The case for CSR/ Sustainability Reporting Done Responsibly


Insights on how you can protect the environment, maintain and increase the value of your company, through a structured process.


Case study: How Bank Muscat promotes cybersecurity

Bank Muscat is the leading financial institution in Oman, with a strong presence in corporate banking, personal banking, investment banking, Islamic banking, treasury, private banking and asset management. As cybercrimes can cause enormous financial and material losses for both victims and the economy, Bank Muscat remains vigilant in its cybersecurity efforts so as to safeguard, according to strict standards of security and confidentiality, any information customers share with the Bank.

This case study is based on the 2019 Sustainability Report by Bank Muscat published on the Global Reporting Initiative Sustainability Disclosure Database that can be found at this link. Through all case studies we aim to demonstrate what CSR/ ESG/ sustainability reporting done responsibly means. Essentially, it means: a) identifying a company’s most important impacts on the environment, economy and society, and b) measuring, managing and changing.

Abstract

Bank Muscat’s information/cybersecurity management function helps to secure information within the Bank, as well as keep the Bank secured from cybersecurity risks. In order to promote cybersecurity Bank Muscat took action to:

  • identify and address cybersecurity risks
  • improve cybersecurity measures
  • launch an anti-fraud public awareness campaign

What are the material issues the company has identified?

In its 2019 Sustainability Report Bank Muscat identified a range of material issues, such as customer relationship management, employee training and development, responsible investing, Anti-Money Laundering and Anti-Financing of Terrorism (AML and AFT). Among these, promoting cybersecurity stands out as a key material issue for Bank Muscat.

Stakeholder engagement in accordance with the GRI Standards             

The Global Reporting Initiative (GRI) defines the Principle of Stakeholder Inclusiveness when identifying material issues (or a company’s most important impacts) as follows:

“The reporting organization shall identify its stakeholders, and explain how it has responded to their reasonable expectations and interests.”

Stakeholders must be consulted in the process of identifying a company’s most important impacts and their reasonable expectations and interests must be taken into account. This is an important cornerstone for CSR / sustainability reporting done responsibly.

Key stakeholder groups Bank Muscat engages with:                    

Stakeholder group and method of engagement:

  • Employees
    • Annual performance reviews
    • Regular dialogue and interaction with employees
    • Training and education programmes
    • Grievance mechanism
    • Polls and survey
  • Customers
    • Employee
    • Call Centre Feedback Management System (FMS)
    • Company website
    • Focus groups
    • Customer networking events for specific customer segments
    • Branches and access points including ATMs and CDMs
    • Media and social media channels
    • Annual report and sustainability report
    • Other bank publications including investor presentations
  • Government (Including Regulatory Bodies)
    • Government Business Division
    • Investment in the national economy
    • Supporting initiatives of national importance
  • Correspondent / Other Banks / International Entities
    • Financial Institutions Group (FIG)
    • Company website and other publications
    • Roadshows and presentations
  • Shareholders / Investors
    • Investor Relations Department
    • Shareholder meetings
    • Roadshows and presentations
    • Company website and other publications
  • Local, Regional & International Media
    • Media, social media and other publications
    • Press conferences
    • Media networking events

How stakeholder engagement was made to identify material issues

To identify and prioritise material topics Bank Muscat engaged with its stakeholders through interviews and surveys.

What actions were taken by Bank Muscat to promote cybersecurity?

In its 2019 Sustainability Report Bank Muscat reports that it took the following actions for promoting cybersecurity:

  • Identifying and addressing cybersecurity risks: Bank Muscat continuously invests in maintaining and updating the systems and processes that are designed to ensure the security of the Bank’s computer systems, software, networks and other technology assets. Bank Muscat’s information/cybersecurity risk management function focuses on the following key aspects:
    • Cybersecurity incident response plans in order to implement effective management of cybersecurity incidents
    • Information security governance through security policies, procedures, guidelines and standards
    • Information security monitoring using the latest solutions and tools, including real time as well as fixed frequency monitoring
    • Implementing a robust security defence network as well as maintaining strong internal controls
    • Information security reviews comprising new and existing technologies, solutions, networks and also the various processes/operations within each and every department of the Bank
  • Improving cybersecurity measures: In 2019, Bank Muscat partnered with the Information Technology Authority (ITA) to improve cybersecurity measures. The Bank took part in a series of cybersecurity events organised by the ITA, including the 8th Regional Cybersecurity Summit, FIRST & International Telecommunication Union Arab Regional Cyber Security Centre (ITU-ARCC), and the 7th Regional Cyber Drill. Bank Muscat also participated in the Cybersecurity Readiness drill, held under the theme “Intelligence of Malware” and organised by the National Computer Emergency Readiness Team (OCERT) to assess cybersecurity readiness in Organisation of Islamic Cooperation (OIC) countries.
  • Launching an anti-fraud public awareness campaign: In 2019, the Royal Oman Police (ROP) and Bank Muscat launched an anti-fraud public awareness campaign. The campaign focused on educating the community not to share their personal details or their banking/card details with anyone over the phone, and not to input them on links received through social media or messaging.

Which GRI Standards and corresponding Sustainable Development Goals (SDGs) have been addressed?

The GRI Standard addressed in this case is: Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data

Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data corresponds to:





1) This case study is based on published information by Bank Muscat, located at the link below. For the sake of readability, we did not use brackets or ellipses. However, we made sure that the extra or missing words did not change the report’s meaning. If you would like to quote these written sources from the original, please revert to the original on the Global Reporting Initiative’s Sustainability Disclosure Database at the link:


Note to Bank Muscat: With each case study we send out an email requesting a comment on this case study. If you have not received such an email please contact us.