demonstrations.
  • Brief senior management. Ensure the CEO, CTO, CISO, and head of compliance understand the examination process and their roles during it.

The evidence checklist

When BNR sends their pre-examination document request, you should be able to produce the following without delay. Having these ready demonstrates operational maturity.

Governance and policy documents:

  • Board-approved cybersecurity policy (with approval date)
  • Board minutes showing cybersecurity as a standing agenda item (past 12 months)
  • ICT governance structure and organisational chart
  • CISO or IT risk officer board presentation materials

Risk management:

  • ICT risk register (current, reviewed within past 12 months)
  • Risk assessment methodology documentation
  • ICT asset inventory

Technical assessments:

  • Penetration test report (dated within past 12 months)
  • Penetration test remediation tracker showing status of all findings
  • Retest report confirming critical and high findings resolved
  • Vulnerability scan results (most recent quarterly scan)
  • Tester qualifications and certifications

Incident response:

  • Incident response plan (current version)
  • Tabletop exercise documentation (date, participants, scenario, outcomes)
  • Incident log for past 12 months (even if no incidents occurred, document that monitoring was active)
  • BNR notification procedure documentation

Access control:

  • Access control policy
  • Most recent privileged access review and outcomes
  • MFA implementation evidence for critical systems
  • User provisioning and deprovisioning procedures

Business continuity:

  • Business continuity plan
  • Disaster recovery plan
  • Most recent DR test results

Third-party risk:

  • Vendor register with risk classifications
  • Vendor security assessments for critical ICT providers
  • Contract extracts showing security clauses

Training and awareness:

  • Security awareness training records (attendance, dates, topics)
  • Phishing simulation results (if conducted)

Common deficiencies and how to avoid them

These are the findings that appear most frequently in BNR cybersecurity examination reports, based on patterns we observe across our work with regulated institutions.

1. No current penetration test report

The finding: The institution has no penetration test report dated within the past twelve months, or the report covers only a fraction of internet-facing systems.

Why it happens: Institutions delay commissioning tests due to budget constraints, procurement timelines, or simply not prioritising it until an examination is announced.

How to avoid it: Treat annual penetration testing as a fixed operational requirement, not an optional project. Budget for it at the start of each fiscal year. Build a relationship with a qualified testing provider so engagement can begin quickly. See our guide on penetration testing costs in Rwanda for budgeting guidance.

2. Unremediated critical findings

The finding: The penetration test report identified critical or high-severity vulnerabilities that remain open months later.

Why it happens: IT teams acknowledge the findings but remediation gets deprioritised against feature development or other operational demands.

How to avoid it: Establish a remediation SLA: critical findings remediated within 30 days, high within 60 days. Track remediation in a formal system, not in email threads. Commission retesting to obtain formal verification.
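A tracker only helps if something checks it against the SLA. The script below is an added example for this article, not code from the original page, and also serves the retest step in the 30-day checklist: it reads a findings tracker in an assumed CSV layout, applies the 30-day critical and 60-day high SLAs recommended above (the 90-day medium SLA is an assumption), and treats a finding as closed only when a retest date exists, since a fix without retest evidence is exactly what inspectors push back on. The finding titles and dates are constructed.

```python
"""Remediation SLA check over a penetration test findings tracker.

Added example for this article, not code from the original page. The 30-day
critical and 60-day high SLAs are the ones the article recommends; the 90-day
medium SLA and the CSV tracker layout below are assumptions. A finding counts
as closed only when a retest date exists.
"""
import csv
import io
from datetime import date, datetime, timedelta

SLA_DAYS = {"critical": 30, "high": 60, "medium": 90}   # medium is an assumption
TODAY = date(2026, 3, 1)                               # constructed review date

# Constructed tracker; findings and dates are illustrative, not real results
TRACKER = """\
id,title,severity,reported,fixed,retested
PT-01,SQL injection in internet banking login,critical,2026-01-10,2026-01-25,2026-02-02
PT-02,Outdated TLS configuration on VPN gateway,high,2026-01-10,2026-02-20,
PT-03,Default credentials on core banking admin console,critical,2026-01-10,,
PT-04,Verbose error pages on public website,medium,2026-01-10,2026-02-25,2026-02-28
PT-05,Missing rate limiting on OTP endpoint,high,2026-01-10,,
"""


def parse_date(value):
    value = value.strip()
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def classify(row, today):
    """Status of one finding: closed, fixed_unverified, open or overdue."""
    sev = row["severity"].strip().lower()
    reported = parse_date(row["reported"])
    fixed = parse_date(row["fixed"])
    retested = parse_date(row["retested"])
    due = reported + timedelta(days=SLA_DAYS[sev])
    if retested:
        status = "closed"
    elif fixed:
        status = "fixed_unverified"    # needs a formal retest report
    elif today > due:
        status = "overdue"
    else:
        status = "open"
    return {
        "severity": sev,
        "status": status,
        "due": due,
        "days_overdue": (today - due).days if status == "overdue" else 0,
    }


def check_tracker(text, today):
    """Map finding id -> classification for every row in the tracker."""
    return {row["id"].strip(): classify(row, today)
            for row in csv.DictReader(io.StringIO(text))}


def needs_attention(report):
    """Critical/high findings that would be audit deficiencies as they stand."""
    return sorted(fid for fid, r in report.items()
                  if r["severity"] in ("critical", "high")
                  and r["status"] in ("overdue", "fixed_unverified"))


def run_tracker_check():
    """Convenience entry point over the embedded sample tracker."""
    return check_tracker(TRACKER, TODAY)


if __name__ == "__main__":
    report = run_tracker_check()
    for fid, r in report.items():
        print(f"{fid} {r['severity']:8} {r['status']:16} due {r['due']} "
              f"overdue {r['days_overdue']}d")
    print("needs attention before the examination:", needs_attention(report))
```

In the sample, PT-03 is the case examiners treat most seriously: a critical finding 20 days past its SLA with no fix at all. PT-02 is the quieter one, fixed inside the SLA but never retested, so there is no independent evidence it is actually closed. Both belong on the remediation backlog before the document request arrives.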

3. No incident response drill

The finding: The institution has an incident response plan but has never tested it through a tabletop exercise or simulation.

Why it happens: Teams assume the plan is sufficient because it exists in a document. They underestimate the value of testing.

How to avoid it: Schedule at least one tabletop exercise per year. It does not need to be elaborate. A two-hour session with the incident response team walking through a ransomware scenario is sufficient. Document everything.

4. Board minutes lack cybersecurity substance

The finding: Board minutes mention IT or cybersecurity in passing but contain no evidence of substantive discussion, risk quantification, or decision-making on cyber matters.

Why it happens: The board receives IT updates but cybersecurity is not presented as a distinct risk domain. Reports are superficial.

How to avoid it: Ensure the CISO or IT risk officer presents a dedicated cybersecurity report at least quarterly. Include specific metrics: number of vulnerabilities identified and remediated, incidents detected, penetration test status, compliance gap status. Record the board’s questions and decisions in the minutes.

5. Shared administrator credentials

The finding: Multiple staff members use the same administrator account to access critical systems such as the core banking platform, firewalls, or database servers.

Why it happens: Convenience and legacy practices. The organisation never migrated to individual named accounts with role-based access.

How to avoid it: Eliminate shared accounts entirely. Create individual named accounts for every administrator. Implement role-based access control. Enable multi-factor authentication on all privileged accounts. Conduct quarterly access reviews.

6. No vendor risk management programme

The finding: The institution relies on multiple third-party ICT providers but has no formal process for assessing or monitoring their security posture.

Why it happens: Vendor relationships are managed by procurement or business units without security involvement. There is no standardised security assessment process for vendors.

How to avoid it: Establish a vendor risk management programme. Maintain a register of all ICT vendors. Conduct security assessments for critical vendors annually. Include security requirements in contracts. For guidance, see our third-party vendor security assessment guide.

What happens after the audit

The examination does not end when inspectors leave. The post-examination phase is where many institutions lose ground.

Draft report response. When you receive the draft examination report, review each finding carefully. You have the opportunity to provide factual corrections, not to dispute the findings, but to correct any factual inaccuracies. Do not miss the deadline for this response.

Remediation action plan. You will be required to submit a formal remediation plan for each finding, specifying the corrective action, the responsible person, and the target completion date. Be realistic with timelines. BNR will hold you to these dates. Committing to remediating everything within 30 days and then missing the deadline is worse than proposing a 90-day plan and delivering on time.

Follow-up verification. BNR may conduct follow-up examinations to verify that remediation actions have been completed. Maintain documentation of every remediation action taken.

Continuous compliance. The institutions that perform best in examinations are those that treat compliance as a continuous operational practice rather than a periodic preparation exercise. Maintain your controls, conduct regular testing, keep documentation current, and report to the board consistently. When the next examination notification arrives, preparation should require days of organisation rather than months of scrambling.

How we help institutions prepare

We work with BNR-regulated institutions across Rwanda to prepare for cybersecurity examinations efficiently. Our approach covers the full preparation cycle: gap assessment against BNR requirements, penetration testing with OSCP-certified testers, remediation guidance, retesting, and documentation structured in the format examiners expect.

For institutions that need a penetration test as part of their preparation, see our penetration testing service page. For a broader compliance assessment, see our security assessments service page.

Contact us to discuss your examination timeline. We can typically begin within two weeks of agreement and structure the engagement to deliver results before your examination date.

Ready to secure your organisation?

We are a penetration testing firm based in Kigali whose testers hold the OSCP certification. We work with banks, fintechs, and enterprises across Rwanda and East Africa. Get a scoped quote within 24 hours.
